RomCom Threat Actor Suspected of Targeting Ukraine’s NATO Membership Talks at the NATO Summit

Keypoints

  • The RomCom threat actor is suspected of running an operation targeting NATO Summit attendees and supporters of Ukraine.
  • Two malicious documents were submitted from a Hungarian IP address and used as lures against an organization supporting Ukraine abroad.
  • The attack uses spear-phishing with a fake Ukrainian World Congress website hosted on a typosquatted .info domain that impersonates the legitimate .org site.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The infection chain begins with malicious documents delivered as lures (“Attack Vector: Unconfirmed (highly likely email)”); the documents carry an RTF-based exploit.
  • [T1203] Exploitation for Client Execution – CVE-2022-30190 (Follina) is used to achieve remote code execution via a crafted document; “This execution chain utilizes CVE-2022-30190, which is a zero-day vulnerability … remote code execution (RCE)-based attack via the crafting of a malicious .docx or .rtf document designed to exploit the vulnerability.” Note that Microsoft patched CVE-2022-30190 in June 2022, so the campaign relies on targets that have not applied that fix.
  • [T1036] Masquerading – Typosquatting is used to pass off the fake Ukrainian World Congress site at ukrainianworldcongress[.]info as the legitimate domain ukrainianworldcongress[.]org.
  • [T1071.001] Web Protocols – The main payload communicates with remote infrastructure over HTTP/HTTPS; it “connects to the remote server to register the new victim.”
  • [T1543.003] Create or Modify System Process: Windows Service – “When the payload is successfully downloaded, the RomCom downloader starts the Windows service.”
  • [T1060] Registry Run Keys/Startup Folder (legacy ID; now T1547.001) – The RomCom downloader writes security.dll to an autorun location so that it persists across reboots.
  • [T1027] Obfuscated/Compressed Files and Information – The downloader uses string encryption with a dedicated decryption key per string; “All RomCom RAT samples we analyzed contained string encryption.”
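The T1566.001/T1203 steps above describe a Word document that pulls an RTF from a remote server and hands control to msdt.exe through an ms-msdt: URI. The following triage script is an added example written for this page, not BlackBerry's tooling, and checks a .docx for exactly those two tells: an oleObject relationship marked External, and any part containing an ms-msdt: URI. The sample documents are constructed in memory (the external URL example.invalid is a placeholder, and the ms-msdt: bytes are a marker only, not an exploit), so it runs offline.

```python
"""Triage a .docx for the Follina-style delivery chain (added example)."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
           "relationships/oleObject")
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def external_ole_targets(docx_bytes: bytes) -> list:
    """Return Target URLs of every OLE relationship marked TargetMode=External.

    A legitimate embedded object is stored inside the package; an External
    target means Word will fetch the object (e.g. afchunk.rtf) at open time.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL
                        and rel.get("TargetMode") == "External"):
                    hits.append(rel.get("Target"))
    return hits


def msdt_uri_parts(docx_bytes: bytes) -> list:
    """Return names of package parts that contain an ms-msdt: URI."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return [n for n in z.namelist() if MSDT_RE.search(z.read(n))]


def triage(docx_bytes: bytes) -> dict:
    """Combine both checks into one verdict for the document."""
    ext = external_ole_targets(docx_bytes)
    msdt = msdt_uri_parts(docx_bytes)
    return {"external_ole": ext, "msdt_parts": msdt,
            "suspicious": bool(ext or msdt)}


def build_sample(external_target=None, msdt=False) -> bytes:
    """Constructed minimal .docx for the demo (hypothetical, not a real sample).

    external_target: if set, the OLE relationship points at that URL.
    msdt: if True, the embedded object part carries an ms-msdt: marker.
    """
    if external_target is None:
        rel = (f'<Relationship Id="rId1" Type="{OLE_REL}" '
               'Target="embeddings/oleObject1.bin"/>')
    else:
        rel = (f'<Relationship Id="rId1" Type="{OLE_REL}" '
               f'Target="{external_target}" TargetMode="External"/>')
    rels = ('<?xml version="1.0" encoding="UTF-8"?>\n'
            f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>')
    ole_part = b"ms-msdt:" if msdt else b"\x00" * 16  # marker only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/embeddings/oleObject1.bin", ole_part)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample("http://example.invalid/afchunk.rtf")
    print(triage(lure))
    print(triage(build_sample()))
```

Run it against real documents by replacing the constructed sample with `open(path, "rb").read()`; an External oleObject target alone is enough to quarantine a document for manual review, since benign documents almost never load OLE content from a remote host.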

Indicators of Compromise

  • [Domain] – ukrainianworldcongress.info – typosquatted lure domain; it impersonates ukrainianworldcongress.org, which is the legitimate Ukrainian World Congress domain and should not be blocked
  • [IP] – 104.234.239.26, 74.50.94.156, 65.21.27.250, 138.124.183.8, 45.9.148.118, 45.9.148.219, 209.159.147.170, 66.23.226.102, 209.127.116.190 – observed network activity and C2 infrastructure
  • [SHA256] – a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f; 3a3138c5add59d2172ad33bc6761f2f82ba344f3d03a2269c623f22c1a35df97 – the two lure Word documents
  • [MD5] – f4959e947cee62a3fa34d9c191dd9351 – alternate hash for a payload
  • [File Name] – Overview_of_UWCs_UkraineInNATO_campaign.docx, Letter_NATO_Summit_Vilnius_2023_ENG(1).docx – lure documents; File001.url – second-stage file in the execution chain
  • [File Name] – afchunk.rtf – RTF loaded by the lure document, carrying the exploit chain
  • [URL] – http://finformservice.com:80/api/v1.5/ subscriptiontoken=…; http://65.21.27.250:8080/mds/… – C2 endpoints
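To put the indicator list to work, the script below sweeps DNS and proxy log lines for the domains and IP addresses listed above. It is an added example written for this page, not BlackBerry's code. It keeps the impersonated legitimate domain out of the block list, normalises the port off proxied URLs, and flags lookalike hosts within two edits of ukrainianworldcongress.org so that a future typosquat variant is caught as well. The log lines and the fixed-width log format are constructed for the demo.

```python
"""Sweep constructed DNS/proxy logs for the RomCom indicators (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the list above; the list itself uses bare domains,
# so refang() is only there for analysts pasting defanged values.
def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").replace("hxxp", "http")

MALICIOUS_DOMAINS = {refang(d) for d in (
    "ukrainianworldcongress[.]info", "finformservice[.]com")}
MALICIOUS_IPS = {ipaddress.ip_address(a) for a in (
    "104.234.239.26", "74.50.94.156", "65.21.27.250", "138.124.183.8",
    "45.9.148.118", "45.9.148.219", "209.159.147.170", "66.23.226.102",
    "209.127.116.190")}
IMPERSONATED = "ukrainianworldcongress.org"  # legitimate, never blocked

# Hypothetical log format: "<timestamp> <src-ip> dns|http <name-or-url>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|http)\s+(?P<dst>\S+)$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalikes of the impersonated label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host: str, legit: str = IMPERSONATED, max_dist: int = 2) -> bool:
    """True if host's registrable label is within max_dist edits of legit's."""
    if host == legit or host.endswith("." + legit):
        return False
    parts = host.split(".")
    label = parts[-2] if len(parts) >= 2 else host
    return levenshtein(label, legit.split(".")[-2]) <= max_dist


def classify(host: str):
    """Return 'domain', 'ip', 'lookalike' or None for one destination host."""
    try:
        if ipaddress.ip_address(host) in MALICIOUS_IPS:
            return "ip"
        return None  # a non-listed IP cannot be a lookalike
    except ValueError:
        pass
    if host in MALICIOUS_DOMAINS or any(host.endswith("." + d) for d in MALICIOUS_DOMAINS):
        return "domain"
    return "lookalike" if lookalike(host) else None


def sweep(lines) -> list:
    """Return one hit dict per matching log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = m["dst"] if m["kind"] == "dns" else urlsplit(m["dst"]).hostname
        if not host:
            continue
        reason = classify(host.lower())
        if reason:
            hits.append({"line": n, "src": m["src"], "host": host, "reason": reason})
    return hits


# Constructed sample log; the last suspicious entry is a made-up variant.
SAMPLE_LOG = [
    "2023-07-10T09:01:02Z 10.0.0.5 dns ukrainianworldcongress.org",
    "2023-07-10T09:01:09Z 10.0.0.5 dns ukrainianworldcongress.info",
    "2023-07-10T09:02:11Z 10.0.0.5 http http://finformservice.com:80/api/v1.5/",
    "2023-07-10T09:02:40Z 10.0.0.7 http http://65.21.27.250:8080/mds/",
    "2023-07-10T09:03:05Z 10.0.0.9 dns ukrainenworldcongress.org",
    "2023-07-10T09:03:30Z 10.0.0.9 dns example.org",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOG):
        print(hit)
```

The lookalike check is deliberately scoped to the registrable label and a small edit distance; widen it only with a review step, because short legitimate labels sit within two edits of many unrelated names.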

Read more: https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit