RomCom RAT Targeting NATO and Ukraine Support Groups
The RomCom RAT (Remote Access Trojan) has emerged as a significant cyber threat, suspected of conducting phishing attacks targeting NATO’s upcoming summit in Vilnius and an organization supporting Ukraine.
BlackBerry’s Threat Research and Intelligence team has identified the malicious activities associated with this threat actor, shedding light on their sophisticated attack techniques and geopolitical motivations.
Key takeaways on RomCom RAT targeting NATO and Ukraine:
- RomCom RAT targeting NATO and Ukraine support groups: The RomCom RAT has been implicated in phishing attacks aimed at the upcoming NATO Summit and an organization providing support to Ukraine abroad.
- Geopolitically motivated spear-phishing campaigns: The threat actor behind RomCom RAT employs spear-phishing emails, luring victims to cloned websites hosting trojanized versions of popular software. Their targets include military entities, food supply chains, and IT companies.
- Deployment of RomCom RAT: The malicious documents associated with RomCom RAT execute a sequence of actions, exploiting a security flaw to achieve remote code execution. The RAT is designed to gather information and gain remote control over compromised systems.
Identification of RomCom RAT activities
BlackBerry’s Threat Research and Intelligence team has uncovered suspicious activities related to the RomCom RAT, involving phishing attacks targeting the upcoming NATO Summit and an organization supporting Ukraine.
These findings highlight the growing threat posed by this cyber actor.
Geopolitical motives and spear-phishing campaigns
The RomCom RAT employs sophisticated spear-phishing techniques to carry out its attacks. By sending deceptive emails, the threat actor lures victims to cloned websites hosting trojanized versions of commonly used software.
The targets of these campaigns span military entities, food supply chains, and IT companies, indicating a geopolitical motivation.
Malicious documents and deployment process
Recent investigations by BlackBerry have identified specific lure documents associated with RomCom RAT.
These documents impersonate legitimate organizations, such as the Ukrainian World Congress, and contain a fabricated letter expressing support for Ukraine’s inclusion in NATO.
Opening these files initiates a complex execution sequence, exploiting a patched security flaw in Microsoft’s Support Diagnostic Tool (MSDT) to achieve remote code execution.
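As an added example that is not part of the BlackBerry report, the following Python flags the process-creation pattern a lure document abusing MSDT leaves behind: an Office application spawning msdt.exe. The event line format and the sample events are constructed for illustration.

```python
# Added example (not from the BlackBerry report): flag process-creation events in
# which an Office application is the parent of msdt.exe. A benign user launching
# the diagnostic tool normally has explorer.exe (or a console) as the parent, so
# an Office parent is the signal worth alerting on. The "parent=... image=..."
# line format and the events below are constructed for this example.
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EVENT_RE = re.compile(r"parent=(?P<parent>\S+)\s+image=(?P<image>\S+)")

SAMPLE_EVENTS = [
    # benign: Word spawning an Office helper process
    "parent=C:\\Office\\WINWORD.EXE image=C:\\Office\\OSPPSVC.EXE",
    # suspicious: Word spawning the diagnostic tool right after a document opened
    "parent=C:\\Office\\WINWORD.EXE image=C:\\Windows\\System32\\msdt.exe",
    # benign: a user launching msdt from the shell
    "parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\msdt.exe",
    # suspicious: Outlook (e.g. preview pane) spawning the diagnostic tool
    "parent=C:\\Office\\OUTLOOK.EXE image=C:\\Windows\\System32\\msdt.exe",
]


def basename(path):
    """Return the lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()


def office_spawned_msdt(line):
    """True if the event shows an Office process as the parent of msdt.exe."""
    m = EVENT_RE.search(line)
    if not m:
        return False  # unparsable line: never raise inside a detection loop
    return basename(m["parent"]) in OFFICE_PARENTS and basename(m["image"]) == "msdt.exe"


def find_suspicious(lines):
    """Indices of events matching the Office -> msdt.exe parent/child pattern."""
    return [i for i, line in enumerate(lines) if office_spawned_msdt(line)]


if __name__ == "__main__":
    for i in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", SAMPLE_EVENTS[i])
```

The same parent/child check applies to EDR or Sysmon process-creation telemetry once the parent and image fields are extracted; the regex here only models the constructed line format.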
RomCom RAT functionality and control
Upon successful exploitation, RomCom RAT is deployed as an executable written in C++. Its primary objective is to gather information about the compromised system and establish remote control over it.
This gives the threat actor unauthorized access and control, potentially leading to further malicious activities.
Targeted victims and rebranding suspicions
BlackBerry’s analysis suggests that the intended victims of this campaign are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine.
Based on available information, there is medium to high confidence that this operation is either a rebranded RomCom operation or involves members of the RomCom threat group aligning with a new campaign.
Conclusion
The RomCom RAT has emerged as a significant cyber threat, targeting NATO’s upcoming summit and an organization providing support to Ukraine.
The threat actor employs sophisticated spear-phishing techniques and leverages trojanized software to compromise their targets. The deployment of the RAT allows unauthorized access and control over compromised systems, posing a considerable risk to the targeted entities.
Heightened awareness and robust security measures are crucial in mitigating the risks posed by RomCom RAT and similar sophisticated cyber threats.