Security researchers have spotted an uptick in malicious cyber activity centred on Ukraine’s talks with NATO regarding the country joining the Western alliance.
The BlackBerry threat research and intelligence team noted that the operator of the RomCom remote access Trojan has established new domains and other infrastructure to support a new campaign targeting the NATO Summit in Lithuania.
“Taking advantage of this event and the request of Ukraine to join NATO,” BlackBerry’s researchers said in a blog post, “threat actors have created and distributed a malicious document impersonating the Ukrainian World Congress organisation to presumably distribute to supporters of Ukraine”.
Typosquatting was at the heart of the campaign, with the threat actors creating a fraudulent website claiming to be the Ukrainian World Congress but with a .info domain rather than .org. The researchers surmise that a spear-phishing campaign was likely used to get victims to access the site and download the infected documents.
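The lookalike-domain trick described above (same organisation name, different top-level domain) is straightforward to flag on the defensive side. The following is an added example, not code from BlackBerry or from the report: it checks hostnames seen in proxy or mail logs against a small allowlist of legitimate organisation domains and reports both exact TLD swaps and near-miss spellings. The allowlist entries (including the assumed `ukrainianworldcongress.org`) and the log lines are constructed for illustration and are not indicators from the campaign.

```python
"""Flag lookalike domains against an allowlist of legitimate organisation domains.

Added example. LEGIT_DOMAINS and LOG_LINES are constructed for illustration;
the legitimate domain for the Ukrainian World Congress is assumed here, not
taken from the report.
"""
from urllib.parse import urlparse

# Constructed allowlist (assumption): the domains an organisation actually owns.
LEGIT_DOMAINS = {"ukrainianworldcongress.org", "nato.int"}


def registrable_parts(host):
    """Return (second-level label, tld) for a hostname, e.g. www.nato.int -> ('nato', 'int')."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return (parts[0], "")
    return (parts[-2], parts[-1])


LEGIT_PARTS = {registrable_parts(d) for d in LEGIT_DOMAINS}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return 'tld-swap', 'near-match', or None (legitimate or unrelated)."""
    label, tld = registrable_parts(host)
    if (label, tld) in LEGIT_PARTS:
        return None  # exact match on an owned domain
    for legit_label, _legit_tld in LEGIT_PARTS:
        if label == legit_label:
            return "tld-swap"  # same name, different TLD (.info instead of .org)
        # Short labels produce too many false positives, so require some length.
        if len(label) >= 6 and edit_distance(label, legit_label) <= 2:
            return "near-match"
    return None


def scan_log(lines):
    """Return [(host, verdict)] for every log line whose URL looks like a lookalike."""
    flagged = []
    for line in lines:
        url = line.split()[-1]  # constructed format: timestamp client method url
        host = urlparse(url).hostname
        if not host:
            continue
        verdict = classify(host)
        if verdict:
            flagged.append((host, verdict))
    return flagged


# Constructed proxy log lines (not real traffic).
LOG_LINES = [
    "2023-07-01T09:12:03Z 10.0.0.5 GET https://www.ukrainianworldcongress.org/news",
    "2023-07-01T09:15:44Z 10.0.0.7 GET http://ukrainianworldcongress.info/talking-points",
    "2023-07-01T09:16:10Z 10.0.0.7 GET http://ukrainianworldcongres.org/letter",
    "2023-07-01T09:20:00Z 10.0.0.9 GET https://example.com/",
]

if __name__ == "__main__":
    for host, verdict in scan_log(LOG_LINES):
        print(f"{verdict:10} {host}")
```

The allowlist approach is deliberately narrow: it only knows the brands you tell it about, so it produces few false positives and is cheap enough to run over every outbound HTTP or mail-link event. Registering the obvious TLD variants yourself is the complementary preventive step.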
One document – called “Talking points for UWC’s #UkraineInNATO campaign” – hides an RTF-based exploit that opens an outbound connection on any machine where the document is opened. A second document is a letter urging targeted officials to consider Ukraine’s membership in NATO.
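A document that reaches out to the network as soon as it is opened usually does so through features the file format exposes, so a static triage pass over suspicious RTF attachments is a useful first filter before anything is detonated. The script below is an added example, not BlackBerry's detection logic and not a signature for the specific document in the report: it scans raw RTF for the standard object-embedding control words (`\object`, `\objdata`, `\objupdate`, `\objautlink`, all defined in the RTF specification) and for embedded URLs, then assigns a coarse risk rating. The sample RTF is constructed and contains no real payload.

```python
"""Heuristic static triage of RTF files for auto-updating objects and embedded URLs.

Added example. The control words checked are standard RTF; the rating is a
triage heuristic, not a verdict. SAMPLE_RTF is a constructed, harmless stub.
"""
import re

# Object-related control words. \objupdate and \objautlink ask the reader to
# refresh a linked object when the document opens, which is how a document can
# trigger an outbound request without user interaction.
OBJECT_CONTROLS = re.compile(rb"\\(objautlink|objupdate|objdata|object)(?![a-zA-Z])")
URL_PATTERN = re.compile(rb'(?:https?|ftp|file)://[^\s"}\\]+')


def triage_rtf(data):
    """Return {'controls': [...], 'urls': [...], 'risk': 'high'|'medium'|'low'}."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return {"controls": [], "urls": [], "risk": "low", "note": "not an RTF header"}

    controls = sorted({m.decode("ascii") for m in OBJECT_CONTROLS.findall(data)})
    urls = [u.decode("ascii", "replace") for u in URL_PATTERN.findall(data)]

    if "objupdate" in controls or "objautlink" in controls:
        risk = "high"      # object refreshed automatically on open
    elif controls or urls:
        risk = "medium"    # embedded object or external reference present
    else:
        risk = "low"
    return {"controls": controls, "urls": urls, "risk": risk}


# Constructed sample: an RTF stub with an auto-updating linked object and a
# hyperlink field. The \objdata hex is a meaningless placeholder.
SAMPLE_RTF = (
    rb'{\rtf1\ansi'
    rb'{\object\objautlink\objupdate{\*\objclass Word.Document.8}'
    rb'{\*\objdata 0105000002000000}}'
    rb'{\field{\*\fldinst HYPERLINK "http://example.invalid/lure"}{\fldrslt link}}'
    rb'Talking points}'
)

BENIGN_RTF = rb"{\rtf1\ansi Plain text only.}"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        result = triage_rtf(blob)
        print(name, result["risk"], result["controls"], result["urls"])
```

In practice this runs at the mail gateway or in a sandbox pre-filter: anything rated high goes to detonation and the URLs it extracts are cross-checked against the lookalike-domain logic above. It is a heuristic, and a legitimate document with a linked spreadsheet will also rate high, so the output is a queue for analysts rather than a block decision.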
The two documents appear to have been sent from an IP address in Hungary.
After various interactions with the threat actor’s command and control infrastructure and taking advantage of a remote code execution vulnerability, the final RomCom backdoor is installed. The Trojan can collect information such as network adaptor details, usernames, and the machine’s RAM. It can also load further payloads and maintain persistence on a machine that it infects.
“Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor,” BlackBerry concluded, “the intended victims are representatives of Ukraine, foreign organisations, and individuals supporting Ukraine”.
“Based on the available information, we have medium to high confidence to conclude that this is a RomCom rebranded operation, or that one or more members of the RomCom threat group are behind this new campaign supporting a new threat group.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.