• Thu. Aug 17th, 2023

RomCom Group: Success & Cyberattacks

Aug 11, 2023
RomCom Group: Success & Cyberattacks
Esme Greene

Ahead of the NATO summit in Vilnius (July 11-12), a Blackberry security research team has uncovered a hacker group targeting Ukraine’s supporters with malware. Their findings reveal the RomCom hacker group’s utilization of fake documents, mimicking a call for Ukraine’s NATO membership, a key topic of discussion at the summit.

Unmasking RomCom: Exploiting Vulnerabilities & Targeting Ukraine

Spear-phishing and typosquatting are two methods employed in the campaign. The hackers distribute a malicious document, posing as the World Congress of Ukrainians (WCU), urging recipients to visit a phishing site with a URL “ukrainianworldcongress.info” (source site “.org”).

When a victim accesses the site, malware is deployed, collecting the victim’s username and IP address for tracking purposes.

The attack chain exploits Microsoft’s 0day vulnerability, CVE-2022-30190 (Follina), discovered in May, enabling remote code execution (RCE) through a malicious “.docx” or “.rtf” document. Remarkably, this technique remains effective even when macros are disabled and the document is opened in Safe Browsing mode. Last year, this attack vector was widely exploited.

The cybersecurity team has been monitoring RomCom since last year when they detected the group’s attacks on Ukrainian military establishments. Code similarities in the two campaigns indicate the involvement of the same hacker group.

Ukraine has previously encountered cyberattacks exploiting the Follina vulnerability. In June 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) reported a phishing campaign by Sandworm hackers, sending malicious emails to Ukrainian media outlets to distribute malware.