RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine

In RomCom’s latest campaign, Arctic Wolf observed the threat actor targeting politicians in Ukraine who are working closely with Western countries, and a U.S.-based healthcare company providing humanitarian aid to refugees from Ukraine.

Summary

The RomCom threat actor has been carefully following geopolitical events surrounding the war in Ukraine, targeting militaries, food supply chains, and IT companies. In RomCom’s latest campaign, the Arctic Wolf® Labs team observed RomCom targeting politicians in Ukraine who are working closely with Western countries, and a U.S.-based healthcare company providing humanitarian aid to the refugees fleeing from Ukraine and receiving medical assistance in the U.S.

This report is the first part of our research covering the details of RomCom’s latest malicious campaign, while the second part will cover RomCom’s behaviors, including detection engineering.

Brief MITRE ATT&CK® Information

Tactic   Technique
TA0043   T1598, T1598.002
TA0001   T1189
TA0002   T1559, T1218, T1204
TA0003   T1546.015
TA0005   T1027, T1140, T1036, T1564.001, T1112
TA0007   T1057, T1083, T1082, T1217
TA0009   T1113
TA0010   T1041
TA0011   T1090, T1071, T1071.001, T1095, T1573.002, T1105
TA0040   T1486


Weaponization and Technical Overview

Weapons Trojanized applications, x64 dll payloads
Attack Vector Spear-phishing
Network Infrastructure Cloned websites, C2 servers using self-signed SSL certificates
Targets Politicians from Ukraine, U.S.-based Healthcare organizations


Technical Analysis

Context

In mid-March 2023, we noticed an uptick in telemetry related to our tracking of the operator behind the RomCom remote access trojan (RAT). This uptick encompassed the creation of several new domains and associated artifacts, one of which, startleague[.]net, was linked to a file correlating to the SHA-256 c94e889a6c9f4c37f34f75bf54e6d1b2cd7ee654cd397df348d46abe0b0f6ca3, titled RemoteDesktopManager.2022.3.35.0.exe.

What is Remote Desktop Manager?

As its name suggests, Devolutions Remote Desktop Manager (RDM) is a legitimate utility designed to help facilitate secure remote connectivity. It is compatible with many commonly used remote connection utilities and technologies such as Citrix, FTP, Apple Remote Desktop, TeamViewer, LogMeIn, Microsoft Remote Desktop (RDP), SSH Shell, and many more.

According to the developer’s website:

“Remote Desktop Manager is an application that integrates a comprehensive set of tools and managers to meet the needs of any IT team. It is designed to centralize remote connection technologies, credentials, and secure access to these resources. Most connections are established using either an external library or third-party software.”

Attack Vector

Although it is unclear at this point what initial infection vector was used to kick off the execution chain, previous RomCom attacks used targeted phishing emails to point a victim to a cloned website hosting Trojanized versions of popular software. There is a high likelihood that this is the same in this case, as the tactics, techniques, and procedures (TTPs) align. We have confirmed that a cloned website was used to host a malicious specially crafted Installer for the Trojanized version of Devolutions Remote Desktop Manager, and that this malicious website was almost indistinguishable from the legitimate one.

The fake domain utilized a form of typosquatting to attempt to appear as close to the real one as possible. This kind of domain (ab)use is common in phishing attacks of all kinds, when threat actors set up online infrastructure with one thing in common: trying to fool the user into believing they are interacting with the real company or organization, by making their fake website look as much like the real one as possible.

It is important to understand that just because a website has a company name you know and trust in the URL, that doesn’t mean the site you are visiting is owned or operated by that company.

Real Domain Fake Domain
devolutions[.]net rdp-devolutions[.]com
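As an added example (not code from the report or from Devolutions), the routine below flags hostnames that carry a trusted brand name, or a near-miss spelling of it, while sitting under a registrable domain the brand does not own; that is the pattern rdp-devolutions[.]com follows against devolutions[.]net. The allowlist, the second brand and the sample hostnames are constructed; the real/fake pair is the one in the table above.

```python
"""
Lookalike-domain triage for brand names an organisation trusts.

Added example; not code from the Arctic Wolf report or from Devolutions.
Flags hostnames that embed a trusted brand name (or a near-miss spelling of
it) while resolving to a registrable domain the brand does not own.
"""

# Brand token -> registrable domains the brand actually owns. Assumed
# allowlist; in practice this comes from your own vendor inventory.
TRUSTED = {
    "devolutions": {"devolutions.net"},   # real/fake pair from the report
    "examplecorp": {"examplecorp.com"},   # constructed brand for illustration
}

# Maximum Levenshtein distance still treated as a near-miss spelling.
MAX_EDITS = 2


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels.

    Assumption: no public-suffix list is consulted, so hosts under multi-part
    suffixes such as example.co.uk are mis-split. Adequate for the demo.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_verdict(host: str, trusted=TRUSTED):
    """Return (brand, reason) when host impersonates a trusted brand, else None."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if any(reg in owned for owned in trusted.values()):
        return None  # the brand's own domain, including its subdomains
    reg_label = reg.split(".")[0]
    for brand, owned in trusted.items():
        # Brand name embedded in any label (rdp-devolutions.com,
        # devolutions.example.net) under a domain the brand does not own.
        if any(brand in label for label in host.split(".")):
            return brand, "brand name embedded in a registrable domain the brand does not own"
        # Near-miss spelling of the owned domain's first label, e.g. devolutons.net.
        for owned_domain in owned:
            owned_label = owned_domain.split(".")[0]
            distance = edit_distance(reg_label, owned_label)
            if 0 < distance <= MAX_EDITS:
                return brand, f"{reg_label!r} is {distance} edit(s) from {owned_label!r}"
    return None


def triage(hosts):
    """Map each flagged host to its (brand, reason); hosts judged clean are omitted."""
    return {h: v for h in hosts if (v := lookalike_verdict(h)) is not None}


if __name__ == "__main__":
    # Constructed DNS-log hostnames; only the first is taken from the report.
    seen = ["rdp-devolutions.com", "devolutions.net", "cdn.devolutions.net",
            "devolutons.net", "examplecorp-login.com", "example.org"]
    for host, (brand, reason) in triage(seen).items():
        print(f"{host:28} impersonates {brand}: {reason}")
```

Brand tokens should be distinctive words; a short or generic token will match unrelated domains, which is why the allowlist of domains the brand really owns is checked first.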


Figure 1: Example of the real (L) and fake (R) Remote Desktop Manager websites side by side.

As shown in Figure 2 below, the malicious file Installer.RemoteDesktopManager.2022.3.35.0.exe is hosted on the observed cloned/fake website.

Figure 2: rdp-devolutions[.]com malware URL.

Weaponization

Once downloaded by the user, the Trojanized installer from the cloned website makes every attempt to appear legitimate. Statically, it is a 64-bit executable (.exe) which is signed by an in-date digital signature.

However, further analysis into the legitimate download of Devolutions RDM suggests the signing information does not correlate and is, in fact, issued by a completely different organization. The fraudulent certificate obtained from the malicious installer is shown below in Figure 3.

Figure 3: Digital signature of the trojanized Installer.

Upon execution of the trojanized main setup file, Installer.RemoteDesktopManager.2022.3.35.0.exe, the user is prompted to select the destination path of where they’d like the file(s) to be installed.

Figure 4: Setup Installer for the trojanized DRDM.

Unbeknownst to the victim, during this prompt, the malware has already begun its execution chain. The malware drops various components into the hidden path C:\Users\Public\Libraries. (Further details can be found below in our Indicators of Compromise list.)

Dropped binaries:

  • update.conf
  • Installer.RemoteDesktopManager.2022.3.35.0.exe
  • netid4050320587.dll
  • prxyms4050320587.dll
  • desktop.ini (already present)
  • Recorded TV (already present)

Figure 5: Components dropped by RomCom are deployed, regardless of ‘Setup’.

The core malicious binary related to RomCom is the file netid4050320587.dll0. This Dynamic-Link Library (.DLL) is executed via the Windows host process rundll32.exe in the background while the unsuspecting victim tries installing the fake software.

This malicious binary is executed, as seen in Figure 6 below, via:

C:\Windows\System32\rundll32.exe C:\Users\Public\Libraries\netid4050320587.dll0,Main netid4050320587.dll0

Figure 6: Execution of the core RomCom DLL.
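The rundll32 invocation above is a good hunting pattern in its own right: a module loaded from a user-writable directory, with an extension rundll32 is not normally asked to load. The following added example (not code from the report) scores Sysmon-style process-creation events against that pattern. Only the first command line is taken from the report; the parent path and the remaining events are constructed.

```python
"""
Hunting for rundll32 loading a module from a user-writable directory.

Added example; not code from the Arctic Wolf report. Scores process-creation
events (Sysmon Event ID 1 style fields, constructed in-line) against the
execution pattern in the report: rundll32.exe invoking an export of a file
dropped under C:\\Users\\Public\\Libraries with the non-standard .dll0 suffix.
"""
import re
from pathlib import PureWindowsPath

# rundll32 <module>,<entrypoint> [args]  -- module may be quoted.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<entry>\S+)', re.IGNORECASE)

# Directories a standard user can write to; a DLL loaded from here by rundll32
# is unusual for legitimate software and typical of droppers.
WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\programdata\\")
WRITABLE_FRAGMENTS = ("\\appdata\\local\\temp\\", "\\downloads\\")

# Module extensions rundll32 is normally asked to load.
EXPECTED_SUFFIXES = {".dll", ".cpl", ".ocx", ".ax"}

SAMPLE_EVENTS = [
    {   # Mirrors the report's Figure 6 command line; parent path is constructed.
        "ParentImage": r"C:\Users\User\AppData\Local\Temp\is-CONSTRUCTED.tmp\Installer.RemoteDesktopManager.2022.3.35.0.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Users\Public\Libraries\netid4050320587.dll0,Main netid4050320587.dll0",
    },
    {   # Benign: Control Panel applet launched from System32.
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    },
    {   # Benign: quoted module path under Program Files.
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Vendor\helper.dll",Init',
    },
    {   # Suspicious: regular .dll, but loaded from the user's Temp directory.
        "ParentImage": r"C:\Users\User\Downloads\setup.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Users\User\AppData\Local\Temp\stage.dll,Run",
    },
    {   # Not rundll32 at all; must be ignored.
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\Public\Libraries\update.conf",
    },
]


def parse_rundll32(command_line: str):
    """Return (module_path, entry_point) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.search(command_line)
    return (m.group("module").strip(), m.group("entry")) if m else None


def analyze(event: dict) -> list:
    """Return the reasons an event matches the RomCom-style rundll32 pattern."""
    if not event["Image"].lower().endswith(r"\rundll32.exe"):
        return []
    parsed = parse_rundll32(event["CommandLine"])
    if parsed is None:
        return ["rundll32 without a parsable <module>,<entry> argument"]
    module, entry = parsed
    lowered = module.lower()
    reasons = []
    if lowered.startswith(WRITABLE_PREFIXES) or any(f in lowered for f in WRITABLE_FRAGMENTS):
        reasons.append(f"module loaded from user-writable path: {module}")
    suffix = PureWindowsPath(module).suffix.lower()
    if suffix not in EXPECTED_SUFFIXES:
        reasons.append(f"non-standard module extension {suffix!r} for entry point {entry}")
    return reasons


def hunt(events):
    """Return [(event, reasons)] for every event that raised at least one reason."""
    return [(e, r) for e in events if (r := analyze(e))]


if __name__ == "__main__":
    for event, reasons in hunt(SAMPLE_EVENTS):
        print(event["CommandLine"])
        for reason in reasons:
            print("   -", reason)
```

The two checks are independent on purpose: the .dll0 suffix is specific to this campaign and cheap to change, while loading from C:\Users\Public or a Temp directory is the durable behaviour, so the second reason should carry the weight in a real rule.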

The malicious dropper contains a legacy installer for the legitimate program to masquerade its purposes further. This installer is dropped both in C:\Users\User\AppData\Local\Temp\js-TIDj8.tmp\ and C:\Users\Public\Library\. The SHA-256 is b1b015f3762b4b9bfce928401a3b13beee5fb70c989b97a03d57545fc00a1978.

In addition to deploying and executing its payload of malware, this Installer will continue seemingly as intended, so the user is left none the wiser.

On execution (as of April 2023), the Installer for the fake Devolutions Remote Manager will fail its setup as it cannot send data to the real Devolutions server. When the Installer receives this error, the installation terminates.

Meanwhile, the malware has been stealthily deployed on the victim host by the decoy Installer and has begun to carry out its malicious activities.

Figure 7: Continuation of trojanized Installer.

The function of the malicious files dropped is as follows:

  • netid3231462335.dll – This is the core RomCom RAT payload. It is a new version of the implant we initially uncovered last Fall. Improvements were made to its obfuscation to thwart static analysis. The application’s core functionality remains relatively the same, giving the threat actor full access to the victim’s device.
  • prxyms1500330613.dll – This is the RomCom Loader file. It is used to execute RomCom via the command line.
  • procsys.dll – This is a browser stealer; it steals browser data such as passwords, browsing history, and site cookies.
  • update.conf – A small supporting configuration file for RomCom.

The full execution chain is shown below in Figure 8.

Figure 8: Execution of trojanized RomCom Installer (Click to enlarge).

Networking

Upon successful installation, RomCom will enumerate the infected host and gather some basic host and user metadata, which is then sent to its command-and-control (C2) server – startleague[.]net – to “check in”.

Figure 9: Request sent via the WinHTTP API.

Additionally, this can be noted via the TCP Stream shown in Figure 10 below.

Figure 10: Wireshark capture of initial RomCom communication.

If, for any reason, a connection attempt to its C2 is unsuccessful, the malware appears to have some redundancy. If its initial requests cannot be handled, it will attempt to connect via ICMP Requests instead.

Figure 11: Request sent via ICMP to RomCom’s C2.

Additionally, this can be seen in Figure 12 (below) in a network capture.

Figure 12: ICMP request to C2 related to RomCom.

Network Infrastructure

As mentioned previously, the purpose of the domain rdp-devolutions[.]com is to host RomCom’s cloned website, both hosting and delivering a Trojanized/fake version of the Devolutions’ Remote Desktop Manager software.

The domain was registered on 2023-03-09 and initially tied to the IP address 91.235.116[.]232 for the time period 2023-03-11 to 2023-03-30, when it was updated to resolve to the IP address 74.119.239[.]234.

Domain name            IP                 ASN                           Purpose
rdp-devolutions[.]com  74.119.239[.]234   AS51177 TIPZOR MEDIA SRL, RO  Malware hosting
startleague[.]net      46.246.98[.]15     AS42708 CLOUD HOSTING, SE     C2 server

The domain startleague[.]net was registered on 2022-12-19 and tied to the IP address 2.57.90[.]16. This continued until 2023-01-30, when it began resolving to the IP address 46.246.98[.]15.

Figure 13: VirusTotal graph showing the network infrastructure (Click to enlarge).
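The networking behaviour described above (HTTP check-in to startleague[.]net with an ICMP fallback) and the infrastructure table give a defender a compact indicator set. The added example below (not code from the report) refangs the report's defanged domains, IPs and hashes and sweeps them over pipe-delimited telemetry lines, treating ICMP to the C2 address as a hit in its own right. The indicator values are the report's; every telemetry line is constructed.

```python
"""
IOC sweep over constructed network and file telemetry.

Added example; not code from the Arctic Wolf report. Refangs the defanged
indicators the report lists and matches them against telemetry lines,
flagging ICMP traffic to the C2 address as a possible fallback channel.
"""
import ipaddress
from collections import Counter

# Indicators as printed in the report (defanged).
DEFANGED_DOMAINS = ["rdp-devolutions[.]com", "startleague[.]net"]
DEFANGED_IPS = ["74.119.239[.]234", "46.246.98[.]15", "104.234.10[.]207"]
HASHES = {
    "6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d": "trojanized RDM installer",
    "0501d09a219131657c54dba71faf2b9d793e466f2c7fdf6b0b3c50ec5b866b2a": "core RomCom binary",
    "65778e3afc448f89680e8de9791500d21a22e2279759d8d93e2ece2bc8dae04d": "RomCom loader",
}
C2_IP = "46.246.98.15"  # startleague[.]net, where the ICMP fallback was observed


def refang(indicator: str) -> str:
    """Undo the common defanging conventions: [.] -> . and hxxp -> http."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}

# Constructed telemetry: timestamp|type|host|value[|port]
SAMPLE_LOG = """\
2023-03-28T10:02:11Z|dns|ws-fin-07|rdp-devolutions.com
2023-03-28T10:03:05Z|file|ws-fin-07|6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d
2023-03-28T10:05:40Z|http|ws-fin-07|startleague.net|443
2023-03-28T10:06:02Z|icmp|ws-fin-07|46.246.98.15
2023-03-28T10:09:13Z|http|ws-fin-07|104.234.10.207|7931
2023-03-28T11:00:00Z|dns|ws-hr-02|devolutions.net
2023-03-28T11:01:00Z|icmp|ws-hr-02|8.8.8.8
2023-03-28T11:02:00Z|file|ws-hr-02|0000000000000000000000000000000000000000000000000000000000000000
"""


def _as_ip(value: str):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def match_line(line: str):
    """Return (host, description) if the line touches an indicator, else None."""
    fields = line.strip().split("|")
    if len(fields) < 4:
        return None
    _ts, kind, host, value = fields[:4]
    port = fields[4] if len(fields) > 4 else "?"
    if kind == "dns" and value.lower() in DOMAINS:
        return host, f"DNS lookup of {value}"
    if kind == "http":
        if value.lower() in DOMAINS:
            return host, f"HTTP to {value}:{port}"
        addr = _as_ip(value)
        if addr in IPS:
            return host, f"HTTP to {addr}:{port}"
    if kind == "icmp":
        addr = _as_ip(value)
        if addr in IPS:
            note = " (possible ICMP fallback channel)" if str(addr) == C2_IP else ""
            return host, f"ICMP to {addr}{note}"
    if kind == "file" and value.lower() in HASHES:
        return host, f"file hash matches {HASHES[value.lower()]}"
    return None


def sweep(lines):
    """Return all (host, description) hits, in log order."""
    return [hit for line in lines if (hit := match_line(line))]


def hosts_by_hit_count(lines):
    """Rank hosts by number of indicator hits, to prioritise triage."""
    return Counter(host for host, _ in sweep(lines))


if __name__ == "__main__":
    for host, desc in sweep(SAMPLE_LOG.splitlines()):
        print(f"{host:12} {desc}")
    print(hosts_by_hit_count(SAMPLE_LOG.splitlines()))
```

ICMP to a known C2 address is worth its own rule because hosts that block the HTTP check-in at the proxy will still show the fallback in firewall or NetFlow logs, where it is easy to overlook.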

Targets

During the course of our investigations, Arctic Wolf® identified several victims primarily based in Ukraine. This aligns with previously seen geolocations targeted by RomCom. We have also observed evidence of at least one target based in the United States.

The victims targeted are involved in several dissimilar industries such as Military and Healthcare, united by the common thread of Russia’s invasion of Ukraine.

Figure 14: Geolocation of victims targeted in this RomCom campaign.

Additional Findings

GoTo Meeting

Over the course of our investigations, a similar binary was observed containing a confirmed RomCom implant. This time it was deployed within a trojanized installation of “GoTo Meeting”, a popular video conference software commonly used by a variety of enterprises, both large and small.

Following similar TTPs of previously observed samples of RomCom, the initial attack vector is a faked/cloned website that appears identical to the legitimate one. Below is an example of the cloned website for “GoTo Meeting”.

Figure 15: Faked/cloned website of the legitimate video conferencing app “GoTo Meeting”.

Like other samples of RomCom, it too hosts a trojanized installer containing a legitimate binary related to the intended product/service, whilst also containing a RomCom implant that will execute during installation by the user.

Details of this observed find are below:

SHA-256 a552b0b1c948e0ef4e51088f059c280a967ff40bf93ff9d62ebeb74e80f36fc5
File Name GoTo Meeting Opener.msi
File Size 21.02 MB (22040576 bytes)
Created 2022-06-30 12:11:22 UTC
Description Trojanized installer containing RomCom RAT


WinSCP

Furthermore, at the beginning of May 2023, a Twitter user with the handle @TLP_R3D identified “potential RomCom C2” infrastructure in a tweet. Upon analyzing the noted IOCs, the Arctic Wolf Labs team confirmed that the samples in the attack chain indeed contained a RomCom payload.

Unlike previous samples of RomCom observed through our own investigations, this sample of RomCom masqueraded as the popular SSH file-transfer tool WinSCP, but it does not contain the RomCom payload itself.

Upon execution of WinSCP-5.21.8-Setup.exe, the malware will attempt to reach out to the noted IOCs (below) to download and execute itself.

  • hxxp://104.234.10.207:7931/itrdd/kcrs/file1[.]txt
  • hxxp://104.234.10.207:7931/itrdd/kcrs/file2[.]txt

It was confirmed by Arctic Wolf that these two files contain both the RomCom loader and the RomCom RAT payload itself.

SHA-256 c118895776e75eaa291d2a5f54f1de4f48756aec28cebaa1bf6fd9beb5d36301
File Name WinSCP-5.21.8-Setup.exe
File Size 1.22 MB (1280048 bytes)
Created 2023-05-03 10:15:01 UTC
Description RomCom downloader


Timeline of RomCom Attacks

Below is a timeline of all known RomCom attacks to date, including the name of the software Trojanized to deliver the malware payload in each attack.

Figure 16: Timeline of known RomCom attacks. 

Conclusions

Since at least mid-2022, RomCom has been a persistent threat affecting largely Ukrainian-based organizations, including both Government and Military. As the conflict between Ukraine and Russian forces escalates in Eastern Europe, the world becomes increasingly polarized by their support of one side or the other, whether on the ground in Ukraine via the provision of military supplies, or on a country’s own home turf via healthcare provided to those fleeing the conflict.

Following its observed Ukrainian-based targets, the RomCom group has been sighted by Arctic Wolf targeting other possibly pro-Ukrainian affiliated organizations – namely those based in the U.S. – in recent months. The last-observed campaigns target politicians in Ukraine, and a U.S.-based healthcare institution running a humanitarian aid program for refugees fleeing from Ukraine.

The threat actor behind the RomCom RAT appears to be actively interested in what Western countries are doing to support Ukraine, what Ukraine is doing, and who the refugees are receiving help from in the United States. If medical records stored electronically are stolen, it would be easy for the threat actor (and those they are affiliated with) to profile the patient and use that data in future war scenarios and in geopolitics in general.

Even the extraction of partial information, such as name, sex, date of birth, and related data, poses a potential risk to that person and those who provide them with any type of aid in future.

Indicators of Compromise (IOCs)

Main Binary

SHA-256 6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d
File Name Installer.RemoteDesktopManager.2022.3.35.0.exe
File Size 6.91 MB (7244272 bytes)
Created 2023-03-10 11:30:07 UTC
Details Main Windows 64-bit (Signed Binary) contains installer and bundled RomCom malware


Main Binary – Digital Certificate

Name Noray Consulting Ltd.
Serial Number 56 E1 49 7E FD DA B4 55 B2 35 E6 0C 3C 53 E7 F4
Name SSL.com Timestamping Unit 2022
Serial Number 1A D6 08 A7 D6 34 B5 CD DE 97 CB A3 CC F0 D0 4B


Main Binary – Drop Files (%Users%\Public\Libraries)

SHA-256 c94e889a6c9f4c37f34f75bf54e6d1b2cd7ee654cd397df348d46abe0b0f6ca3
File Name installer.RemoteDesktopManager.2022.3.35.0.exe
File Size 1.59 MB (1671808 bytes)
Created 2023-02-15 14:54:16 UTC
Description Legitimate Devolutions RDM installer


SHA-256 0501d09a219131657c54dba71faf2b9d793e466f2c7fdf6b0b3c50ec5b866b2a
File Name netid3231462335.dll0, netid3283347891.dll (pattern: netid [0-9] .dll)

File Size 2.57 MB (2696704 bytes)
Created 2023-03-10 10:56:58 UTC
Description Core RomCom binary


SHA-256 65778e3afc448f89680e8de9791500d21a22e2279759d8d93e2ece2bc8dae04d
File Name prxyms3231462335.dll
File Size 2.54 MB (2660864 bytes)
Created 2023-03-10 10:57:01 UTC
Description RomCom Loader


SHA-256 8d805014ceb45195be5bab07a323970a1aa8bc60cdc529712bccaf6f3103e6a6
File Name procsys.dll
File Size 3.67 MB (3848704 bytes)
Created 2023-03-23 04:16:43 UTC
Description Additional infostealer


GoTo Meeting Opener Drop Files (%Users%\Public\Libraries)

SHA-256 3b26e27031a00a32f3616de5179a003951a9c92381cd8ec552d39f7285ff42ee
File Name MSI420A.tmp
File Size 20.88 MB (21899264 bytes)
Created 2023-02-15 06:04:43 UTC
Description RomCom RAT Dropper created by GoTo Meeting opener


SHA-256 3e293680e0f78e404fccb1ed6daa0b49d3f6ea71c81dbaa53092b7dd32e81a0d
File Name netid [0-9] .dll
File Size 5.02 MB (5266432 bytes)
Created 2023-02-14 13:59:54 UTC
Description Core RomCom binary


SHA-256 916153d8265a2f9344648e302c6b7b8d7e1f40f704b0df83edde43986ab68e56
File Name prxyms[0-9] .dll
File Size 4.97 MB (5215744 bytes)
Created 2023-02-14 13:58:54 UTC
Description Loader RomCom binary


SHA-256 e7914f823ed0763c7a03c3cfdbcf9344e1da93597733ac22fe3d31a5a4e179aa
File Name winipfile[0-9] .dll
File Size 5.41 MB (5676544 bytes)
Created 2023-02-14 14:00:20 UTC
Description RomCom binary


WinSCP-5.21 Drop Files (%Users%\Public\Libraries)

SHA-256 a5dae9b7ff88276f699eece44eb4b183f1b1de6bef9e159c417ba621a949f744
File Name bnert.dll0
File Size 390.00 KB (399360 bytes)
Created 2023-05-03 10:01:38 UTC
Description RomCom binary


SHA-256 1308146f161ed60c86532dd2d2de8de8b0401e27023fc56f83903f137fccacfd
File Name xlmtdm.dll
File Size 185.50 KB (189952 bytes)
Created 2023-05-03 10:04:11 UTC
Description RomCom loader


Networking

Domain rdp-devolutions[.]com
IP 74.119.239[.]234
Domain startleague[.]net
IP 46.246.98[.]15
IP 104.234.10[.]207:7931


About Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings.

Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.

This article was originally posted on the BlackBerry® blog on June 7, 2023. Arctic Wolf acquired Cylance® and its research teams from BlackBerry in February 2025. The BlackBerry Research and Intelligence team is now part of Arctic Wolf Labs.
