Report: RomCom Threat Group Targets NATO Summit Attendees with New Campaign
Overview
The RomCom threat group, known for targeting pro-Ukraine organizations, has launched a new campaign aimed at attendees of a NATO Summit in Lithuania. Researchers at BlackBerry Threat Research and Intelligence discovered two malicious documents that they attribute to RomCom. One document impersonates the Ukrainian World Congress organization, while the other is a fake lobbying document in support of Ukraine. The campaign specifically targets supporters of Ukraine who are attending the NATO Summit, where Ukraine's potential membership in NATO is being discussed. The attack delivers malicious code through weaponized .RTF documents that establish a connection to the threat group's command-and-control infrastructure.
Attack Vector and Follina Exploitation
The initial infection vector of the campaign has not been uncovered, but it is likely that RomCom lured victims through spear-phishing. The BlackBerry team uncovered a specially crafted replica of the Ukrainian World Congress website, which was used to engage victims. The malicious domain for the site relies on typosquatting: it mimics the legitimate organization's name but is registered under a .info suffix. Typosquatting takes advantage of people's typos and incorrect spellings of common brands, organizations, and business names in URLs, so a visitor who does not check the domain carefully is unlikely to notice the substitution.
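As an added illustration of the defensive check the report implies (it is not code from BlackBerry or the original article), the following script flags URLs whose registrable domain is a near-match or a suffix swap of a trusted name. The trusted domains in the watchlist are assumptions for the example, and the domain extraction is deliberately simplified (no public suffix list).

```python
import difflib
from urllib.parse import urlparse

# Constructed watchlist of organisations a summit attendee would expect mail from.
# These domains are assumptions for the example, not values from the report.
TRUSTED_DOMAINS = {
    "ukrainianworldcongress.org",
    "nato.int",
}


def registrable_parts(url: str):
    """Return (second-level label, suffix) for the host in `url`.
    Simplified: assumes a single-label suffix, e.g. ("example", "com")."""
    host = urlparse(url if "//" in url else "//" + url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host, ""
    return labels[-2], labels[-1]


def lookalike_score(candidate: str, trusted: str) -> float:
    """Similarity ratio in [0, 1]; 1.0 means identical labels."""
    return difflib.SequenceMatcher(None, candidate, trusted).ratio()


def check_url(url: str, threshold: float = 0.8) -> dict:
    """Classify a URL as 'trusted', 'suspicious' (lookalike) or 'unknown'.
    A label identical to a trusted one under a different suffix is reported as
    'tld_swap', the pattern used by the .info lookalike in the campaign."""
    label, suffix = registrable_parts(url)
    domain = f"{label}.{suffix}"
    if domain in TRUSTED_DOMAINS:
        return {"verdict": "trusted", "domain": domain, "matches": None}
    for trusted in sorted(TRUSTED_DOMAINS):
        t_label, _ = trusted.rsplit(".", 1)
        score = lookalike_score(label, t_label)
        if score >= threshold:
            reason = "tld_swap" if label == t_label else "near_match"
            return {"verdict": "suspicious", "domain": domain,
                    "matches": trusted, "reason": reason, "score": round(score, 2)}
    return {"verdict": "unknown", "domain": domain, "matches": None}


if __name__ == "__main__":
    # Constructed sample links, the kind that would appear in a lure email.
    for link in ("https://ukrainianworldcongress.info/agenda.docx",
                 "https://ukrainianwor1dcongress.org/agenda.docx",
                 "https://ukrainianworldcongress.org/"):
        print(link, "->", check_url(link))
```

Run in a mail gateway or as a pre-click check, the `suspicious` verdict is the signal to hold the message for review rather than rely on the reader spotting the suffix.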
Another component of the campaign involves exploiting a flaw in Microsoft's Support Diagnostic Tool (MSDT) known as Follina. This flaw was a zero-day when it was discovered in May 2022 and was patched the following month. If Follina exploitation succeeds, attackers achieve remote code execution (RCE) through a crafted malicious .DOCX or .RTF document. The technique works even when macros are disabled or the document is opened in Protected View on a Windows machine, which is why an unpatched MSDT, not macro settings, is the relevant exposure.
RomCom's Background and Targeting
Initially identified as a group tied to the Cuba ransomware, RomCom has since broadened its focus to geopolitically motivated targeting. The group primarily targets individuals and organizations connected to the Ukrainian government, as well as high-level supporters of Ukraine and its geopolitical affiliations. Previous campaigns by RomCom have targeted Ukrainian and pro-Ukraine entities in Eastern Europe and other parts of the world.
Recommendations
Researchers at BlackBerry recommend that potential targets defend themselves from RomCom and other advanced persistent threats (APTs) by employing security solutions equipped with behavior-monitoring capabilities. These solutions can detect malicious files, scripts, and messages and block related malicious URLs. Additionally, adding a security layer that inspects emails for malicious attachments and URLs can help individuals and organizations avoid compromise; given the Follina component, keeping Windows and Office patched removes the exploited flaw outright.
Given that RomCom utilizes social engineering and high-level impersonation of trusted entities, individuals should be cautious of unsolicited messages on topics related to Ukraine. It is advisable to carefully inspect related materials and URLs before clicking on any links or files.