Ukraine, NATO and cyberattacks: RomCom’s formula for success
As Ukraine’s Allies Await NATO Summit, Hackers Urge Politicians To Approve Ukraine’s Joining The Bloc
The Blackberry Security Research Team reports that it has discovered a hacker group attacking supporters of Ukraine with malware ahead of the NATO summit in Vilnius (July 11-12).
According to the Blackberry Research and Intelligence Team, the RomCom hacking group is using forged documents that mimic a call for Ukraine to join NATO, one of the key topics of discussion at the summit.
The campaign combines two attack methods: spear phishing and typosquatting, the registration of domains that differ from legitimate URLs by subtle typos. The hackers created a malicious document distributed on behalf of the Ukrainian World Congress (UWC) to supporters of Ukraine. The document urges the recipient to follow a link to the phishing site “ukrainianworldcongress.info” (the legitimate site uses the “.org” domain).
Legitimate (left) and phishing (right) website of the Congress
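As an added example (not code from the article or the Blackberry report), the following Python check flags the kind of TLD swap described above, where the registrable label matches a protected domain but the suffix differs, and also catches single-character typos in the label; the allowlist, the hypothetical sample URLs and the distance threshold are constructed for illustration.

```python
"""Flag lookalike domains for a set of protected domains (typosquat check)."""
from urllib.parse import urlsplit

# Domains a defender wants to protect. ukrainianworldcongress.org is the
# legitimate site named in the article; add others as needed.
LEGIT_DOMAINS = {"ukrainianworldcongress.org"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def split_host(host: str) -> tuple[str, str]:
    """Return (registrable label, TLD). Simplification (assumption): the last
    label is treated as the TLD, so multi-part suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower(), ""
    return labels[-2], labels[-1]


def classify_url(url: str, max_distance: int = 2) -> str:
    """Classify a URL as 'legitimate', 'tld-swap', 'lookalike' or 'unrelated'."""
    host = (urlsplit(url).hostname or "").lower()
    # Exact match or a subdomain of a protected domain is legitimate.
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legitimate"
    label, tld = split_host(host)
    for legit in LEGIT_DOMAINS:
        legit_label, legit_tld = split_host(legit)
        if label == legit_label and tld != legit_tld:
            return "tld-swap"          # same name, different suffix (.info vs .org)
        if 0 < levenshtein(label, legit_label) <= max_distance:
            return "lookalike"         # near-identical spelling of the label
    return "unrelated"


if __name__ == "__main__":
    for u in ("https://www.ukrainianworldcongress.org/",
              "https://ukrainianworldcongress.info/nato",
              "http://ukranianworldcongress.org/"):      # constructed typo sample
        print(u, "->", classify_url(u))
```

Such a check belongs in a mail gateway or proxy log pipeline, where a "tld-swap" or "lookalike" verdict on an outbound link is a strong signal for review.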
When the victim visits the site, malware is deployed on the device; it collects the username and IP address, which is used to determine the victim's location.
The attack chain uses the Microsoft vulnerability CVE-2022-30190 (Follina), discovered as a zero-day in May last year. Successful exploitation gives the attacker remote code execution (RCE) through a crafted “.docx” or “.rtf” document. The technique works even when macros are disabled and the document is opened in Protected View. According to Blackberry, this attack vector was one of the most actively exploited over the past year.
The cybersecurity team has been tracking RomCom since last year, when it discovered the group's attacks on Ukrainian military institutions. Code similarities between the two campaigns suggest that the same group is behind both.
Ukraine has already faced cyberattacks exploiting the Follina vulnerability: in June 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) reported a phishing campaign in which Sandworm hackers sent malicious emails to Ukrainian media outlets to deploy malware.