Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.
Latest posts by Esme Greene (see all)
- “Ducktail” Hackers Target Facebook - September 28, 2023
- Okta Breach: Super Admin Hack - September 24, 2023
- Rackspace: $10.8M Cloud Shift - September 23, 2023
Ahead of the NATO summit in Vilnius (July 11-12), a Blackberry security research team has uncovered a hacker group targeting Ukraine’s supporters with malware. Their findings reveal the RomCom hacker group’s utilization of fake documents, mimicking a call for Ukraine’s NATO membership, a key topic of discussion at the summit.
Unmasking RomCom: Exploiting Vulnerabilities & Targeting Ukraine
Spear-phishing and typosquatting are two methods employed in the campaign. The hackers distribute a malicious document, posing as the World Congress of Ukrainians (WCU), urging recipients to visit a phishing site with a URL “ukrainianworldcongress.info” (source site “.org”).
When a victim accesses the site, malware is deployed, collecting the victim’s username and IP address for tracking purposes.
The attack chain exploits Microsoft’s 0day vulnerability, CVE-2022-30190 (Follina), discovered in May, enabling remote code execution (RCE) through a malicious “.docx” or “.rtf” document. Remarkably, this technique remains effective even when macros are disabled and the document is opened in Safe Browsing mode. Last year, this attack vector was widely exploited.
The cybersecurity team has been monitoring RomCom since last year when they detected the group’s attacks on Ukrainian military establishments. Code similarities in the two campaigns indicate the involvement of the same hacker group.
Ukraine has previously encountered cyberattacks exploiting the Follina vulnerability. In June 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) reported a phishing campaign by Sandworm hackers, sending malicious emails to Ukrainian media outlets to distribute malware.