Decoding RomCom: Behaviors and Opportunities for Detection

The threat actor behind the RomCom RAT has been particularly active since the beginning of Russia’s invasion of Ukraine. Since its discovery, we have carefully followed its campaigns and referred to it as an unattributed threat actor, although for the purposes of this report we’ve referred to it simply as RomCom. However, RomCom’s capabilities prove that the threat actor is a nation-state or a nation-state-affiliated threat actor.

In this report, we provide behavioral detection tips for the RomCom campaign targeting U.S.-based healthcare organizations providing humanitarian assistance to refugees from Ukraine. We also provide YARA rules to detect exploits and payloads from the RomCom campaign targeting the latest NATO summit in Vilnius, which was held on July 11-13, 2023.

Brief Combined MITRE ATT&CK® Information

Weaponization and Technical Overview

Technical Analysis

Context

An unattributed threat actor observed to be using the RomCom RAT has been actively targeting first Ukraine, and then Western countries supporting Ukraine, since the Russian invasion. The group was discovered in the middle of 2022. Since then, it has been seen deploying a range of techniques, from spreading through melted (Trojanized) applications via social engineering, to spear-phishing emails sent to people attending the last NATO summit in Vilnius. The latter was weaponized by exploits, including N-day (an exploited vulnerability that has a patch available) and zero-day techniques.

Let’s take a closer look at some of these campaigns:

ROMCOM CAMPAIGN #1: “Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine”

(NOTE: A private version of this report is available for commercial cyber threat intelligence (CTI) customers under the UUID 57cdfd5b-3db2-4ca7-ba39-bab4ce22c159, while the public version of the report is available here.)

Behavioral Detection Opportunities Analysis

Fake Remote Desktop Manager Application

That is a melted binary the victim downloads and runs. It initiates the following sequence of activities in the victim system.

File Activity

Throughout the execution chain, multiple relevant file events offer valuable insights into the malware’s activities. The path C:UsersPublicLibraries emerges as a prominent location extensively utilized throughout the infection process.

Upon the user’s execution of the payload, a series of files are generated within the path mentioned above. The extensions of the files created are:

• .dll
• .dll0
• .conf
• .exe

Each of these files serves a specific purpose within the infection ecosystem, encompassing secondary payloads, file configurations, and the real binary of the Trojanized application.

The following illustrates a generated event showing a Trojanized app running on an operating system (OS) through the event ID 11 associated with FileCreate in Sysmon.

Table 1: Sysmon event for the file creations under Public folder

The following method can be implemented in your infrastructure to identify the creation of files via the path C:UsersPublicLibraries, not only generated by RomCom-affiliated threat actors, but also used by others with malicious intent.

Table 2: Sigma rule to detect the creation of specific extensions used by RomCom in Public folder

In previous malicious campaigns by RomCom, it was observed that the utilization of the path C:UsersPublic was used to dump additional payloads during the infection. Considering this recurring pattern, we have chosen to employ the TargetFilename rule specifically for this path, excluding the Libraries subfolder. However, if this rule proves to be excessively noisy in your environment, it is advisable to include the Libraries folder in the rule. It is worth noting that if legitimate software within your environment utilizes C:UsersPublic, you can implement a filter within the rule rather than adding the Libraries folder.

Another noteworthy behavior witnessed during the recent campaign is that the RomCom threat group is using the AppDataLocalTemp directory to store the legitimate binary of the program that would be executed during the infection chain.

To validate this execution behavior, we conducted an experiment by installing the original software from the company spoofed by RomCom. However, we did not observe the same behavior.

Table 3: Sysmon event for the file creations under AppData folder

The abovementioned event holds significant interest due to the consistent file pattern creation observed in multiple executions. Another intriguing aspect is that the file is generated by an executable within the PublicLibraries folder, which is unusual behavior.

A commonly observed behavior in Windows operating systems is to generate a file or folder with the pattern “is-[a-zA-Z0-9]5.tmp”. To illustrate its prevalence, the following image is a query from VirusTotal, which identifies files conducting activities under the AppDataLocalTempis- path having zero positives in the analysis made by the various vendor engines.

Figure 1: Files showing activity with the pattern associated with RomCom and showing zero positives

However, we won’t get any results if we add the path UsersPublicLibraries to the process activity of the VirusTotal query.

Figure 2: Files showing activity associated with the pattern associated with RomCom, adding the Libraries path with zero positives

Conversely, upon removing the “p” argument from the query, we obtained four results, which include our RomCom RAT sample, as well as other malicious samples.

Figure 3: Files showing activity associated with the pattern associated with RomCom and adding the Libraries path

We believe that the pattern of the file created in AppData isn’t enough to generate a good detection specific to this intrusion. For that reason, we have included the Image field to this rule besides the regex, just to verify that the creation was made by some suspicious process.

Table 4: Sigma rule to detect the creation of .tmp file with a specific pattern used by RomCom

Furthermore, it is crucial to note that the .tmp file created is in Portable Executable (PE) format. This aspect will be explored in greater detail in the upcoming sections concerning process events.

Process Activity

In terms of process activity, we have identified two detections opportunities related to this intrusion. The use of the PublicLibraries folder plays an important role in this context as it is unusual to have a lot of legitimate software engage in the specific activities observed within this folder. Therefore, this folder’s association becomes instrumental in identifying suspicious behavior and potential indicators of compromise (IoCs).

Table 5: Sysmon event for the process creation with a parent process from PublicLibraries

The use of blank spaces in various fields, such as Company, Product, or OriginalFileName, fascinated us in this Sysmon event. In addition, by looking at the behavior itself, we can see that a file with the extension .tmp was created and stored with the ProcessCreation (Event ID 1) in the AppDataLocalTemp folder. The PE under “Public Libraries” is the parent process of all this activity.

These are the main characteristics of this behavior, and we developed the following rule to catch it.

Table 6: Sigma rule to detect the execution of a .tmp file stored in Temp from a parent PE from Public

We made this Sigma rule a bit more generic to identify other possible suspicious behaviors. If the rule is noisy, we suggest adding the Libraries path to the ParentImage|contains field and maybe the regex we saw in the file activity section to the Image|contains field of the above rule (‘is-[a-zA-Z0-9]{5}.tmp’).

The next execution is related to the file created under the AppData folder.

Table 7: Sysmon event with process execution and interesting command line

In this Sysmon event, there is an interesting command line associated with a PE file stored in the Temp folder with a .tmp extension. Notably, the command line contains the string “SL5=” which has been identified as a common pattern, along with the presence of a folder that starts with “is-“. To effectively detect this malware, it is crucial to include the value “UsersPublicLibraries” in the command line.

Table 8: Sigma rule to detect the execution of a file created in Temp with the specific command line used by RomCom RAT

The use of Rundll32.exe to load Dynamic Link Libraries (DLLs) is not a common behavior observed in RomCom campaigns, but it can be seen in the operations of various other threat actors. Within the Windows operating system, this action can be seen as normal and lawful, but there are some situations that can suggest malevolent intent.

Table 9: Sysmon event executing rundll32.exe with explorer.exe as a parent process

There is questionable behavior in the specific Sysmon event that is noteworthy. Rundll32.exe as a child process of explorer.exe is not expected. Furthermore, additional evidence of malicious activity in this event is the DLL being utilized throughout this report: UsersPublicLibraries. A publicly available Sigma rule can be used to assist in detecting such activity.

Table 10: Sigma rule to detect Rundll32 with suspicious parent process

In conclusion, a straightforward and effective rule to detect RomCom and other threats is to identify executions originating from uncommon folders.

Table 11: Sysmon event related to an execution from a suspicious folder

The execution of binaries from UsersPublicLibraries are frequently utilized by many threat actors during their operations but are not prevalent in the day-to-day operations of the Windows OS. There is a public Sigma rule to detect them.

Table 12: Sigma rule to detect execution from suspicious folders

Registry Activity

As we saw at the start of our research, the RomCom RAT deposits several DLLs in the UsersPublicLibraries directory. Using Component Object Model (COM) objects, one of those DLLs is used for system persistence.

Table 13: Sysmon event using setting a new value in the registry

The technique for COM object hijacking is used by a number of threat actors to create persistence in the system. Their goal is modifying the InprocServer32 key of the object, thus establishing a new DLL which will be loaded instead of the legitimate one.

In this case, the CLSID used is {C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}, which is related to PSFactoryBuffer/. The legitimate value should be the DLL ActXPrxy.dll, stored under C:WindowsSystem32. However, during the infection chain, the DLL stored under that registry key is the one that we can see in the above Sysmon event C:UsersPublicLibrariesprxyms2922538259.dll.

Table 14: Sigma rule to detect PSFactoryBuffer COM object hijack

The rule was created to detect any value under this registry key, but filtering the legitimate DLL to avoid false positives (FPs). Indeed, during the infection, the threat actor forces the explorer.exe process to restart to load the DLL.

Image Loaded Activity

In addition to using the DLLs to create persistence in the system, these are used to be loaded into legitimate processes using process injection techniques as we have observed and mentioned in the last section.

Table 15: Sysmon event loading a malicious DLL to explorer.exe

During the execution process, both Rundll32.exe and explorer.exe have been observed to load malicious DLLs. In the above example, a DLL is loaded from the PublicLibraries path into explorer.exe. It is worth mentioning that legitimate Windows binaries typically load DLLs from the System32 directory, although there may be exceptions involving alternative paths.

To detect this behavior, there is a public Sigma rule created with that purpose.

Table 16: Public Sigma rule to detect DLLs loaded from suspicious paths

This Sigma rule can detect these DLLs loaded by rundll32.exe and explorer.exe

• C:UsersPublicLibrariesnetid2922538259.dll0 loaded by rundll32.exe
• C:UsersPublicLibrariesprxyms2922538259.dll loaded by explorer.exe

CAMPAIGN #2: “RomCom Threat Actor Suspected of Targeting Ukraine’s NATO Membership Talks at the NATO Summit”

(NOTE: A private version of this report is coded for commercial CTI customers under the UUID fbc9b702-28b5-4fdd-86a6-11542fc0d28b, while the public version of the report is available here.)

File Detection Opportunities Analysis

Detailed technical analysis is provided in our previous post mentioned above. WIn addition to this, we’d like to additionally provide the following RomCom artifacts for file detection opportunities.

Loader

The loader masquerades as a SurveyMonkey application(s) and serves as a simple downloader to connect to a malicious command-and-control (C2) and retrieve the next-stage payload.

Upon execution, this simply enumerates the victim host, such as querying the Internet and proxy settings before making an HTTP GET request to hxxp://finformservice[.]com:80/api/v1.5/<TRUNCATED>

Resolving to IP Address: 65[.]21[.]27[.]250.

Figure 4: Connection to malicious C2

The request contains the same default JSON Web Token (JWT) parameters listed here.

A next-stage payload is retrieved if a successful connection is made; however, if the request is unsuccessful, the binary terminates execution after several connection attempts.

Upon a successful connection, and should the victim be of interest to the attacker, the next stage payload is sent to the compromised node.

The payload is a .dll called “Security.dll” which is saved to a newly created directory named “C:UsersPublicAccountPicturesDefenderSecurity.dll”.

It is then given a persistence mechanism via SOFTWAREMicrosoftWindowsCurrentVersionRun, along with the creation of Windows Services under the group: C:WindowsSystem32svchost.exe -k DcomLaunch.

Figure 5: Create Windows Service

Conclusions

Based on the targets and timelines from previous reports about RomCom and the ongoing geopolitical situation with Russia’s invasion of Ukraine, the threat group RomCom pursues the goals of Ukraine’s opponents.

We learned that this threat actor continuously changes and adapts its behavior and carefully follows publicly available research on its campaigns.

We have not observed RomCom using exploits before the campaign targeting the last NATO Summit. That includes a previously unknown zero-day CVE-2023-36884. To protect from CVE-2023-36884, you need to implement additional mitigations. A patch is not included in the affected vendor’s monthly update, so please see the Mitigations section of their public advisory.

These capabilities prove that this group is a nation-state or a nation-state-affiliated threat actor following the geopolitical agenda surrounding the war in Ukraine. We have no reason to believe the threat actor will cease its operations in the immediate future.

BlackBerry has created behavioral logs and Sigma rules for the RomCom campaign targeting healthcare in the United States, and YARA rules to detect malicious tools used in their attack against the last NATO Summit. These are all available in the Appendix.

If you are looking for Sigma rules to detect the CVE-2023-36884 exploitation, please check Nextron Systems contribution here: https://github.com/SigmaHQ/sigma/pull/4346#event-9837111332

APPENDIX 1 – Referential Indicators of Compromise (IoCs)

APPENDIX 2 – Applied Countermeasures

Sigma Rules

YARA Rules

Disclaimer: The private version of this report is available upon request. It includes, but is not limited to, the complete and contextual MITRE ATT&CK® mapping, MITRE D3FEND™ countermeasures, Attack Flow by MITRE, and other threat detection content for tooling, network traffic, complete IoCs list, and system behavior. Please email us at cti@blackberry.com for more information.

For similar articles and news delivered straight to your inbox, subscribe to the BlackBerry Blog.

Related Reading