The threat actor behind the RomCom RAT is suspected of launching phishing attacks targeting the forthcoming NATO Summit in Vilnius and a group assisting Ukraine. This was reported by the BlackBerry Threat Research and Intelligence team, which detected two malicious documents submitted from a Hungarian IP address on July 4, 2023.
RomCom, also tracked as Tropical Scorpius, UNC2596, and Void Rabisu, has recently been observed conducting cyber attacks against Ukrainian politicians closely aligned with Western countries and against a U.S.-based healthcare organization that helps refugees fleeing the conflict-ridden country. These attack chains are believed to be geopolitically motivated and rely on spear-phishing emails that lead victims to cloned websites hosting trojanized versions of commonly used software. Targets have ranged from military organizations to food supply chains and IT firms.
The latest deceptive documents detected by BlackBerry pose as the Ukrainian World Congress, a legitimate non-profit organization. They include a fake letter expressing support for Ukraine's inclusion in NATO. "Although we haven't yet uncovered the initial infection vector, the threat actor likely relied on spear-phishing techniques, engaging their victims to click on a specially crafted replica of the Ukrainian World Congress website," the Canadian company stated in an analysis published recently.
Opening the malicious file initiates a complex execution process that retrieves intermediate payloads from a remote server. This process exploits Follina (CVE-2022-30190), a security vulnerability in Microsoft's Support Diagnostic Tool (MSDT) that has since been patched, to enable remote code execution. The end result is the deployment of the RomCom RAT, a C++ executable designed to gather information about the compromised system and remotely control it.
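As an added defender-side example (not BlackBerry's tooling and not code from the page), the following Python scans an Office Open XML document's relationship files for the two patterns the Follina chain depended on: an external OLE object fetched over HTTP(S), and any target that would hand a URI to the ms-msdt: protocol handler. The zip layout, relationship IDs and hostnames are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
LINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

def scan_docx(data: bytes) -> list:
    """Flag relationship entries matching the Follina (CVE-2022-30190) delivery
    pattern: an external OLE object loaded over HTTP(S), or any target that
    uses the ms-msdt: scheme handled by the Support Diagnostic Tool."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only package/part relationship files carry targets
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                target = rel.get("Target", "")
                scheme = urlparse(target).scheme.lower()
                external = rel.get("TargetMode") == "External"
                if scheme == "ms-msdt":
                    findings.append(f"{name}: {rel.get('Id')} invokes ms-msdt: handler")
                elif external and rel.get("Type") == OLE_TYPE and scheme in ("http", "https"):
                    findings.append(f"{name}: {rel.get('Id')} loads remote OLE object {target}")
    return findings

def build_sample(rels_xml: str) -> bytes:
    """Construct a minimal docx-like zip around one rels file (constructed
    test data for this example, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

HEAD = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
STYLES = '<Relationship Id="rId1" Target="styles.xml" Type="' + OLE_TYPE.replace("oleObject", "styles") + '"/>'
# Constructed: benign document with only an internal styles relationship.
CLEAN_RELS = HEAD + STYLES + "</Relationships>"
# Constructed: external OLE object pointing at a placeholder staging host.
REMOTE_OLE_RELS = HEAD + STYLES + (f'<Relationship Id="rId2" Type="{OLE_TYPE}" TargetMode="External" '
                                   'Target="http://staging.example.invalid/stage.html"/></Relationships>')
# Constructed: a target that routes to the ms-msdt: protocol handler (placeholder body, no parameters).
MSDT_RELS = HEAD + (f'<Relationship Id="rId3" Type="{LINK_TYPE}" TargetMode="External" '
                    'Target="ms-msdt:placeholder"/></Relationships>')

if __name__ == "__main__":
    for label, rels in (("clean", CLEAN_RELS), ("remote-ole", REMOTE_OLE_RELS), ("msdt", MSDT_RELS)):
        print(label, scan_docx(build_sample(rels)))
```

Microsoft's interim workaround before the fix was to disable the MSDT URL protocol handler; on patched hosts the scan still identifies the delivery pattern in mail or sandbox triage.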
"Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine," BlackBerry stated. "Based on the available information, we have medium to high confidence to conclude that this is a RomCom rebranded operation, or that one or more members of the RomCom threat group are behind this new campaign supporting a new threat group."