RomCom RAT targeting NATO and Ukraine support groups

The threat actors behind the RomCom RAT have been suspected of phishing attacks targeting the upcoming NATO Summit in Vilnius as well as an identified organization supporting Ukraine abroad.

by Vikash Kumawat

These findings come from the BlackBerry Threat Research and Intelligence team, who found two malicious documents submitted from Hungarian IP addresses on July 4, 2023.

RomCom, which has also been tracked under the names Tropical Scorpius, UNC2596 and Void Rabisu, was recently seen conducting cyberattacks in Ukraine against politicians who were involved in a program helping Westerners and refugees fleeing the war-torn country, and who were working closely with a US-based healthcare organization.

The attack chains set up by the group are geopolitically motivated and have used spear-phishing emails to point victims to cloned websites hosting trojanized versions of popular software. Targets include armies, food supply chains and IT companies.

The latest fake documents identified by BlackBerry impersonate the Ukrainian World Congress, a legitimate non-profit organization (“Overview_of_UWCs_UkraineInNATO_campaign.docx”), and present a fake letter declaring support for Ukraine’s inclusion in NATO (“Letter_NATO_Summit_Vilnius_2023_ENG(1).docx”).

The Canadian company said in an analysis published last week, “While we have not yet uncovered the initial infection vector, the threat actors likely rely on spear-phishing techniques, luring their victims to specially prepared URLs of a replica of the Ukrainian World Congress website, prompting them to click.”

Opening the file triggers a sophisticated execution sequence that retrieves an intermediate payload from a remote server which, in turn, exploits Follina (CVE-2022-30190), a now-patched security flaw in Microsoft’s Support Diagnostic Tool (MSDT) that allows remote code execution.
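One defensive check for the document stage described above, added here as an example and not part of BlackBerry's analysis: a .docx is a zip archive of XML parts, and the remote payload retrieval in chains like this one comes from a relationship marked TargetMode="External" in one of the package's .rels files, so a scanner can flag the document before the MSDT stage is ever reached. The sample document, the placeholder URL and the ms-msdt: string check are constructed for this example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def scan_docx(data: bytes) -> List[str]:
    """Report external relationships and ms-msdt: handler URIs in a .docx package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    # External targets (remote template, linked OLE object) are
                    # fetched when the document opens; that is the Follina carrier.
                    if rel.get("TargetMode") == "External":
                        rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                        findings.append(f"{name}: external {rtype} -> {rel.get('Target')}")
            if name.endswith((".xml", ".rels", ".html")):
                # The ms-msdt: protocol handler URI normally lives in the fetched
                # payload, but flag it if it was embedded in the package directly.
                text = z.read(name).decode("utf-8", "replace")
                if re.search(r"ms-msdt:", text, re.IGNORECASE):
                    findings.append(f"{name}: contains ms-msdt: URI")
    return findings


def build_sample_docx(external_target: Optional[str]) -> bytes:
    """Constructed minimal .docx; external_target=None yields a benign document."""
    rels = [f'<Relationship Id="rId1" Type="{OX}/styles" Target="styles.xml"/>']
    if external_target:
        rels.append(f'<Relationship Id="rId2" Type="{OX}/oleObject" '
                    f'Target="{external_target}" TargetMode="External"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels",
                   f'<Relationships xmlns="{REL_NS}">{"".join(rels)}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL; a real sample would carry the actor's staging server here.
    for f in scan_docx(build_sample_docx("http://EXAMPLE-PLACEHOLDER.invalid/stage.html!")):
        print(f)
```

Run it against a real document with `scan_docx(open(path, "rb").read())`; an empty list means no external relationships were declared, not that the file is safe.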

The result is the deployment of the RomCom RAT, an executable written in C++ designed to collect information about compromised systems and control them remotely.

“Based on the nature of the upcoming NATO summit and the related lure documents sent by the threat actor, the targeted victims are representatives of Ukraine, foreign organizations and individuals supporting Ukraine,” BlackBerry said.

“Based on the information available, we have medium to high confidence to conclude that this is a RomCom rebranded operation, or that one or more members of the RomCom threat group are behind this new campaign supporting a new threat group.”
