RomCom RAT found in applications from spoofed Veeam, SolarWinds and KeePass websites
Howard Solomon, November 4, 2022
https://www.itworldcanada.com/article/romcom-rat-found-in-applications-from-spoofed-veeam-solarwinds-and-keepass-websites/511672?utm_source=Security&utm_medium=enews&utm_campaign=Security&scid=b2344d5a-4609-b432-f662-4e60014e6876

"The websites of popular business applications from Veeam, SolarWinds, KeePass and PDF Technologies are being spoofed by a threat actor to spread the RomCom remote access trojan (RAT), according to researchers at BlackBerry and Palo Alto Networks."

...

"The threat actor’s campaigns are simple: The creation of virtually identical websites for brand name software providers that organizations might use, by scraping the companies’ original legitimate HTML code. The gang hopes victims will download trial versions or pay for the applications. What they download is infected software."

...

"The BlackBerry report includes indicators of compromise for the RAT."

The BlackBerry report: RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom
11.02.22 / The BlackBerry Research & Intelligence Team
https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass
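The two defender-side checks the article implies (did the installer come from the vendor's real domain rather than a lookalike, and does its hash match the vendor-published value or appear in a published IoC list) can be scripted. The following is an added example, not code from the article, BlackBerry or Palo Alto Networks; the allowlisted hosts, the sample file contents and the IoC hashes are constructed placeholders, not values from the report.

```python
"""Checks for a downloaded installer: exact-match the download host against an
allowlist of vendor domains, then compare the file's SHA-256 with the vendor's
published hash and with a set of IoC hashes (the kind a vendor report lists).
Added example; all hosts and hashes here are constructed placeholders."""
import hashlib
from urllib.parse import urlparse

# Hypothetical allowlist of legitimate download hosts (constructed for this
# example; in practice take them from the vendor's own documentation).
LEGITIMATE_HOSTS = {
    "veeam": {"www.veeam.com", "download.veeam.com"},
    "keepass": {"keepass.info"},
}


def host_is_legitimate(vendor: str, url: str) -> bool:
    """True only when the URL's hostname is an exact allowlisted host.
    A spoofed site that copies the vendor's HTML still has to live on a
    different name (extra label, swapped TLD), so exact matching rejects it."""
    host = urlparse(url).hostname  # already lowercased by urlparse
    if host is None:
        return False
    return host in LEGITIMATE_HOSTS.get(vendor, set())


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_download(data: bytes, published_sha256: str, ioc_hashes: set[str]) -> str:
    """Order matters: a hash that appears in the IoC list is reported as
    malicious even if someone pasted it as the 'published' value."""
    digest = sha256_of(data)
    if digest in {h.lower() for h in ioc_hashes}:
        return "known-malicious"
    if digest == published_sha256.lower():
        return "verified"
    return "unverified"


def check_installer(vendor: str, url: str, data: bytes,
                    published_sha256: str, ioc_hashes: set[str]) -> dict:
    """Combine both checks into one result a ticket or SIEM event could carry."""
    return {
        "host_ok": host_is_legitimate(vendor, url),
        "hash_status": classify_download(data, published_sha256, ioc_hashes),
    }


if __name__ == "__main__":
    # Constructed sample: a "clean" blob whose hash we treat as the vendor's
    # published value, and a "trojanized" blob whose hash is on the IoC list.
    clean = b"constructed clean installer bytes"
    trojan = b"constructed trojanized installer bytes"
    iocs = {sha256_of(trojan)}
    print(check_installer("keepass", "https://keepass.info/download.html",
                          clean, sha256_of(clean), iocs))
    print(check_installer("keepass", "https://keepass.info.example/download.html",
                          trojan, sha256_of(clean), iocs))
```

Exact host matching is deliberate: a substring or suffix test would accept a lookalike such as a vendor name embedded in a longer domain, which is exactly the pattern a cloned site relies on.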
Wow, scary stuff. But it's not clear to me how these trojanized versions of legitimate tools would work in practice. It seems to me that this RomCom RAT will run as a standalone tool, which means that malicious activities should be easier to spot. So it's not trying to hide behind the legitimate tools, if I understood correctly.