RomCom RAT Targeting NATO and Ukraine Support Groups

2023-07-10 06:42

The threat actors behind the RomCom RAT have been suspected of phishing attacks targeting the upcoming NATO Summit in Vilnius as well as an identified organization supporting Ukraine abroad. The findings come from the BlackBerry Threat Research and Intelligence team, which found two malicious documents submitted from a Hungarian IP address on July 4, 2023.

RomCom, also tracked under the names Tropical Scorpius, UNC2596, and Void Rabisu, was recently observed staging cyber attacks against politicians in Ukraine who are working closely with Western countries and a U.S.-based healthcare organization involved with aiding refugees fleeing the war-torn country.

The latest lure documents identified by BlackBerry impersonate Ukrainian World Congress, a legitimate non-profit, and feature a bogus letter declaring support for Ukraine's inclusion to NATO.docx").

Opening the file triggers a sophisticated execution sequence that entails retrieving intermediate payloads from a remote server, which, in turn, exploits Follina, a now-patched security flaw affecting Microsoft's Support Diagnostic Tool, to achieve remote code execution.

"Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine," BlackBerry said.

"Based on the available information, we have medium to high confidence to conclude that this is a RomCom rebranded operation, or that one or more members of the RomCom threat group are behind this new campaign supporting a new threat group.

News URL

https://thehackernews.com/2023/07/romcom-rat-targeting-nato-and-ukraine.html

#nato #RAT #ukraine