The operators of RomCom RAT malware are continuing to evolve their campaigns by distributing rogue versions of software such as SolarWinds Network Performance Monitor, KeePass password manager, and PDF Reader Pro via fake copycat websites.

Targets of the operation consist of victims in Ukraine and select English-speaking countries like the U.K.

“Given the geography of the targets and the current geopolitical situation, it’s unlikely that the RomCom RAT threat actor is cybercrime-motivated,” the BlackBerry Threat Research and Intelligence Team said in a new analysis.

The latest findings come a week after the Canadian cybersecurity company disclosed a spear-phishing campaign aimed at Ukrainian entities to deploy a remote access trojan called RomCom RAT.

The unknown threat actor has also been observed leveraging trojanized variants of Advanced IP Scanner and pdfFiller as droppers to distribute the implant.

The latest iteration of the campaign entails setting up decoy lookalike websites with a similar domain name, followed by uploading a malware-laced installer bundle of the malicious software, and then sending phishing emails to targeted victims.

Fake Keypass website
Fake SolarWinds website

“While downloading a free trial from the spoofed SolarWinds site, a legitimate registration form appears,” the researchers explained.

“If filled out, real SolarWinds sales personnel might contact the victim to follow up on the product trial. That technique misleads the victim into believing that the recently downloaded and installed application is completely legitimate.”

It’s not just SolarWinds software. Other impersonated versions involve the popular password manager KeePass and PDF Reader Pro, including in the Ukrainian language.

The use of RomCom RAT has also been linked to threat actors associated with the Cuba ransomware and Industrial Spy, according to Palo Alto Networks Unit 42, which is tracking the the ransomware affiliate under the constellation-themed moniker Tropical Scorpius.

Given the interconnected nature of the cybercriminal ecosystem, it’s not immediately evident if the two sets of activities share any connections or if the malware is offered for sale as a service to other threat actors.

“The apparent RomCom connection to Cuba Ransomware and Industrial Spy groups is based on the network configuration link, which might also be used as a distraction,” BlackBerry’s Dmitry Bestuzhev said. “Given the nature of the targets and geographical location of the victims, it’s evident the motivation is not a financial one.”

Update: Palo Alto Networks Unit 42 said it also uncovered an instance of RomCom RAT packaged as an installer for the Veeam Backup & Replication software that’s hosted on a malicious domain named “wveeam[.]com.”

Like in the case of SolarWinds, downloading the installer file redirects the victim to a form that prompts the victim to enter their personal details. What’s more, the size of the modified installer is more than 10GB, allowing it to bypass automated security solutions.

“These tools are typically used by Western mid-size organizations,” Pete Renals, principal researcher at Unit 42, told The Hacker News in a statement. “Based on Unit 42’s analysis of RomCom targeting, infrastructure, and packaging, it suggests that this campaign is more broad than an APT focus.”

“As of now, we have only seen RomCom malware used by Cuba ransomware,” Doel Santos, senior threat researcher at Unit 42, further added.