RomCom RAT targets Ukraine and NATO organisations

July 25, 2023
RomCom RAT Phishing Malware Ukraine NATO Europe

A newly discovered campaign has executed phishing attacks that target the upcoming NATO summit and Ukrainian organisations to deploy the RomCom RAT. The discovery emerged after researchers found a couple of malicious documents submitted from an IP address in Hungary earlier this month.

Researchers noted that the RomCom group also operates under names such as Void Rabisu, UNC2596, and Tropical Scorpius. The group has recently deployed cyberattacks against Ukrainian politicians who work closely with Western countries, and against healthcare organisations that aid refugees leaving the country.

This threat group’s attack chain is consistently geopolitically motivated and relies on spear-phishing emails that direct victims to cloned websites hosting trojanised versions of well-known software products. Its targets have also included IT companies, food supply chains, and military entities.


The RomCom RAT operators mimic a government entity to initiate their attacks.


According to an investigation, the RomCom RAT operators impersonated the Ukrainian World Congress and featured a fake letter that declared support for Ukraine’s NATO membership.

Researchers explained that the threat actors likely used spear-phishing to lure victims into clicking on a specially crafted replica of the Ukrainian World Congress website. However, the group’s initial attack vector has yet to be confirmed.

Once a target opens the file, an execution sequence retrieves intermediate payloads from a remote server, which lets the attackers exploit the Follina vulnerability to achieve remote code execution.

Once the actors successfully exploit the vulnerability, they can deploy the RomCom RAT. The remote access trojan is a C++ executable that can harvest information about the infected system and remotely control it.
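As an added illustration (not code from the original report or from the researchers it cites), a defender-side check for the Follina-style delivery described above: the lure document carries an external relationship that makes Word fetch a remote part when it is opened, so the script parses a .docx package's relationship files and flags remote or protocol-handler targets. The sample documents, relationship contents and the `attacker.invalid` domain are constructed here for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Relationship parts Word resolves on open; Follina-style lures abuse an external
# relationship in these files to pull a remote part that triggers the MSDT handler.
REL_PARTS = ("word/_rels/document.xml.rels", "word/_rels/settings.xml.rels")
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Remote or protocol-handler targets worth flagging; a bare UNC path counts too.
REMOTE = re.compile(r"^(?:ms-msdt|mhtml|https?|file):|^\\\\", re.IGNORECASE)

def external_targets(docx_bytes: bytes) -> list:
    """Return (part, relationship type, target) for every external relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in REL_PARTS:
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((part, rel_type, rel.get("Target", "")))
    return found

def is_suspicious(docx_bytes: bytes) -> bool:
    """Flag remote OLE/template relationships and ms-msdt: hyperlinks; ordinary
    web and mailto hyperlinks are normal in documents and are left alone."""
    for _, rel_type, target in external_targets(docx_bytes):
        if rel_type == "hyperlink" and not target.lower().startswith("ms-msdt:"):
            continue
        if REMOTE.search(target):
            return True
    return False

def build_docx(rel_type: str, target: str) -> bytes:
    """Construct a minimal .docx in memory (sample input only, not a real lure)."""
    rels = (f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId9" '
            f'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/{rel_type}" '
            f'Target="{target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

BENIGN = build_docx("hyperlink", "https://example.org/")          # constructed benign link
LURE = build_docx("oleObject", "http://attacker.invalid/index.html")  # constructed lure shape

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("lure", LURE)):
        print(name, is_suspicious(doc), external_targets(doc))
```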

Furthermore, the researchers noted that the attackers likely target Ukrainian representatives, foreign organisations, and other supporters, since the upcoming NATO Summit is expected to focus on geopolitical topics favouring Ukraine.

Lastly, experts assess that these attacks came from the RomCom rebrand or from a RomCom member who wants to derail Ukraine’s plans to join NATO. Organisations should apply the Follina fix, as the threat actors are likely to have targeted unpatched systems.
