A threat actor known as ‘RomCom’ has been targeting organizations supporting Ukraine and guests of the upcoming NATO Summit set to start tomorrow in Vilnius, Lithuania.
BlackBerry’s research and intelligence team recently discovered two malicious documents that impersonated the Ukrainian World Congress organization and topics related to the NATO Summit to lure selected targets.
The attackers used a copy of the Ukrainian World Congress website hosted on an “.info” domain instead of the real one, which uses an “.org” top-level domain.

The downloaded documents contain malicious code that exploits the RTF file format to initiate connections to external resources, eventually loading malware onto the victim’s system.
RomCom’s murky background
RomCom malware was first discovered by Unit 42 in August 2022, which linked it to a Cuba Ransomware affiliate, an assessment that the Computer Emergency Response Team of Ukraine (CERT-UA) appeared to agree with, based on an October 2022 report.
However, BlackBerry’s assessment from that time stated that the threat actors behind RomCom follow a rather globalized targeting approach, highlighting that Cuba ransomware has never leaned towards hacktivism.
In November 2022, the cybersecurity firm discovered a new RomCom campaign that abused software brands and used fake sites in English and Ukrainian to target unsuspecting victims with malicious installers.
More recently, in May 2023, a report from Trend Micro on RomCom’s latest campaign showed that the threat actors were now impersonating legitimate software like Gimp and ChatGPT or creating fake software developer sites to push their backdoor to victims through Google Ads and black SEO techniques.
Latest campaign details
The latest campaign that BlackBerry analyzed uses download links on a typo-squatted domain for the Ukrainian World Congress site, likely promoted via spear-phishing, to infect visitors with malware.
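The lookalike domain is the first thing a defender can hunt for in DNS, proxy or mail logs. The Python check below is an added example, not code from BlackBerry or from this article: it flags observed domains that reuse a watched organization’s name on a different TLD (the “.info” versus “.org” pattern described above), sit one edit away from it, or differ only by common homoglyphs. The watchlist entries and the DNS log lines are constructed placeholders; the campaign’s real domain is not reproduced here.

```python
"""Flag lookalike domains of a watched organization in DNS or proxy logs.

Added example, not from the BlackBerry report: the watchlist and the log lines
are constructed placeholders (the campaign's real domain is not reproduced).
"""
from __future__ import annotations

# Hypothetical watchlist of legitimate domains worth protecting.
WATCHLIST = ["example-congress.org", "nato.int"]

# A few common visual substitutions seen in typo-squats (applied to both sides).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, tld); subdomains are dropped.
    Deliberately naive: multi-part public suffixes such as .co.uk are not handled."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Collapse homoglyph pairs so 'examp1e' and 'example' compare equal."""
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label


def classify(observed: str, watchlist: list[str] = WATCHLIST) -> str | None:
    """Return why `observed` looks like a watched domain, or None if it does not
    (the genuine watched domains themselves return None)."""
    o_label, o_tld = split_domain(observed)
    for legit in watchlist:
        l_label, l_tld = split_domain(legit)
        if (o_label, o_tld) == (l_label, l_tld):
            return None
        if o_label == l_label:
            return f"same name as {legit} on a different TLD (.{o_tld})"
        if normalize(o_label) == normalize(l_label):
            return f"homoglyph variant of {legit}"
        if edit_distance(o_label, l_label) == 1:
            return f"one edit away from {legit}"
    return None


# Constructed DNS query log (timestamp, client, "query", name) for the demo.
SAMPLE_DNS_LOG = """\
2023-07-10T09:12:01Z host-a query www.example-congress.org
2023-07-10T09:13:44Z host-b query example-congress.info
2023-07-10T09:15:02Z host-c query examp1e-congress.org
2023-07-10T09:16:30Z host-d query nato.int
2023-07-10T09:17:12Z host-e query exmple-congress.org
"""


def scan_log(text: str, watchlist: list[str] = WATCHLIST) -> list[tuple[str, str, str]]:
    """Return (client, domain, reason) for every flagged query line."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        client, domain = parts[1], parts[3]
        reason = classify(domain, watchlist)
        if reason:
            hits.append((client, domain, reason))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_DNS_LOG):
        print("ALERT", *hit)
```

Only hosts b, c and e are flagged: the genuine domain (even behind a `www.` label) is left alone, so the check can run continuously over resolver logs without alerting on normal traffic. A production version would use a public-suffix list rather than the naive two-label split.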
The documents downloaded from the fake website initiate an outbound connection upon launch and download additional components from the attacker’s command and control (C2) server.

The additional component observed during the research is a script utilizing the Follina (CVE-2022-30190) vulnerability in Microsoft’s Support Diagnostic Tool (MSDT).
“If successfully exploited, it allows an attacker to conduct a remote code execution (RCE)-based attack via the crafting of a malicious .docx or .rtf document designed to exploit the vulnerability,” explains the report.
“This is achieved by leveraging the specially crafted document to execute a vulnerable version of MSDT, which in turn allows an attacker to pass a command to the utility for execution,” the report added.
“This includes doing so with the same level of privileges as the person who executed the malicious document […] and is effective even when macros are disabled and even when a document is opened in Protected mode.” – BlackBerry
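The two document behaviours the report describes, RTF files that reach out to external resources on open and .docx lures that route into the MSDT handler, both leave traces a defender can triage for before a file is opened. The Python scanner below is an added example, not code from BlackBerry or from this article: it flags RTF control words that auto-update embedded OLE objects or reference external URLs, .docx relationship entries whose OLE objects point at an external target, and any `ms-msdt:` protocol-handler string. The sample documents it scans are constructed inside the block with placeholder host names; only the CVE number and the file types come from the article.

```python
"""Triage Office documents for the external references described above.

Added example, not from the BlackBerry report: the RTF and .docx samples are
constructed in this block with placeholder hosts; only the CVE number and the
file types come from the article.
"""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
URL_RE = re.compile(rb"https?://[^\s\"'}\\]+", re.IGNORECASE)


def scan_rtf(data: bytes) -> list[str]:
    """Flag RTF features that make a document reach out when it is opened."""
    findings = []
    if b"\\objupdate" in data:
        findings.append("OLE object marked to auto-update on open (\\objupdate)")
    if b"\\objdata" in data:
        findings.append("embedded OLE object data (\\objdata)")
    for url in URL_RE.findall(data):
        findings.append(f"external URL reference: {url.decode('ascii', 'replace')}")
    if b"ms-msdt:" in data.lower():
        findings.append("ms-msdt: protocol handler string (CVE-2022-30190 pattern)")
    return findings


def scan_docx(data: bytes) -> list[str]:
    """Flag .docx relationship entries that load an OLE object from outside the
    package, and any part that carries the ms-msdt: handler string."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            content = z.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(content)
                for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL:
                        findings.append(f"{name}: external OLE object -> {rel.get('Target')}")
            if b"ms-msdt:" in content.lower():
                findings.append(f"{name}: ms-msdt: protocol handler string (CVE-2022-30190 pattern)")
    return findings


def scan_document(data: bytes) -> list[str]:
    """Dispatch on the file signature: OOXML packages are zip files, RTF is text."""
    if data.startswith(b"PK\x03\x04"):
        return scan_docx(data)
    if data.lstrip().startswith(b"{\\rtf"):
        return scan_rtf(data)
    return ["unrecognised format"]


# Constructed RTF: an auto-updating OLE object plus a field that fetches a
# remote picture. The host name is a placeholder.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata 0105000002000000}}"
    b"{\\field{\\*\\fldinst INCLUDEPICTURE \"http://staging.example.test/img.png\" \\\\d}"
    b"{\\fldrslt }}}"
)
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly figures attached.}"


def build_sample_docx(external_ole: bool) -> bytes:
    """Construct a minimal .docx. With external_ole=True its relationship part
    points an OLE object at a remote URL (placeholder host), the structure a
    Follina-style lure relies on. An ordinary external hyperlink is always
    included to show that plain links are not flagged."""
    hyperlink_rel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
    rels = [f'<Relationships xmlns="{RELS_NS}">',
            f'<Relationship Id="rId1" Type="{hyperlink_rel}" '
            f'Target="https://www.example.org/" TargetMode="External"/>']
    if external_ole:
        rels.append(f'<Relationship Id="rId2" Type="{OLE_REL}" '
                    f'Target="http://staging.example.test/lure.html" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("rtf", SAMPLE_RTF), ("docx", build_sample_docx(True))]:
        for finding in scan_document(blob):
            print(label, finding)
```

Ordinary hyperlinks are deliberately not reported, since nearly every business document contains some; the signal worth escalating is an OLE object or field that pulls content from outside the file, which is exactly what lets a lure document fetch its next stage on open. A real triage pipeline would pair this with the IoCs the report publishes.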
The final step of the attack is to load the RomCom backdoor on the machine, which arrives in the form of an x64 DLL file named ‘Calc.exe’.
RomCom connects to the C2 to register the victim and sends back details such as username, network adapter information, and RAM size of the compromised computer.
The backdoor eventually writes ‘security.dll’ to run automatically at reboot for persistence and awaits commands from the C2, which, based on previous reporting, include data exfiltration, downloading of additional payloads, deleting files or directories, spawning processes with a spoofed PID, as well as starting a reverse shell.
BlackBerry believes that the analyzed campaign is either a rebranded RomCom operation or one that includes core members from the old group who support new threat activity.
The researchers’ report includes indicators of compromise for the lure documents, second-stage malware, and the IP addresses and domain used for the campaign.