Suspected threat actors linked to the RomCom Remote Access Trojan (RAT) are believed to be carrying out phishing attacks targeting the upcoming NATO Summit in Vilnius and an organization supporting Ukraine abroad, according to the BlackBerry Threat Research and Intelligence team. The team identified two malicious documents originating from a Hungarian IP address on July 4, 2023.
The RomCom RAT, also known as Tropical Scorpius, UNC2596, and Void Rabisu, has recently been observed conducting cyber attacks against Ukrainian politicians collaborating with Western countries, as well as a US-based healthcare organization involved in assisting refugees from Ukraine.
The attack campaigns orchestrated by this group have geopolitical motivations and utilize spear-phishing emails to direct victims to cloned websites hosting trojanized versions of popular software. The targets include military entities, food supply chains, and IT companies.
The latest lure documents discovered by BlackBerry impersonate the Ukrainian World Congress, a legitimate non-profit organization.
While the initial infection vector is yet to be determined, it is believed that the threat actors employed spear-phishing techniques, leading victims to click on a carefully crafted replica of the Ukrainian World Congress website.
Once the file is opened, an intricate execution sequence is triggered. Intermediate payloads are retrieved from a remote server, and these in turn exploit a now-patched vulnerability known as Follina (CVE-2022-30190) in Microsoft's Support Diagnostic Tool (MSDT) to achieve remote code execution.
As a result, the RomCom RAT is deployed. This executable, written in C++, is designed to gather information about the compromised system and enable remote takeover.
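The execution chain described above ends in msdt.exe being launched from a document. As an added example (not from the BlackBerry report or the RomCom samples), the following heuristic flags the publicly documented Follina pattern, msdt.exe started by an Office process or with an ms-msdt: URI on its command line, over constructed process-creation events whose field names are assumptions:

```python
import re

# Office applications commonly seen as the parent of a Follina msdt.exe launch.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# The ms-msdt: protocol handler is the channel Follina abuses to reach MSDT.
MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)

def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify_event(event: dict):
    """Return a reason string if the event matches the Follina pattern, else None."""
    if _basename(event.get("image", "")) != "msdt.exe":
        return None
    reasons = []
    if _basename(event.get("parent_image", "")) in OFFICE_PARENTS:
        reasons.append("msdt.exe spawned by Office process")
    if MSDT_URI.search(event.get("command_line", "")):
        reasons.append("ms-msdt: URI in command line")
    return "; ".join(reasons) or None

def flag_events(events: list) -> list:
    """Return (event id, reason) pairs for every event that matches the heuristic."""
    hits = []
    for ev in events:
        reason = classify_event(ev)
        if reason:
            hits.append((ev["id"], reason))
    return hits

# Constructed sample events: a benign msdt.exe launch from Explorer, a Word-spawned
# launch carrying an ms-msdt: URI, and a Word child process that is not MSDT.
SAMPLE_EVENTS = [
    {"id": "e1", "image": r"C:\Windows\System32\msdt.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "msdt.exe -id NetworkDiagnosticsWeb"},
    {"id": "e2", "image": r"C:\Windows\System32\msdt.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "msdt.exe ms-msdt:/id PCWDiagnostic /skip force"},
    {"id": "e3", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for event_id, reason in flag_events(SAMPLE_EVENTS):
        print(f"{event_id}: {reason}")
```

Only e2 is flagged; a real deployment would feed Sysmon or EDR process-creation telemetry into flag_events rather than the constructed list.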
BlackBerry stated, "Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine." The company also noted that the operation appears to be a rebranded RomCom campaign, or that members of the RomCom threat group are involved in supporting this new threat campaign. Max Gannon, Senior Cyber Threat Intelligence Analyst at Cofense, shared his perspective on the findings and the wider threat of cloned malicious websites and typosquatting:
"Although the analysts were unable to uncover the actual spear-phishing emails encouraging victims to visit the malicious website, they are likely correct that spear-phishing was used to deliver links to the malicious website. It is unlikely that the threat actors were planning to use Google search results to promote the malicious website as Google detected suspicious activity and warns that the site may harm your computer.
The use of cloned malicious websites and typosquatting is nothing new; we have previously reported on a targeted campaign using cloned pages of the United States Department of Labor for phishing.
What sets this campaign apart is the timely nature of the attacks and the apparent targeting, which is something seen in threat actors with a political agenda rather than threat actors simply looking to compromise anyone that they can.
There are many solutions to prevent spear-phishing attacks and prevent access to unauthorized websites; however, in the end it all comes down to people being able to recognize something as being malicious. In this case, the .info TLD is a giveaway, but the method of obtaining the URL is likely suspicious as well. We can't comment further on that side of things without having access to the spear-phishing emails themselves."