Blackberry’s research team claims to have uncovered a threat actor targeting Ukraine supporters with malware ahead of the NATO summit in Vilnius on July 11-12th.
Dubbed RomCom by the Blackberry Research and Intelligence Team, the suspected threat group is believed to be using fake documents that purport to lobby for Ukraine’s accession to NATO — expected to be a key topic of discussion at the long-awaited assembly of Western powers in the Lithuanian capital.
“One of the topics on the agenda is Ukraine and its possible future membership in the organization,” said the Blackberry team. “Taking advantage of this event and the request of Ukraine to join NATO, threat actors have created and distributed a malicious document impersonating the Ukrainian World Congress organization to presumably distribute to supporters of Ukraine.”
The bogus documents are intended to persuade targets to click on a link to another fake, this time a website domain that mimics ukrainianworldcongress.org by replacing the “.org” suffix with “.info”.
This is a common tactic used in spear-phishing campaigns — social engineering ploys aimed at specific targets — and is known as “typosquatting,” making minor amendments to trusted and legitimate URLs to lull a victim into a false sense of security.
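The suffix swap described above is one of several cheap imitations a defender can screen for before a link is ever clicked. The following Python triage routine is an added example, not code from Blackberry or Cybernews: it compares observed hostnames against a short trusted list and flags a swapped top-level domain, a small spelling edit, or a trusted name buried inside someone else’s domain. The trusted list and the sample hostnames are constructed for the demonstration.

```python
# Lookalike-domain triage for spear-phishing links.
# Flags hostnames that imitate a trusted domain by swapping the TLD,
# by a small spelling edit, or by embedding the trusted name as a label
# inside an unrelated domain. Trusted list and samples are constructed.

TRUSTED = ["ukrainianworldcongress.org", "nato.int"]  # constructed allow-list


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str):
    """Return (normalised host, registrable label, tld); a leading 'www.' is dropped.
    Simple two-part split; multi-part public suffixes such as co.uk are not modelled."""
    host = host.lower().strip(".")
    if host.startswith("www."):
        host = host[4:]
    parts = host.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return host, label, parts[-1]


def classify_domain(candidate: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'no-match', or a 'lookalike:<reason>' verdict."""
    host, label, tld = split_host(candidate)
    for t in trusted:
        t_host, t_label, t_tld = split_host(t)
        # Exact match or a genuine subdomain of the trusted host.
        if host == t_host or host.endswith("." + t_host):
            return "trusted"
        # Same registrable label, different TLD (.org -> .info).
        if label == t_label and tld != t_tld:
            return f"lookalike:tld-swap of {t_host}"
        # Short labels tolerate only one edit, longer ones two.
        max_edits = 1 if len(t_label) <= 6 else 2
        if 0 < levenshtein(label, t_label) <= max_edits:
            return f"lookalike:typo of {t_host}"
        # Trusted name reused as a label inside another registrable domain.
        if t_label in host.split("."):
            return f"lookalike:embedded {t_host}"
    return "no-match"


def triage(hosts, trusted=TRUSTED) -> dict:
    """Classify a batch of observed hostnames, e.g. from a mail gateway's URL log."""
    return {h: classify_domain(h, trusted) for h in hosts}


if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in a URL log.
    for host, verdict in triage([
        "www.ukrainianworldcongress.org",
        "ukrainianworldcongress.info",
        "ukrainianworldcongres.org",
        "ukrainianworldcongress.org.example.test",
        "example.com",
    ]).items():
        print(f"{host:45} {verdict}")
```

The typo rule is deliberately tolerant for long labels and strict for short ones; tune `max_edits` to the false-positive rate your own allow-list produces, and feed the verdicts into blocking or analyst review rather than treating them as proof of malice.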
Those who click on the link have their device subjected to a cyberattack that deploys malware, a malicious program that lets the attackers collect details of the infected computer, such as its username and internet protocol (IP) address, effectively identifying the machine and pinpointing its location.
The attack chain exploits the Microsoft zero-day vulnerability CVE-2022-30190, also known as Follina, which was discovered in May last year.
“If successfully exploited, it allows an attacker to conduct a remote code execution-based attack via the crafting of a malicious .docx or .rtf document designed to exploit the vulnerability,” added Blackberry. “That technique is effective even when macros are disabled and a document is opened in Protected mode.”
Blackberry says this attack vector has been one of the most heavily exploited vulnerabilities of its kind in the past year.
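Because the Follina chain works without macros, macro-based screening of attachments misses it; what a defender can check statically is the document package itself. The Python scanner below is an added example, not code from Blackberry or from the campaign described: it opens a .docx (a zip archive), inspects each relationships part for an OLE object that points to an external web URL, and separately flags the ms-msdt: URI scheme if it appears in any part. The sample archives are constructed in memory, and the URL in the suspicious sample is a placeholder.

```python
# Static triage of .docx attachments for the Follina (CVE-2022-30190) delivery
# shape: an OLE object relationship that resolves to an external URL, and the
# ms-msdt: URI scheme appearing in any document part. Samples are constructed.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE_SUFFIX = "/oleObject"
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)
HTTP_URL = re.compile(r"https?://", re.IGNORECASE)


def scan_docx(data: bytes) -> list[str]:
    """Return findings for the given .docx bytes; an empty list means nothing was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            content = zf.read(name)
            if name.endswith(".rels"):
                try:
                    root = ET.fromstring(content)
                except ET.ParseError:
                    # A relationships part that will not parse is itself worth a look.
                    findings.append(f"{name}: unparseable relationships part")
                    continue
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    target = rel.get("Target", "")
                    external = rel.get("TargetMode", "").lower() == "external"
                    is_ole = rel.get("Type", "").endswith(OLE_TYPE_SUFFIX)
                    if is_ole and external and HTTP_URL.match(target):
                        findings.append(f"{name}: external OLE object -> {target}")
            if MSDT_SCHEME.search(content):
                findings.append(f"{name}: contains ms-msdt: URI scheme")
    return findings


def build_sample_docx(rels_xml: str, document_xml: str = "<document/>") -> bytes:
    """Constructed minimal docx-like archive carrying the given relationships part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationships parts: an ordinary styles reference, and an OLE
# object whose target is an external placeholder URL (not a real address).
BENIGN_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    "</Relationships>"
)
SUSPICIOUS_RELS = (
    f'<Relationships xmlns="{REL_NS}">'
    '<Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
    'Target="http://placeholder.example/stage.html" TargetMode="External"/>'
    "</Relationships>"
)


def demo() -> tuple[list[str], list[str]]:
    """Scan one benign and one suspicious constructed sample."""
    return (scan_docx(build_sample_docx(BENIGN_RELS)),
            scan_docx(build_sample_docx(SUSPICIOUS_RELS)))


if __name__ == "__main__":
    benign, suspicious = demo()
    print("benign:", benign or "no findings")
    print("suspicious:", suspicious)
```

Legitimate documents do embed external OLE targets occasionally, so treat a hit as a reason to detonate or quarantine the file rather than as a conviction; the scheme check covers the .docx side only, and .rtf carriers need a separate text-based inspection.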
The cybersecurity team has had RomCom in its sights for some time now, having issued another briefing last month about its suspected activities aimed at Ukraine and its supporters. It adds that coding similarities between the NATO-themed campaign and previous ones lead it to conclude that the same threat group is responsible.
In this instance, Blackberry believes that not only Ukrainian politicians have been targeted, but also foreign entities and individuals who support the country in its war of resistance against Russia, which invaded its smaller neighbor in February 2022.
Blackberry says it arrived at its latest conclusions by tracking the registration of domain names used in the spear-phishing campaign to launch the malware, cross-referenced with HTML scraping of legitimate websites impersonated in the attacks.
“Based on the available information, we have medium to high confidence to conclude that this is a RomCom rebranded operation, or that one or more members of the RomCom threat group are behind this new campaign supporting a new threat group,” said Blackberry.
Full technical details of the cyber campaign can be accessed on the Blackberry blog.