BlackBerry’s Threat Research and Intelligence team recently uncovered a spear-phishing campaign aimed at organizations supporting Ukraine and attendees of the upcoming NATO Summit. The campaign involves the distribution of the RomCom RAT, with lure documents impersonating the Ukrainian World Congress to deceive victims. The attackers utilized typosquatting techniques to create a fake website resembling the legitimate organization’s site and hosted weaponized versions of popular software.
The experts at BlackBerry attributed the attacks to the RomCom threat actor based on their analysis of tactics, techniques, and procedures (TTPs), code similarities, and attack infrastructure.
By opening the lure documents, victims triggered a multi-stage attack chain that exploited a Microsoft vulnerability (CVE-2022-30190) and ultimately installed the RomCom RAT. This RAT allows the threat actors to collect information and execute remote commands on the compromised systems.
The campaign coincides with the upcoming NATO Summit, where discussions will take place regarding the potential future membership of Ukraine in the alliance. The researchers highlight the geopolitical context, domain registration patterns, HTML scraping of legitimate websites, code similarities, and network infrastructure information as factors contributing to their conclusion that this is either a RomCom rebranded operation or involves members of the RomCom threat group supporting a new threat group.
Organizations supporting Ukraine and participating in the NATO Summit should remain cautious and ensure they have robust security measures in place to defend against such targeted spear-phishing campaigns.