The upcoming NATO summit is scheduled to be held in Vilnius, Lithuania from July 11th to 12th 2023.
The BlackBerry Threat Research and Intelligence team has discovered a new campaign in which the threat actor targets Ukraine and NATO supporters with the RomCom RAT (remote access trojan).
According to their analysis of the threat actor’s TTPs (tactics, techniques, and procedures), network infrastructure, and code similarity, the threat actor RomCom is behind the campaign. Therefore, the malware is named RomCom RAT.
For your information, the RomCom RAT is also tracked as Tropical Scorpius, Void Rabisu, and UNC2596. It is written in C and was recently spotted in cyberattacks launched against Ukrainian politicians working closely with Western nations and a healthcare organization in the USA that aids refugees who have fled Ukraine.
This campaign was launched just before the upcoming NATO summit, which is scheduled to be held in Vilnius, Lithuania on July 11-12 2023. Researchers noted that threat actors targeted the summit and an international organization supporting Ukraine with phishing attacks.
According to blog post published by BlackBerry, its cybersecurity team detected two malicious documents submitted on July 4, 2023, via a Hungary-based IP address titled:
- Letter_NATO_Summit_Vilnius_2023_ENG(1).docx
- Overview_of_UWCs_UkraineInNATO_campaign.docx
These documents are sent to the organization and pro-Ukraine guests invited to the NATO summit as a lure. This indicates that the threat actor is using fake documents pretending to attempt to lobby for Ukraine’s NATO accession and the probability of Ukraine becoming a member of the organization in the future.
BlackBerry researchers suspect that threat actors are trying to benefit from this event by creating and distributing a malicious document impersonating the Ukrainian World Congress website to target supporters of Ukraine.
These documents lure the recipient into clicking on a link, which redirects them to another fake website domain. The attackers use typosquatting to mimic ukrainianworldcongress(.) org, but with one change: instead of .org, they use .info at the end. This change is made to make the spear-phishing campaign successful.
If the victim clicks on the link, their device becomes infected by RomCom RAT, and the attackers can obtain sensitive system data such as IP address, username, and even location.
The malicious document essentially triggers a well-designed execution sequence. This sequence starts with contacting a remote server to retrieve intermediate payloads. After that, the attackers exploit the now-patched security flaw Follina (tracked as CVE-2022-30190), which impacts the Microsoft Support Diagnostic Tool. This exploitation allows them to acquire remote code execution.
“If successfully exploited, it allows an attacker to conduct a remote code execution-based attack via the crafting of a malicious .docx or .rtf document designed to exploit the vulnerability. That technique is effective even when macros are disabled, and a document is opened in Protected mode.”
The BlackBerry Research & Intelligence Team
Further probing of the internal telemetry, cyber weapons, and network data analysis led to the assumption that the campaign became active on 22 June. The attacker’s C2 server was registered and went live just a few days before.
Researchers haven’t yet determined the initial infection vector. However, they are sure that this is a geopolitically motivated campaign, and its prime targets include militaries, IT firms, and food supply chains.