Also known as: Win64:MalwareX-gen [Trj], Trojan.GenericKD.61083265, Trojan.Win64.Agentb.ktrn, Trojan:Win64/CobaltStrike!MTB
Category: Malware
Type: Remote access trojan (RAT)
Platforms affected: Windows
Variants: PEAPOD
Damage potential: Account takeover, identity theft, data theft (including passwords and banking information), keylogging, secret recording, taking screenshots, adding the device to a botnet
Overview
RomCom RAT is a remote access trojan that rose to prominence in 2022 after targeting the institutions of the Ukrainian military and its allies following the Russian invasion. While the threat actor behind RomCom RAT has not been confirmed yet, the malware’s pattern of activity suggests that the perpetrators may be operating at the behest of some nation state. The primary goal of RomCom RAT is to steal data and spy on the victim, potentially adding the infected device to a botnet to carry out further attacks.
Possible symptoms
Like any malware designed for stealing data and spying, RomCom RAT uses stealth to operate beneath notice for as long as possible. As such, the victim is unlikely to notice any obvious alterations to their files or outward signs of infection.
Potential indicators of a RomCom RAT infection include:
- Your device frequently freezes or stutters.
- Your device’s fan seems to be constantly on, even when the device is idle.
- Other malware appears on your device without a known cause.
- Your device periodically sends data to unknown remote servers (RomCom RAT is uploading device information to its handlers).
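The last indicator above is the one a defender can actually measure. A RAT checking in with its handlers tends to contact the same remote address at a near-constant interval, which ordinary browsing does not. The script below is an added example, not code from the original page: it reads a constructed connection log (the timestamps, host name and addresses are made up for the example, using the documentation address ranges), groups connections by destination and flags destinations whose inter-connection gaps are many and nearly uniform.

```python
"""Spot periodic outbound connections ("beaconing") in a connection log.

Added example, not part of the original page. The log format, host name and
addresses below are constructed for the illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line:
#   "<ISO timestamp> <source host> <destination ip>:<port> <bytes out>"
# 203.0.113.45 is contacted exactly once a minute; the others are irregular.
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-17 203.0.113.45:443 1312
2024-03-01T09:00:04 ws-17 198.51.100.10:443 8820
2024-03-01T09:01:00 ws-17 203.0.113.45:443 1298
2024-03-01T09:01:31 ws-17 198.51.100.22:443 541
2024-03-01T09:02:00 ws-17 203.0.113.45:443 1330
2024-03-01T09:02:47 ws-17 198.51.100.10:443 12044
2024-03-01T09:03:00 ws-17 203.0.113.45:443 1301
2024-03-01T09:04:00 ws-17 203.0.113.45:443 1320
2024-03-01T09:04:09 ws-17 198.51.100.10:443 2201
2024-03-01T09:05:00 ws-17 203.0.113.45:443 1305
"""


def parse_log(text):
    """Return {destination: [connection times]} for the constructed log format."""
    by_destination = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, _source, destination, _bytes_out = line.split()
        by_destination[destination].append(datetime.fromisoformat(timestamp))
    return by_destination


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Flag destinations contacted at least min_connections times whose gaps
    between consecutive connections are nearly uniform.

    Uniformity is measured as the coefficient of variation (standard deviation
    divided by mean) of the gaps; 0.0 means perfectly regular. max_cv is a
    tuning knob: raise it to tolerate implants that add jitter to their timer.
    """
    hits = []
    for destination, times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        average = mean(gaps)
        if average <= 0:
            continue
        cv = pstdev(gaps) / average
        if cv <= max_cv:
            hits.append({
                "destination": destination,
                "connections": len(times),
                "mean_interval_s": average,
                "interval_cv": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['destination']}: {hit['connections']} connections every "
              f"~{hit['mean_interval_s']:.0f}s (cv={hit['interval_cv']})")
```

On the sample log only 203.0.113.45:443 is reported (six connections, sixty seconds apart, cv 0.0). Real proxy or firewall logs need the same grouping over a longer window, and a regular destination is a lead to investigate, not proof of infection: software updaters and monitoring agents beacon too, so the unknown destinations are the ones worth triaging.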
Sources of the infection
RomCom RAT is typically hidden in legitimate software to evade detection. This software is hosted on spoofed websites — convincing copies of real websites from such companies as SolarWinds, KeePass, PDF Technologies, and Veeam. RomCom RAT operators use spear phishing emails (crafted to mimic the style of official communications as closely as possible) to deliver the download link to the victim.
Your device may also get infected with RomCom RAT malware from:
- ZIP archives that are disguised as PDF documents (for example, invoices) attached to phishing emails.
- Infected software “cracks” (programs designed to bypass legitimate copy protection measures).
- Drive-by downloading (malicious scripts on compromised websites that force your device to automatically download malware when the page loads).
- Peer-to-peer (P2P) sharing of infected files.
- Infected external devices, such as hard drives or USB sticks.
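The first item in the list above, a ZIP archive posing as a PDF invoice, is something a mail gateway or endpoint can check mechanically, because a file's leading bytes (its magic number) identify the real type regardless of the name. The script below is an added example, not code from the original page: it compares the claimed extension with the detected type and also flags double extensions such as a name ending in ".pdf.zip". The attachments it scans are constructed byte strings, not real files.

```python
"""Check whether an attachment's content matches what its name claims.

Added example, not part of the original page. The sample attachments are
constructed byte strings; the magic numbers are the well-known constants.
"""

# Well-known leading bytes (magic numbers) for the types this check recognises.
MAGIC = [
    (".pdf", b"%PDF-"),
    (".zip", b"PK\x03\x04"),          # ordinary ZIP archive
    (".zip", b"PK\x05\x06"),          # empty ZIP archive
    (".exe", b"MZ"),                  # Windows PE executable (also .dll, .scr)
    (".png", b"\x89PNG\r\n\x1a\n"),
]

# Extensions a recipient reads as "just a document"; used to catch invoice.pdf.zip.
DOCUMENT_EXTENSIONS = {".pdf", ".png", ".doc", ".docx", ".xls", ".xlsx"}


def detect_type(data):
    """Return the extension whose magic number matches the leading bytes, or None."""
    for extension, magic in MAGIC:
        if data.startswith(magic):
            return extension
    return None


def inspect_attachment(filename, data):
    """Return a list of findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    labels = filename.lower().split(".")
    extensions = ["." + label for label in labels[1:]]   # every extension in the name
    claimed = extensions[-1] if extensions else ""

    # A document extension buried before the real one is the classic disguise.
    if len(extensions) > 1 and any(e in DOCUMENT_EXTENSIONS for e in extensions[:-1]):
        findings.append(f"double extension: name reads like a document but ends in {claimed}")

    actual = detect_type(data)
    if actual is None:
        findings.append("unrecognised content type")
    elif actual != claimed:
        findings.append(f"content is {actual} but name claims {claimed or 'no extension'}")
    if actual == ".exe":
        findings.append("content is a Windows executable")
    return findings


# Constructed sample attachments: (name, first bytes). Not real files.
SAMPLES = [
    ("invoice_2024-03.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),            # genuine PDF
    ("invoice_2024-03.pdf", b"PK\x03\x04\x14\x00\x00\x00\x08\x00"),       # ZIP posing as a PDF
    ("invoice_2024-03.pdf.zip", b"PK\x03\x04\x14\x00\x00\x00\x08\x00"),   # double extension
    ("Setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),                         # honest executable
]


def scan_samples(samples=SAMPLES):
    """Return {sample index: findings} for every sample with at least one finding."""
    report = {}
    for index, (name, data) in enumerate(samples):
        findings = inspect_attachment(name, data)
        if findings:
            report[index] = findings
    return report


if __name__ == "__main__":
    for index, findings in scan_samples().items():
        print(f"{SAMPLES[index][0]}: {'; '.join(findings)}")
```

The genuine PDF passes; the other three samples each produce a finding. A ZIP that is honestly named ".zip" passes the type check, which is why this is a triage step in front of content scanning rather than a replacement for it.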
Protection
To protect yourself against RomCom RAT, you need to form good cybersecurity habits. Because RomCom RAT typically targets institutions working with the military, critical infrastructure, or the government, their employees must be exceptionally vigilant about spear phishing attempts. Never download software through email links without first confirming it in person with your IT department, and always scan items you download for potential malware.
You can also take these other protective measures:
- Use email scanning tools to identify and automatically block messages with suspicious attachments.
- Use content disarm and reconstruction (CDR) tools. CDR tools can disassemble infected documents, remove the malicious code, glue the file back together, and send the clean version to the intended recipient.
- Avoid potentially dangerous websites, like dark web pages or torrent repositories. These websites may attempt to install malware (including RomCom RAT) on your device as soon as you open them.
- Always check the legitimacy of the site before downloading anything. RomCom RAT operators often spoof legitimate websites to host infected files, so look for any sign of fraud (including the lack of HTTPS or web certificates).
- Use NordVPN’s Threat Protection Pro™ to scan programs and files for malware while they’re being downloaded. Along with the malware blocker, the feature also includes tools such as scam and fraud alert, which warns you when entering a known infected website, preventing drive-by download attacks.
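The advice above to check a site's legitimacy before downloading is easier to follow consistently when the first pass is automated. The script below is an added example, not code from the original page: it performs offline checks on a download link against an allowlist of approved download hosts (the hosts and URLs are constructed placeholders, not real vendor domains) and reports the warning signs a spoofed link commonly carries: plain http, a raw IP address as the host, punycode (xn--) labels that can hide look-alike characters, an approved vendor's name used on an unrelated host, and near-miss spellings of an approved host. It does not fetch the URL, so the certificate itself still has to be checked at connection time.

```python
"""Static triage of a download link before anyone clicks it.

Added example, not part of the original page. TRUSTED_HOSTS and the URLs in
the tests are constructed placeholders, not real vendor domains.
"""
import difflib
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: download hosts this organisation has approved.
TRUSTED_HOSTS = {"downloads.vendor-a.example", "www.vendor-b.example"}


def vendor_names(trusted):
    """The registrable label of each approved host, e.g. 'vendor-a' from downloads.vendor-a.example."""
    names = set()
    for host in trusted:
        labels = host.split(".")
        if len(labels) >= 2:
            names.add(labels[-2])
    return names


def check_download_link(url, trusted=TRUSTED_HOSTS):
    """Return {'url', 'verdict', 'findings'}; verdict is 'allowed' only with no findings."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    if parts.scheme != "https":
        findings.append("not served over HTTPS")

    # Vendors publish software under a name, not a bare address.
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address rather than a vendor name")
    except ValueError:
        pass

    # Internationalised labels can render as look-alikes of ASCII names.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (xn--) label in host; may hide look-alike characters")

    if host not in trusted:
        findings.append("host is not on the approved download list")
        # vendor-a.example.evil-cdn.example borrows the brand but is a different site.
        for name in sorted(vendor_names(trusted)):
            if name in host:
                findings.append(f"uses vendor name '{name}' on an unapproved host")
        # vend0r-a versus vendor-a: one character away from an approved host.
        for approved in sorted(trusted):
            ratio = difflib.SequenceMatcher(None, host, approved).ratio()
            if ratio >= 0.85:
                findings.append(f"close spelling of approved host {approved}")

    return {"url": url, "verdict": "blocked" if findings else "allowed", "findings": findings}


if __name__ == "__main__":
    for link in ("https://downloads.vendor-a.example/setup.msi",
                 "http://downloads.vend0r-a.example/setup.msi",
                 "https://downloads.vendor-a.example.evil-cdn.example/setup.msi"):
        result = check_download_link(link)
        print(result["verdict"], link, "; ".join(result["findings"]))
```

A link that survives these checks is still only a candidate: the allowlist is the real control, and an approved host reached over HTTPS with a valid certificate is the only result that should be treated as "allowed". Everything else goes to the IT department, which is exactly the in-person confirmation the Protection section asks for.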
Removal
After discovering a RomCom RAT infection, remove the malware with reputable antivirus software. Manual removal is not recommended because the trojan may have set up persistence mechanisms that restore it after you reboot your device.