RomCom hackers target NATO Summit attendees in phishing attacks

A threat actor referred to as ‘RomCom’ has been targeting organizations supporting Ukraine and guests of the upcoming NATO Summit set to start tomorrow in Vilnius, Lithuania.

BlackBerry’s research and intelligence team recently discovered two malicious documents that impersonated the Ukranian World Congress organization and topics related to the NATO Summit to lure selected targets.

The attackers used a replica of the Ukrainian World Congress website hosted on an “.info” domain instead of the real one that uses an “.org” top-level domain.

Comparison between fake and real sites
Comparison between fake and real sites (BlackBerry)

The downloaded documents come with malicious code that exploits the RTF file format to initiate connections to external resources, eventually loading malware onto the victim’s system.

RomCom murky background

RomCom malware was first discovered by Unit 42 in August 2022, who linked it to a Cuba Ransomware affiliate, an assessment that the Computer Emergency Response Team of Ukraine (CERT-UA) appeared to agree with based on an October 2022 report.

However, BlackBerry’s analysis from that time said that the threat actors behind RomCom follow a rather globalized targeting approach, highlighting that Cuba ransomware has never inclined towards hacktivism.

In November 2022, the cybersecurity firm discovered a new RomCom campaign that abused software brands and used fake sites in English and Ukrainian to target unsuspecting victims with malicious installers.

More recently, in May 2023, a report from Trend Micro on RomCom’s latest campaign showed that the threat actors were now impersonating legitimate software like Gimp and ChatGPT or creating fake software developer sites to push their backdoor to victims through Google Ads and black SEO techniques.

Latest campaign details

The latest campaign that BlackBerry analyzed  uses download links on a typo-squatted domain for the Ukrainian World Congress site, likely promoted via spear-phishing, to infect visitors with malware.

The documents downloaded from the fake website initiate an outbound connection upon launch and download additional components from the attacker’s command and control (C2) server.

C2 connections made after opening the document
C2 connections made after opening the document (BlackBerry)

The additional component observed during the research is a script utilizing the Follina (CVE-2022-30190) vulnerability from Microsoft’s Support Diagnostic Tool (MSDT).

“If successfully exploited, it allows an attacker to conduct a remote code execution (RCE)-based attack via the crafting of a malicious .docx or .rtf document designed to exploit the vulnerability,” explains the report.

“This is achieved by leveraging the specially crafted document to execute a vulnerable version of MSDT, which in turn allows an attacker to pass a command to the utility for execution,” the report added.

“This includes doing so with the same level of privileges as the person who executed the malicious document […] and is effective even when macros are disabled and even when a document is opened in Protected mode.” – BlackBerry

The final step of the attack is to load the RomCom backdoor on the machine, which arrives in the form of an x64 DLL file named ‘Calc.exe.’

RomCom connects to the C2 to register the victim and sends back details such as username, network adapter info, and RAM size of the compromised computer.

The backdoor eventually writes ‘security.dll’ to run automatically at reboot for persistence and awaits commands from the C2, which, based on previous reporting, includes data exfiltration, downloading of additional payloads, deleting files or directories, spawning processes with spoofed PID, as well as starting a reverse shell.

BlackBerry believes that the anlayzed campaign is either a rebranded RomCom operation or one that includes core members from the old group that support new threat activity.

The researchers’ report includes indicators of compromise for the lure documents, second-stage malware, and IP addresses and domain used for the campaign.

Source: www.bleepingcomputer.com