|
The threat actor dubbed “RomCom,” known for deploying spoofed versions of popular software, has been quite busy these past few months. In the past, he was seen imitating Advanced IP Scanner and PDF Filler. More recently, though, he’s been targeting Ukraine, the U.K., and other English-speaking countries by spoofing SolarWinds, KeePass, PDF Reader Pro, and Veeam.
Victims who download the fake tools install a malicious code into their devices that can collect data, take screenshots, and send these to command-and-control (C&C) servers. While RomCom employs sophisticated obfuscation techniques, he may have left some trails. WhoisXML API researchers analyzed published indicators of compromise (IoCs) and expanded the list to find suspicious properties that RomCom or other threat actors may own and could weaponize. Here are some of our key findings.
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Based on BlackBerry and Palo Alto Network research, we gathered seven domains and one IP address tagged as IoCs related to RomCom. All except one domain fell under the .com top-level domain (TLD). Using WHOIS Search to dig into these properties, we determined the following:
Administration: IoC management fell under the purview of several registrars. Two belonged to PDR Ltd.; another two to Porkbun; and the rest to Hosting Concepts, DropCatch, and OwnRegistrar.
A deeper investigation led us to more than 2,600 artifacts. We detailed how we retrieved these properties below.
Knowing that RomCom’s signature tactic is to spoof well-known software, we looked for possible cybersquatting resources bearing the names of such targets. We retrieved more than 1,200 domains and subdomains added between 1 June and 18 November 2022 broken down into their spoofed targets.
Spoofed Software | Legitimate Website | Search String | Number of Possible Cybersquatting Resources |
---|---|---|---|
SolarWinds Network Performance Monitor | solarwinds[.]com/network-performance-monitor | “solarwind” | 387 |
KeePass Open-Source Password Manager | keepass[.]info | “keepas” | 128 |
PDF Reader Pro | pdfreaderpro[.]com | “pdfreader” | 43 |
Advanced IP Scanner | advanced-ip-scanner[.]com | “advance + -ip” ”-ip + scan” | 52 |
PDF Filler | pdffiller[.]com | “pdf + filler” | 52 |
Veeam Backup and Recovery Software | veeam[.]com | “veeam” | 589 |
Samples of the cybersquatting properties can be found in the Appendix.
Our DNS analysis on the IoCs revealed five IP hosts, which led us to 832 connected domains after running them through Reverse DNS Search. While some of these properties may be innocently connected to the IP addresses, others appear suspicious.
For instance, we found domains that seem to be spoofing Microsoft Azure, AnyDesk, Google Translate, and Google Analytics.
Another method for finding artifacts is through Reverse WHOIS Search. Since the domains registered using the proton[.]me email addresses were managed by PDR Ltd., we used the registrar name and email domain as search strings. We found 641 domains with PDR Ltd. and proton[.]me email addresses.
The WHOIS-connected artifacts turned out to be suspicious, too. For instance, some of them seemed to be spoofing Scotia Bank, Bank of America, and Farmer National Bank, as seen below.
We also found domains consistent with the RomCom IoCs, such as those targeting SolarWinds Network Performance Monitor and Veeam.
About 3% of the artifacts we discovered turned out to be malicious, most notably:
Our analysis of the artifacts’ web content also proved interesting. For example, this is the content of the legitimate Keepass website.
Meanwhile, the domain keepas[.]space hosted a look-alike page (at the time of writing).
Other suspicious content hosted on the artifacts were consistent with those used in RomCom campaigns. Some of them are shown below.
Several PDF Filler domains that have been flagged as malicious continued to host a Windows Server page like this.
Various domains that host web pages bearing the SolarWinds logo and colors may indicate a broader campaign targeting the company. Here are some examples.
To recall, some of the malicious artifacts found seemed to target banks, logistics companies, and other products outside RomCom’s known targets. These properties may belong to other threat actors. Regardless of the entities behind the suspicious artifacts, the damage they can incur remains the same.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byRadix
Sponsored byVerisign
Sponsored byCSC
Sponsored byWhoisXML API