A Russia-linked threat actor known as RomCom has been targeting entities supporting Ukraine, including guests at the 2023 NATO Summit. The summit is taking place in Vilnius, Lithuania, and will discuss the war in Ukraine and new memberships in NATO, including Sweden and Ukraine itself.
RomCom has created malicious documents that are likely to be distributed to supporters of Ukraine. The threat actor appears to have dry-tested the delivery of these documents on June 22, a few days before the command-and-control (C&C) domain used in the campaign went live, BlackBerry explained.
The malicious documents are likely distributed via spear-phishing. They contain an embedded RTF file and OLE objects that initialize an infection chain that garners system information and delivers the RomCom remote access trojan (RAT).
At one stage in the infection chain, a flaw in Microsoft's Support Diagnostic Tool (MSDT) – CVE-2022-30190, also known as Follina – is exploited for remote code execution (RCE).
BlackBerry has identified the C&C domains and victim IPs used in this campaign. All of these were accessed from a single server that has been observed connecting to known RomCom infrastructure.
"Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine,” BlackBerry says.
BlackBerry has alerted relevant government agencies of this campaign. RomCom is also known as Void Rabisu and Tropical Scorpius, and is associated with the Cuba ransomware. The group was previously believed to be financially motivated, but recent campaigns have shown a shift in tactics and motivation, suggesting that they are now working for the Russian government.
Since at least October 2022, the RomCom backdoor has been used in attacks targeting Ukraine. These attacks have targeted users of Ukraine's Delta situational awareness program and organizations in Ukraine's energy and water utility sectors.
Outside Ukraine, RomCom attacks have targeted a provincial local government helping Ukrainian refugees, a parliament member of a European country, attendees of the Munich Security Conference and the Masters of Digital conference, and a European defense company.
