The RomCom threat group is back once again with a new campaign targeting attendees of a NATO Summit in Lithuania, where Ukrainian President Volodymyr Zelensky is expected to participate regarding Ukraine’s potential future with the organization.
Researchers at BlackBerry Threat Research and Intelligence discovered two malicious documents submitted from an IP address in Hungary that they’ve attributed to RomCom, a threat actor known for targeting pro-Ukraine organizations.
One of the documents impersonates the Ukrainian World Congress organization, and the other is a “fake lobbying document [claiming to be] in support of Ukraine,” researchers revealed in a recent blog post.
The campaign appears to be aimed at supporters of Ukraine who are attending the NATO Summit in Vilnius today and tomorrow, where the nation’s possible membership in NATO is one of the topics on the agenda, the researchers said.
“Based on the nature of the … NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine,” the BlackBerry Research and Intelligence Team wrote in the report.
The attack spreads malicious code that exploits the .RTF file format tp create a connection to command-and-control (C2) infrastructure controlled by the threat group. That delivers a payload, the RomCom downloader, which executes a backdoor and connects to the threat group’s remote server to register the victim’s profile. The actor will then launch a next-stage payload if the group thinks the victim is worth the interest and effort, as well as collect info about the victim’s system, according to BlackBerry.
While the researchers discovered the malicious documents on July 4, they believe that RomCom already ran their first drills for the campaign on June 22.
RomCom’s Attack Vector & Follina
The BlackBerry team did not uncover the initial infection vector of the campaign; however, RomCom likely used spear-fishing to engage victims to click on a specially crafted replica of the Ukrainian World Congress website that the team uncovered, they said.
The malicious domain for the site uses typosquatting techniques — a tactic that RomCom has used before — to masquerade as the website, with a .info suffix and make it look legitimate. Typosquatting is a way that threat actors take advantage of people’s typos and incorrect spellings of common brands, organizations, and business names in URLs.
Another of the malicious components of the campaign is an execution chain for exploiting a flaw in Microsoft’s Support Diagnostic Tool (MSDT) known as Follina, officially tracked as CVE-2022-30190. Numerous threat actors already have targeted the flaw, which was a zero-day when it was discovered in May 2022 but was patched the following month.
If Follina exploitation is successful, attackers can conduct a remote code execution (RCE)-based attack by crafting a malicious .DOCX or .RTF document — a technique that works even when macros are disabled, or a document is opened in “Protected” mode on a Windows machine.
“This is achieved by leveraging the specially crafted document to execute a vulnerable version of MSDT, which in turn allows an attacker to pass a command to the utility for execution,” the team wrote. “This includes doing so with the same level of privileges as the person who executed the malicious document.”
RomCom: From Ransomware to APT
Researchers at Palo Alto Networks’ Unit42 team first identified RomCom as a group tied to the Cuba ransomware, but its activities soon moved on from there to have global political ambitions. The group’s primary focus has been to target individuals and organizations tied to the Ukrainian government, as well as high-level supporters of that country and its geopolitical affiliations.
RomCom was last clocked by researchers at Trend Micro in campaigns against various Ukrainian and pro-Ukraine targets in Eastern Europe and other parts of the world.
BlackBerry included various indicators of compromise (IoC) for the latest RomCom campaign in its report, to help potential victims know if their systems have been targeted.
Overall, the researchers recommended that targets defend themselves from RomCom and other advanced persistent threats (APTs) with security solutions that are armed with behavior-monitoring capabilities that enable them to detect malicious files, scripts, and messages. These types of solutions also can also block all related malicious URLs. Adding a security layer that inspects emails for malicious attachments and URLs also can help organizations and individuals avoid compromise, they noted.
Moreover, since RomCom uses social engineering and high-level impersonation of trusted entities as part of its tactics, people should be suspicious of unsolicited messages on topics regarding Ukraine and carefully inspect related materials and URLs before clicking on any links or files, security experts said.