The RomCom threat group has resurfaced with a new campaign targeting attendees of the NATO Summit in Vilnius, Lithuania, specifically those following the question of Ukraine's future membership in the alliance. Researchers at BlackBerry Threat Research and Intelligence traced the campaign's infrastructure to an IP address in Hungary and attribute the activity to RomCom, a threat actor known for targeting pro-Ukraine organizations.
The researchers discovered two malicious documents. One impersonates the Ukrainian World Congress; the other poses as a lobbying document in support of Ukraine. Both are aimed at supporters of Ukraine attending the summit, where Ukraine's possible NATO membership is on the agenda.
According to BlackBerry, the documents are weaponized .RTF files: when rendered, they reach out to command-and-control infrastructure controlled by the group and retrieve a payload known as the RomCom downloader. Once executed, the downloader contacts the group's remote server and registers a profile of the victim machine. If the operators judge the victim to be of interest, they push a next-stage payload.
Although the researchers discovered the malicious documents on July 4, they believe RomCom had already staged a dry run of the campaign on June 22.
BlackBerry was unable to establish the initial infection vector. The team assesses that the group most likely used spear-phishing to lure victims to a carefully crafted replica of the Ukrainian World Congress website, hosted on a typosquatted domain. Typosquatting registers domains that mimic a real brand or organization name with a small, easily overlooked change (a misspelling, a dropped or swapped character, a look-alike letter, or a different top-level domain) so that the address passes as legitimate at a glance.
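The check a mail gateway or SOC could run over sender and link domains to catch this kind of lookalike, added here as an example and not code from BlackBerry or the original article. It assumes ukrainianworldcongress.org is the organisation's genuine domain (verify before use), splits domains naively on the last label instead of consulting the Public Suffix List, and uses a short, constructed table of confusable substitutions; the observed domains are constructed test input.

```python
import re

# Substitutions attackers use to make a lookalike read like the real name.
# Constructed, partial table; extend it from lookalikes you have actually observed.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("5", "s"), ("7", "t"), ("@", "a"), ("-", "")]


def normalise(label):
    """Lower-case a DNS label and undo common look-alike substitutions."""
    label = label.lower()
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def osa_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution and
    adjacent transposition each cost 1, so 'congerss' is 1 away from 'congress'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def labels_of(domain):
    """Extract the host from a URL or bare domain and split it into labels.
    Assumption: the last label is the public suffix (no Public Suffix List here)."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", domain.strip().lower())
    host = host.split("/")[0].split("@")[-1].split(":")[0].rstrip(".")
    labels = host.split(".")
    return [""] + labels if len(labels) < 2 else labels


def classify(candidate, legit_domains, max_distance=2):
    """Compare one observed domain against the domains the organisation really uses.
    Returns (verdict, matched_legit_domain_or_None)."""
    c = labels_of(candidate)
    c_name, c_suffix = c[-2], c[-1]
    for legit in legit_domains:
        lg = labels_of(legit)
        l_name, l_suffix = lg[-2], lg[-1]
        if c_name == l_name and c_suffix == l_suffix:
            return "legitimate", legit              # same registrable domain, any subdomain
        if c_name == l_name:
            return "lookalike:different-suffix", legit
        if l_name in c[:-2]:
            return "lookalike:brand-as-subdomain", legit   # brand.org.attacker.example
        if normalise(c_name) == normalise(l_name):
            return "lookalike:confusable-or-hyphen", legit
        dist = osa_distance(normalise(c_name), normalise(l_name))
        if dist <= max_distance:
            return "lookalike:edit-distance-%d" % dist, legit
    return "no-match", None


LEGIT = ["ukrainianworldcongress.org"]   # assumed genuine domain; verify before use

OBSERVED = [  # constructed candidates, as pulled from mail headers or proxy logs
    "https://www.ukrainianworldcongress.org/summit",
    "ukrainianworldcongress.info",
    "ukrainian-world-congress.org",
    "ukrainianwor1dcongress.org",
    "ukrainianworldcongres.org",
    "ukrainianworldcongress.org.attacker.example",
    "example.com",
]


def triage(observed=OBSERVED, legit=LEGIT):
    """Map each observed domain to its verdict."""
    return {d: classify(d, legit)[0] for d in observed}


if __name__ == "__main__":
    for dom, verdict in triage().items():
        print("%-34s %s" % (verdict, dom))
```

The ordering of the checks matters: an exact registrable-domain match is accepted before any fuzzy rule runs, so legitimate subdomains are never flagged, while the brand-as-subdomain rule catches the common trick of putting the real name in front of an attacker-controlled parent domain.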
The documents also carry an exploit chain for Follina, a flaw in the Microsoft Support Diagnostic Tool (MSDT) officially tracked as CVE-2022-30190 and exploited by other threat actors as well. A crafted .DOCX or .RTF document that references an external object makes Office fetch attacker-controlled content, which in turn invokes MSDT through the ms-msdt: URL handler and gives the attacker remote code execution. Because the chain uses no macros, disabling macros does not stop it, and the .RTF variant can fire when the file is merely previewed in Windows Explorer, before Protected View would ever apply.
RomCom was first identified through its ties to the Cuba ransomware operation but has since expanded from financially motivated crime into politically motivated targeting. The group focuses on individuals and organizations connected to the Ukrainian government, along with high-profile supporters of Ukraine and its geopolitical allies. Earlier RomCom campaigns hit Ukrainian and pro-Ukraine targets in Eastern Europe and elsewhere in the world.
To defend against RomCom and other advanced persistent threats (APTs), the researchers recommend security products with behavior-monitoring capabilities that can detect malicious files, scripts and messages and block malicious URLs. An additional layer that inspects inbound email for malicious attachments and links further reduces the chance of compromise. Individuals should treat unsolicited messages about Ukraine with suspicion and inspect attachments and URLs carefully before opening or clicking anything.