RomCom at NATO

As part of a recently identified cyber operation, cybersecurity investigators report that a Russia-linked threat actor known as RomCom has been targeting entities supporting Ukraine, including guests at the 2023 NATO Summit taking place July 11-12 in Vilnius, Lithuania.  The NATO Summit agenda includes talks on the war in Ukraine and on new memberships in the organization, including Sweden and Ukraine.

RomCom attackers spoof trusted software solutions to gain network access. RomCom may be related to the Cuba ransomware and Industry Spy attacks, since all three use a similar network configuration link.  However, this overlap could also be a deliberate distraction on the part of the RomCom criminals.  Once installed, the RAT can collect information, capture screenshots, and export them to an offsite server.[1]

Taking advantage of the event, RomCom has created malicious documents likely to be distributed to supporters of Ukraine. It appears to have dry-tested its delivery on 22 June 2023, a few days before the Command-and-Control (C&C) domain used in the campaign went live.  The threat actor likely relied on spear-phishing to distribute one of the malicious documents, which uses an embedded RTF file and OLE objects to initialize an infection chain that harvests system information and delivers the RomCom remote access trojan (RAT).

At one stage in the infection chain, a vulnerability in Microsoft's Support Diagnostic Tool (MSDT), CVE-2022-30190, also known as Follina, is exploited for remote code execution (RCE).
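As an added defensive illustration (not code from the Red Sky Alliance or BlackBerry reporting), the following Python heuristic scans an RTF file for embedded OLE object data and checks both the raw file and the hex-decoded object payloads for strings associated with MSDT invocation, the component abused by Follina; the marker list and the sample RTF are constructed for the example.

```python
import re
from typing import Dict, List

RTF_MAGIC = b"{\\rtf"
# Strings associated with launching MSDT (CVE-2022-30190 / Follina);
# "PCWDiagnostic" is the troubleshooter ID seen in public Follina samples.
MSDT_MARKERS = (b"ms-msdt:", b"msdt.exe", b"PCWDiagnostic")

def decode_objdata(rtf: bytes) -> List[bytes]:
    """Return the binary payload of every \\objdata group (hex-encoded in RTF)."""
    payloads = []
    for match in re.finditer(rb"\\objdata\s*([0-9A-Fa-f\s]+)", rtf):
        hexstr = re.sub(rb"\s+", b"", match.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        try:
            payloads.append(bytes.fromhex(hexstr.decode("ascii")))
        except ValueError:
            continue
    return payloads

def scan_rtf(data: bytes) -> Dict[str, object]:
    """Flag RTF files that carry OLE objects together with MSDT markers."""
    findings = {"is_rtf": data.startswith(RTF_MAGIC), "ole_objects": 0,
                "msdt_markers": [], "suspicious": False}
    if not findings["is_rtf"]:
        return findings
    findings["ole_objects"] = len(re.findall(rb"\\objdata", data))
    # Check the raw file and every decoded object stream: the hex encoding
    # hides the markers from a plain string search on the file itself.
    for blob in [data] + decode_objdata(data):
        lowered = blob.lower()
        for marker in MSDT_MARKERS:
            name = marker.decode()
            if marker.lower() in lowered and name not in findings["msdt_markers"]:
                findings["msdt_markers"].append(name)
    findings["suspicious"] = findings["ole_objects"] > 0 and bool(findings["msdt_markers"])
    return findings

def build_constructed_sample() -> bytes:
    """Constructed RTF with one embedded object whose hex payload mentions MSDT."""
    payload = b"CONSTRUCTED OLE1 stream -- ms-msdt: PCWDiagnostic"
    hexdata = payload.hex().encode("ascii")
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}"
            b"{\\*\\objdata " + hexdata + b"}}\\par}")
```

A hit means the file deserves sandbox detonation or analyst review, not that it is confirmed malicious; benign documents with embedded packages will score on the OLE count alone.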

According to researchers, the C&C domains and victim IPs identified during this campaign were all accessed from a single server, which has been observed connecting to known RomCom infrastructure.  Based on the observed tactics, techniques, and procedures (TTPs), network infrastructure, code similarities, and other collected artifacts, BlackBerry is confident that the RomCom threat actor, or members of RomCom, are behind the cyber operation.

Given the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine.

Also tracked as Void Rabisu and Tropical Scorpius and associated with the Cuba ransomware, RomCom was believed to be financially motivated. However, recent campaigns have shown a shift in tactics and motivation, suggesting that the group is likely working for the Russian government.

Since at least October 2022, the threat actor’s RomCom backdoor has been used in attacks targeting Ukraine, including users of Ukraine’s Delta situational awareness program and organizations in Ukraine’s energy and water utility sectors.

Outside Ukraine, RomCom attacks have targeted a provincial local government helping Ukrainian refugees, a member of parliament in a European country, attendees of the Munich Security Conference and the Masters of Digital conference, and a European defense company.

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632

[1] https://www.securityweek.com/russia-linked-romcom-hackers-targeting-nato-summit-guests/