These findings come from the BlackBerry Threat Research and Intelligence team, who found two malicious documents submitted from Hungarian IP addresses on July 4, 2023.
The romcom, which has also been tracked under the names Tropical Scorpius, UNC2596, and Voyd Rabisu, was recently seen in Ukraine conducting cyberattacks against politicians who were involved in a program helping Westerners and refugees fleeing the war-torn country, Working closely with the US-based healthcare organization.
The attack chains set up by the group are geopolitically motivated and have used spear-phishing emails to point victims to cloned websites hosting trojanized versions of popular software. Targets include armies, food supply chains and IT companies.
The latest fake document identified by BlackBerry impersonates the Ukrainian World Congress, a legitimate non-profit organization, (“Overview_of_UWCs_UkraineInNATO_campaign.docx”) and presents a fake letter declaring support for Ukraine’s inclusion in NATO ( “Letter_NATO_Summit_Vilnius_2023_ENG(1).docx”).
The Canadian company said in an analysis published, “While we have not yet uncovered the initial infection vector, the threat actors likely rely on spear-phishing techniques, luring their victims to specially prepared URLs of the Ukrainian World Congress website.” prompts you to click on the replication done.” Last week.
Opening the file triggers a sophisticated execution sequence that involves retrieving an intermediate payload from a remote server which, in turn, exploits Folina (CVE-2022-30190), a now-patched, there is a security flaw that affects Microsoft’s Support Diagnostic Tool (MSDT), remote code execution.
The result is the deployment of the RomCom RAT, an executable written in C++ designed to collect information about compromised systems and command it remotely.
“Based on the nature of the upcoming NATO summit and the related lure documents sent by the threat actor, the targeted victims are representatives of Ukraine, foreign organizations and individuals supporting Ukraine,” BlackBerry said.
“Based on the information available, we have medium to high confidence to conclude that this is a Romcom rebranded operation, or that one or more members of the Romcom threat group are behind this new campaign supporting a new threat group.”
