The threat actors behind the RomCom RAT have been suspected of phishing attacks targeting the upcoming NATO Summit in Vilnius as well as an identified organization supporting Ukraine abroad.
The findings come from the BlackBerry Threat Research and Intelligence team, which found two malicious documents submitted from a Hungarian IP address on July 4, 2023.
RomCom, also tracked under the names Tropical Scorpius, UNC2596, and Void Rabisu, was recently observed staging cyber attacks against politicians in Ukraine who are working closely with Western countries and a U.S.-based healthcare organization involved with aiding refugees fleeing the war-torn country.
Attack chains mounted by the group are geopolitically motivated and have employed spear-phishing emails to point victims to cloned websites hosting trojanized versions of popular software. Targets include militaries, food supply chains, and IT companies.
The latest lure documents identified by BlackBerry impersonate Ukrainian World Congress, a legitimate non-profit, ("Overview_of_UWCs_UkraineInNATO_campaign.docx") and feature a bogus letter declaring support for Ukraine's inclusion to NATO ("Letter_NATO_Summit_Vilnius_2023_ENG(1).docx").
"Although we haven't yet uncovered the initial infection vector, the threat actor likely relied on spear-phishing techniques, engaging their victims to click on a specially crafted replica of the Ukrainian World Congress website," the Canadian company said in an analysis published last week.
Opening the file triggers a sophisticated execution sequence that entails retrieving intermediate payloads from a remote server, which, in turn, exploits Follina (CVE-2022-30190), a now-patched security flaw affecting Microsoft's Support Diagnostic Tool (MSDT), to achieve remote code execution.
The result is the deployment of RomCom RAT, an executable written in C++ that's designed to collect information about the compromised system and remote commandeer it.
"Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine," BlackBerry said.
"Based on the available information, we have medium to high confidence to conclude that this is a RomCom rebranded operation, or that one or more members of the RomCom threat group are behind this new campaign supporting a new threat group."