The RomCom threat actor has reportedly launched a targeted cyber campaign aimed at organizations and individuals supporting Ukraine just days before a highly anticipated NATO Summit.
The BlackBerry Threat Research and Intelligence team uncovered this sophisticated operation and described it in an advisory published earlier today.
Specifically, the team said it discovered two deceptive documents on July 4 used as lures by the RomCom group.
“Based on our internal telemetry, network data analysis and the full set of cyber weapons we collected, we believe the threat actor behind this campaign ran their first drills on June 22, and also a few days before the command-and-control (C2) mentioned in this report was registered and went live,” reads the advisory.
BlackBerry said the malicious files were designed to deceive and compromise organizations supporting Ukraine abroad, as well as individuals expected to attend the upcoming NATO Summit.
According to the technology firm, the tactics employed by RomCom underscore the group’s ability to exploit geopolitical contexts and leverage major international events for their malicious activities.
While the exact method of initial infection remains undisclosed, the BlackBerry team suspects spear-phishing as the primary vector used by the RomCom group.
By impersonating the Ukrainian World Congress organization and creating a fabricated lobbying document supporting Ukraine, the threat actors aimed to deceive their targets and gain unauthorized access to sensitive information.
The weaponization of the attack involved the use of embedded RTF files and OLE objects within the malicious documents. Upon opening these files, the victims’ machines established connections with suspicious IP addresses associated with VPN/proxy services. Communication between the victims and the threat actors primarily occurred over HTTP and SMB services.
The RomCom group has a notorious reputation for their advanced cyber campaigns, and BlackBerry noted that the tactics observed in this recent operation had similarities with their previous attacks.
The company added that the timing of the attack, just ahead of the NATO Summit, emphasizes the group’s intent to exploit the discussions surrounding Ukraine’s potential NATO membership.
“One of the topics on the agenda is Ukraine and its potential future membership in the organization. President of Ukraine Zelenskyy confirmed his participation,” reported BlackBerry.
The BlackBerry advisory comes weeks after cybersecurity experts from Symantec warned against new attacks by the Shuckworm espionage group on Ukrainian targets.
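The embedded-OLE-in-RTF technique described above is something a defender can triage before a document ever reaches a user. The following Python script is an added example, not code from BlackBerry or the RomCom samples: it walks every `\objdata` blob in an RTF file, parses the OLE1 embedded-object header (MS-OLEDS layout: OLEVersion, FormatID, three length-prefixed names, NativeDataSize, NativeData), and flags "Package" objects (which drop an arbitrary file on activation) and blobs whose declared size does not match the data present. The sample RTF is constructed inline and carries no real payload.

```python
import re
import struct

OLE_CF_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")          # OLE compound-file signature
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")  # hex run following \objdata

def _lp_string(s):
    """LengthPrefixedAnsiString as used in the OLE1 header (4-byte length, NUL-terminated)."""
    b = s.encode("latin-1") + b"\x00" if s else b""
    return struct.pack("<I", len(b)) + b

def build_objdata(class_name, native):
    """Build a constructed OLE1 embedded-object blob (FormatID 2) for the sample RTF."""
    header = struct.pack("<II", 0x501, 2) + _lp_string(class_name) + _lp_string("") + _lp_string("")
    return header + struct.pack("<I", len(native)) + native

def parse_objdata(blob):
    """Parse the OLE1 header; return format, class name, declared size and native bytes."""
    version, fmt = struct.unpack_from("<II", blob, 0)
    off, names = 8, []
    for _ in range(3):                          # ClassName, TopicName, ItemName
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        names.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1"))
        off += n
    (size,) = struct.unpack_from("<I", blob, off)
    native = blob[off + 4:off + 4 + size]
    return {"format": fmt, "class": names[0], "declared_size": size, "native": native}

def scan_rtf(rtf):
    """Report every embedded OLE object in an RTF byte string with simple triage flags."""
    findings = []
    for m in OBJDATA_RE.finditer(rtf):
        blob = bytes.fromhex(re.sub(rb"\s", b"", m.group(1)).decode("ascii"))
        info = parse_objdata(blob)
        info["is_compound_file"] = info["native"].startswith(OLE_CF_MAGIC)
        # "Package" objects wrap an arbitrary dropped file; a size mismatch means the
        # blob is truncated or deliberately malformed. Both deserve analyst attention.
        info["flag"] = info["class"] == "Package" or len(info["native"]) != info["declared_size"]
        del info["native"]
        findings.append(info)
    return findings

# Constructed sample RTF: one Package object wrapping a fake PE stub, one Word object.
SAMPLE_RTF = (b"{\\rtf1\\ansi\n{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
              + build_objdata("Package", b"MZ" + b"\x00" * 14).hex().encode() + b"}}\n"
              + b"{\\object\\objemb{\\*\\objclass Word.Document.8}{\\*\\objdata "
              + build_objdata("Word.Document.8", OLE_CF_MAGIC + b"\x00" * 8).hex().encode() + b"}}\n}")

if __name__ == "__main__":
    for finding in scan_rtf(SAMPLE_RTF):
        print(finding)
```

Run it against a quarantined attachment with `scan_rtf(open(path, "rb").read())`; a flagged finding is a reason to detonate the file in a sandbox and check for the HTTP/SMB callbacks the advisory describes, not proof of compromise on its own.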