RomCom RAT Attacking UK Organizations Via Customer Feedback Portals

May 6, 2025 - 05:09

A sophisticated Remote Access Trojan (RAT) dubbed “RomCom” has emerged as a significant threat targeting UK organizations through their customer feedback portals.

Cybersecurity experts have identified a coordinated campaign exploiting these seemingly innocuous feedback mechanisms to deliver the malware, which grants attackers comprehensive remote control over infected systems.

The attacks have primarily targeted financial services, healthcare providers, and government contractors in the United Kingdom since early April 2023.

The threat actors behind RomCom have demonstrated advanced social engineering skills by crafting convincing feedback submissions that contain embedded malicious code.

When customer service representatives open these submissions, the malware exploits vulnerabilities in feedback processing applications to establish persistence.

Initial analysis indicates that over 30 organizations have been compromised, with attackers gaining access to sensitive customer data and internal network resources.

Bridewell analysts identified the malware’s distinctive command and control infrastructure, which employs encrypted communications channels that mimic legitimate HTTPS traffic.

“The sophistication of this campaign suggests a well-resourced threat actor with potential nation-state backing,” noted Seqrite’s lead researcher Dr. Emma Richardson.

“The attackers’ ability to bypass conventional security measures indicates extensive reconnaissance of target environments.”

What distinguishes this campaign is its specialized focus on feedback portals, an attack vector previously underutilized in sophisticated attacks.

The malware’s name “RomCom” derives from its dual-component structure, with a “romantic” initial lure via personalized customer feedback that subsequently “communicates” with command servers once installed.

Most concerning is the malware’s modular framework, allowing attackers to deploy additional payloads tailored to specific organizational environments.

Infection Mechanism Analysis

The infection process begins when an organization’s customer service representative opens a specially crafted feedback submission containing obfuscated JavaScript.

This script executes a PowerShell command that downloads the primary payload from a compromised third-party server. The initial infection sequence typically resembles:

let feedback = {
    "customerName": "James Wilson",
    "feedbackText": "Great service overall!"
};

Once executed, the RAT establishes persistence through a scheduled task that masquerades as a Windows Update component.

The malware then begins collecting system information, capturing screenshots, and monitoring keystrokes while awaiting further instructions from its operators.

The malware utilizes a sophisticated anti-analysis technique that detects debugging environments and virtual machines, terminating its operation if such environments are detected.

STIX graph for ‘Operation Deceptive Prospect’ (Source – Bridewell)

The STIX graph shows the complete infection sequence from initial feedback submission to full system compromise.

Feedback Portal Complaints (Source – Bridewell)

Cybersecurity experts recommend organizations implement strict input validation on customer feedback forms, disable JavaScript processing in feedback management systems, and employ application allowlisting to prevent unauthorized code execution.

Security teams should also monitor for unexpected PowerShell activity and unusual outbound network connections that could indicate RomCom or similar RAT infections.
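As an added example (not code from the article or from Bridewell), the two monitoring hints above applied to constructed Sysmon-style process-creation events: PowerShell launched from an unexpected parent or with a hidden-window, encoded or download-cradle command line, and a scheduled task named after Windows Update whose action runs from outside the Windows directory. The FeedbackDesk application name, the set of expected parent processes and every event value are assumptions.

```python
import json
import ntpath
import re

# Constructed Sysmon-style process-creation events (JSON lines); none of this is real telemetry.
# 4120: PowerShell launched by a hypothetical feedback-desk client with a hidden, encoded command.
# 4133: a scheduled task named like Windows Update whose action runs from the user's AppData.
# 5001: benign PowerShell started by an administrator from a console.
SAMPLE_LOG = [
    r'{"pid": 4120, "parent_image": "C:\\Program Files\\FeedbackDesk\\FeedbackDesk.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand AAAA"}',
    r'{"pid": 4133, "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks.exe /Create /SC ONLOGON /TN WindowsUpdateCheck /TR C:\\Users\\jwilson\\AppData\\Roaming\\wuaucheck.exe"}',
    r'{"pid": 5001, "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -File C:\\Scripts\\rotate-logs.ps1"}',
]

# Parents from which PowerShell is normally expected in this (assumed) environment.
EXPECTED_POWERSHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe"}
# Command-line markers of download cradles, hidden windows and encoded commands.
SUSPICIOUS_PS_ARGS = re.compile(
    r"(?i)-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|downloadfile"
    r"|invoke-webrequest|\biex\b|net\.webclient"
)
TASK_NAME = re.compile(r"(?i)/TN\s+(\S+)")
TASK_RUN = re.compile(r"(?i)/TR\s+(\S+)")


def analyze(lines):
    """Return one alert dict per event that matches either detection rule."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        image = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev["parent_image"]).lower()
        cmd = ev["cmdline"]
        if image == "powershell.exe":
            reasons = []
            if parent not in EXPECTED_POWERSHELL_PARENTS:
                reasons.append(f"spawned by unexpected parent {parent}")
            if SUSPICIOUS_PS_ARGS.search(cmd):
                reasons.append("hidden window, encoded command or download cradle")
            if reasons:
                alerts.append({"pid": ev["pid"], "rule": "unexpected_powershell", "reasons": reasons})
        elif image == "schtasks.exe" and "/create" in cmd.lower():
            name, action = TASK_NAME.search(cmd), TASK_RUN.search(cmd)
            # A task named after Windows Update should not run a binary outside C:\Windows.
            if (name and action and "update" in name.group(1).lower()
                    and not action.group(1).lower().startswith("c:\\windows\\")):
                alerts.append({"pid": ev["pid"], "rule": "masquerading_scheduled_task",
                               "reasons": [f"task {name.group(1)} runs {action.group(1)}"]})
    return alerts
```

Running `analyze(SAMPLE_LOG)` flags events 4120 and 4133 and leaves the administrator's script launch alone; in production the parent allowlist must be tuned to what actually spawns PowerShell in the estate.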


The post RomCom RAT Attacking UK Organizations Via Customer Feedback Portals appeared first on Cyber Security News.