
RomCom Attackers Launch Phishing Attacks Against NATO Countries

Ever since the announcement of the upcoming NATO Summit in Lithuania's capital, Vilnius, on July 11-12, threat actors have put the attendees and participating organizations on their target list. One such campaign, attributed to the RomCom threat actors, has come to notice. The campaign uses typosquatting and spear-phishing emails to infect visitors with malware.

Modus operandi

According to BlackBerry researchers, RomCom attackers ran their first drill on June 22 and used a replica of the Ukrainian World Congress website hosted on a .info domain. 
  • The documents downloaded from the fake website included malicious components to initiate an outbound connection and launch additional malware from the attackers’ C2 server.
  • In some cases, the malicious documents included a lure based on the upcoming NATO summit to extend support to Ukraine.
  • The additional component exploited the Follina vulnerability (CVE-2022-30190) in Microsoft's Support Diagnostic Tool (MSDT) to achieve remote code execution via a specially crafted RTF file.
  • The final step of the attack resulted in the deployment of the RomCom backdoor on the infected machine.
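A defender-side check for the MSDT abuse described above, added here as an example and not taken from the page or from BlackBerry's report: it runs over constructed Sysmon-style process-creation records (the field names `parent_image`, `image` and `command_line` are assumptions) and flags an Office process spawning msdt.exe or an `ms-msdt:` URI appearing on a command line, while leaving a user-launched troubleshooter alone.

```python
import re

# Office applications that have no legitimate reason to launch the diagnostic tool.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# The URI scheme that hands a document-supplied string to MSDT.
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)

# Constructed sample events (not real telemetry): a benign print-spooler helper,
# a Follina-style launch, and a user starting a troubleshooter from Explorer.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": "C:\\Windows\\splwow64.exe 12288"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe",
     "command_line": "msdt.exe ms-msdt:/id PCWDiagnostic /param CONSTRUCTED_PLACEHOLDER"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msdt.exe",
     "command_line": "msdt.exe -id NetworkDiagnosticsWeb"},
]


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify_event(event: dict) -> list:
    """Names of the Follina-style indicators matched by one process-creation event."""
    hits = []
    parent = _basename(event.get("parent_image", ""))
    image = _basename(event.get("image", ""))
    if image == "msdt.exe" and parent in OFFICE_PARENTS:
        hits.append("office_spawned_msdt")
    if MSDT_SCHEME.search(event.get("command_line", "")):
        hits.append("ms-msdt_uri_in_cmdline")
    return hits


def scan_events(events) -> list:
    """(index, indicators) for every event that matched at least one indicator."""
    return [(i, classify_event(e)) for i, e in enumerate(events) if classify_event(e)]


if __name__ == "__main__":
    for idx, hits in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")  # prints: event 1: office_spawned_msdt, ms-msdt_uri_in_cmdline
```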

Additional details

  • BlackBerry believes that the current campaign is either a rebranded RomCom operation or one in which core members of the old group support the new activity.
  • Moreover, the intended victims include representatives of Ukraine, foreign organizations, and individuals supporting Ukraine.
NATO countries under constant attack

There has been a marked spike in cyberattacks against NATO countries ever since Russia's invasion of Ukraine.
  • A threat group that goes by the name of NoName took down several websites associated with transport and tourism in the Lithuanian capital to disrupt the NATO summit in Vilnius. 
  • The Russia-linked APT29 (aka Cozy Bear) used ISO files for malware distribution in an attempt to target diplomatic and foreign ministries of NATO and EU member states.
  • In a separate incident, CISA issued an advisory warning that Winter Vivern was exploiting a cross-site scripting flaw in Zimbra to launch attacks against governments in NATO countries.

Ending note

As more threat groups continue to emerge amid the war in Ukraine, organizations need to stay vigilant. They must deploy robust defenses while tracking the IOCs associated with the latest campaign. A suitable threat intel platform can save considerable time.
Cyware Publisher