
RomCom threat group targets the upcoming NATO Summit


The BlackBerry Threat Research and Intelligence team recently discovered two malicious documents originating from an IP address in Hungary which were designed to target an organization supporting Ukraine abroad and individuals expected to attend the upcoming NATO Summit, potentially offering assistance to Ukraine.

After conducting an analysis of the tactics, techniques, and procedures (TTPs), code similarities, and the infrastructures used by the threat actors, the BlackBerry Threat Research and Intelligence team concluded that it is the work of the RomCom threat actor group.

Also known as Tropical Scorpius, UNC2596, and Void Rabisu, the RomCom group has recently been observed carrying out cyber attacks against Ukrainian politicians collaborating with Western nations and US-based healthcare organisations assisting refugees affected by the conflict in Ukraine.

These attacks are geopolitically motivated, primarily spearphishing emails that lead victims to cloned websites hosting trojanised versions of popular software. Targets have included military institutions, food supply chains, and IT companies.

BlackBerry’s analysis of the latest phishing attempt revealed that the fraudulent documents impersonated the Ukrainian World Congress, a legitimate non-profit organisation. One document, titled ‘Overview_of_UWCs_UkraineInNATO_campaign.docx’, and a second, ‘Letter_NATO_Summit_Vilnius_2023_ENG(1).docx’, falsely declared support for Ukraine’s inclusion in NATO.

One of the documents used for the spearphishing campaign by the RomCom group. | Source: BlackBerry

While the initial infection vector has yet to be determined, BlackBerry suggested that the threat actors likely employed spearphishing techniques by enticing victims to click on a meticulously crafted replica of the Ukrainian World Congress website.

Upon opening the file, a sophisticated execution sequence is triggered, retrieving intermediate payloads from a remote server. Exploiting the now-patched Follina vulnerability (CVE-2022-30190) in Microsoft’s Support Diagnostic Tool, the threat actors achieved remote code execution. Consequently, the RomCom RAT, a C++ executable designed to gather information about the compromised system and allow remote control, was deployed.
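As an added defender-side example (not tooling from BlackBerry or this article), the script below flags a .docx whose relationship parts point at an external template or an ms-msdt: handler, the two hops that characterise Follina-style delivery described above; the sample document it builds is constructed for the test and the template host is a placeholder.

```python
"""Flag .docx relationship parts that reference an external template or an
ms-msdt: URI. Added example; not the BlackBerry report's own tooling."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# A remote template fetch and the MSDT protocol handler are the two hops in
# Follina (CVE-2022-30190) delivery; a benign document rarely carries either.
RISKY_TARGET = re.compile(r"^(https?|ms-msdt):", re.IGNORECASE)


def external_targets(docx_bytes: bytes) -> list:
    """Return (rels_part, target) for every relationship marked
    TargetMode="External" whose target uses http(s) or ms-msdt."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts carry external references
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and RISKY_TARGET.match(target):
                    hits.append((name, target))
    return hits


def build_sample_docx(external_template: str = None) -> bytes:
    """Constructed minimal .docx (two parts) for testing; real files have more."""
    rels = ['<Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/>' % OFFICE_REL]
    if external_template:
        rels.append('<Relationship Id="rId2" Type="%sattachedTemplate" '
                    'Target="%s" TargetMode="External"/>' % (OFFICE_REL, external_template))
    rels_xml = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<Relationships xmlns="%s">%s</Relationships>'
                % (REL_NS[1:-1], "".join(rels)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host; a real lure would point at attacker-controlled infrastructure.
    print(external_targets(build_sample_docx("https://template.example.invalid/t.dotm")))
```

Run it over a mail-gateway quarantine or a sandbox drop folder; any non-empty result is worth a detonation, and an internal-only relationship set is the expected clean outcome.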

BlackBerry notes that the nature of the upcoming NATO Summit and the lure documents distributed by the threat actors indicate that their intended victims are representatives of Ukraine, foreign organisations, and individuals supporting Ukraine. They also suggest a medium to high confidence level that this campaign is either a rebranded operation by the RomCom group or that one or more members of the RomCom threat group are involved with this new campaign supporting a different threat group.

Authorities and organisations involved in the NATO Summit and those supporting Ukraine have been urged to exercise heightened vigilance, bolster their cybersecurity measures, and remain cautious of suspicious emails or documents to mitigate the risks associated with this targeted phishing campaign.



Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: [email protected]