NATO Summit Attendees Targeted by Infamous Cybercrime Group RomCom

RomCom, the cybercrime group known for its aggressive stance against organizations allied with Ukraine, has struck again. This time, the infamous posse is reportedly targeting attendees of the NATO Summit taking place in Lithuania. Security experts from BlackBerry Threat Research and Intelligence have discovered the malicious campaign, which focuses on supporters of Ukraine's potential membership in NATO.

The cybersecurity analysts identified two deceptive documents, believed to originate from a Hungarian IP address linked to RomCom. Cleverly disguised, the documents are designed to tempt potential victims into opening them, then install malware on their systems to give the perpetrators easy access.

One document posed as correspondence from the Ukrainian World Congress, while the other was a fake lobbying document supporting Ukraine. The cybersecurity experts highlighted that the deception evidently targets NATO Summit attendees in Vilnius who want Ukraine to join NATO - a critical agenda item at the summit.

"Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine," according to the security advisory.

RomCom's campaign aims to spread malicious code that establishes a connection to the group's command-and-control (C2) infrastructure using the RTF file format vulnerability. Following payload delivery, the RomCom downloader component executes a backdoor and links to the group's C2, creating a victim's profile.

Once the target is deemed valuable, RomCom deploys a next-stage payload and starts harvesting personal data. It is believed that the group began preparations for this attack as early as June 22, according to BlackBerry's security team.

Although the initial infection vector of this campaign has yet to be determined, the group's past activities suggest that it likely used spearphishing and a meticulously crafted replica of the Ukrainian World Congress website to lure targets. They used typosquatting to make the fake website look legitimate.

The campaign also incorporates an execution chain for exploiting a known vulnerability in the Microsoft Support Diagnostic Tool (MSDT) called Follina. If successful, the attackers can weaponize DOCX or RTF documents to conduct Remote Code Execution (RCE) attacks, even if macros are disabled or the document is opened in "Protected" mode.

RomCom's recent activities indicate a pattern of escalating aggression. The group was spotted last month targeting Ukrainian politicians and US healthcare services.

BlackBerry's security advisory provides a list of Indicators of Compromise (IoCs) to assist potential victims in determining whether their systems have been affected by this latest RomCom campaign. As cybersecurity efforts continue to thwart these activities, all participants at the NATO Summit are advised to remain vigilant against such threats.