RomCom RAT Targeting NATO and Ukraine Support Groups

Cyber Security Threat Summary:
“The threat actors behind the RomCom RAT have been suspected of phishing attacks targeting the upcoming NATO Summit in Vilnius as well as an identified organization supporting Ukraine abroad. The findings come from the BlackBerry Threat Research and Intelligence team, which found two malicious documents submitted from a Hungarian IP address on July 4, 2023. RomCom, also tracked under the names Tropical Scorpius, UNC2596, and Void Rabisu, was recently observed staging cyber attacks against politicians in Ukraine who are working closely with Western countries and a U.S.-based healthcare organization involved with aiding refugees fleeing the war-torn country. Attack chains mounted by the group are geopolitically motivated and have employed spear-phishing emails to point victims to cloned websites hosting trojanized versions of popular software. Targets include militaries, food supply chains, and IT companies” (The Hacker News, 2023).

Although the initial infection vector is unknown, BlackBerry uncovered lure documents impersonating the Ukrainian World Congress. Opening these documents triggers an execution sequence that retrieves intermediate payloads from a remote server; those payloads exploit Follina (CVE-2022-30190), a now-patched security flaw in Microsoft's Support Diagnostic Tool (MSDT), to achieve remote code execution.

Security Officer Comments:
The end goal of the latest campaign is to deploy RomCom, a remote access trojan written in the C++ programming language. RomCom is designed to give its operators remote access to the victim's system. It also includes features that let the operators capture screenshots and collect system information, which is then exfiltrated to a remote server. According to BlackBerry, based on the lure documents identified and the upcoming NATO summit, the actors are likely targeting representatives of Ukraine, foreign organizations, and individuals supporting Ukraine.

Suggested Correction(s):
Organizations should ensure that their systems are updated promptly whenever patches are released, since threat actors routinely exploit known, already-patched vulnerabilities such as Follina. It is also important to train employees and staff on how to recognize and avoid phishing emails, as this is a common initial infection vector.
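Patching and phishing training close the door, but a defender also wants a way to notice the Follina execution chain described above (an Office document causing MSDT to run) if it slips through. The following is an added example, not code from BlackBerry, The Hacker News, or the RomCom research: it runs two simple detection rules over a handful of constructed process-creation records in a hypothetical "parent image | image | command line" export format. The rules encode the publicly documented shape of CVE-2022-30190 abuse: msdt.exe spawned by an Office application, or msdt.exe launched through the ms-msdt: protocol handler with an IT_BrowseForFile / IT_RebrowseForFile parameter. The parameter values in the sample records are placeholders, and the log format is an assumption; adapt the parser to whatever your EDR or Sysmon pipeline emits.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Office binaries that have no routine reason to launch the diagnostic tool.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# The ms-msdt: protocol handler combined with an IT_BrowseForFile or
# IT_RebrowseForFile parameter is the publicly documented Follina
# (CVE-2022-30190) invocation shape.
FOLLINA_URI = re.compile(r"ms-msdt:.*it_(re)?browseforfile", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str

    @property
    def parent_name(self) -> str:
        return self.parent_image.rsplit("\\", 1)[-1].lower()

    @property
    def image_name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one 'parent|image|command line' record (hypothetical export format)."""
    parent, image, cmdline = line.split("|", 2)
    return ProcessEvent(parent.strip(), image.strip(), cmdline.strip())


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a reason string if the event matches a Follina-style pattern, else None."""
    if ev.image_name != "msdt.exe":
        return None
    if ev.parent_name in OFFICE_PARENTS:
        return f"msdt.exe spawned by Office process {ev.parent_name}"
    if FOLLINA_URI.search(ev.command_line):
        return "msdt.exe launched via ms-msdt: URI with a BrowseForFile parameter"
    return None


def find_suspicious(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (record index, reason) for every record that matches a rule."""
    hits: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        if not line.strip():
            continue
        reason = classify(parse_event(line))
        if reason:
            hits.append((idx, reason))
    return hits


# Constructed sample records: two benign, two matching the Follina shape.
# Parameter values are placeholders, not real payload content.
SAMPLE_LOG = r"""
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\msdt.exe|"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param IT_BrowseForFile=CONSTRUCTED_PLACEHOLDER
C:\Windows\explorer.exe|C:\Windows\System32\msdt.exe|"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsNetworkAdapter
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\splwow64.exe|C:\Windows\splwow64.exe 12288
C:\Windows\System32\svchost.exe|C:\Windows\System32\msdt.exe|"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param IT_RebrowseForFile=CONSTRUCTED_PLACEHOLDER
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    for idx, reason in find_suspicious(SAMPLE_LINES):
        print(f"record {idx}: {reason}")
```

The second record shows why the parent check alone is not enough and why the URI check must not fire on every msdt.exe launch: a user opening a network troubleshooter from Explorer legitimately runs msdt.exe, so only the combination of the protocol-handler URI and the file-browse parameter, or an Office parent, is treated as suspicious. On a patched host the same events are still worth alerting on, because they indicate a malicious document reached a user even if the exploit failed.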

Link(s):
https://thehackernews.com/2023/07/romcom-rat-targeting-nato-and-ukraine.html