RomCom RAT Targets Pro-Ukraine Guests at Upcoming NATO Summit

By Deeba Ahmed

The RomCom RAT is also tracked as Tropical Scorpius, Void Rabisu, and UNC2596.

HackRead

The upcoming NATO summit is scheduled to be held in Vilnius, Lithuania from July 11th to 12th 2023.

The BlackBerry Threat Research and Intelligence team has discovered a new campaign in which the threat actor targets Ukraine and NATO supporters with the RomCom RAT (remote access trojan).

Based on their analysis of the threat actor’s TTPs (tactics, techniques, and procedures), network infrastructure, and code similarity, the researchers attribute the campaign to the RomCom threat actor, hence the name RomCom RAT.

For your information, the RomCom RAT is also tracked as Tropical Scorpius, Void Rabisu, and UNC2596. It is written in C and was recently spotted in cyberattacks launched against Ukrainian politicians working closely with Western nations and a healthcare organization in the USA that aids refugees who have fled Ukraine.

This campaign was launched just before the upcoming NATO summit, which is scheduled to be held in Vilnius, Lithuania on July 11-12, 2023. Researchers noted that the threat actors targeted the summit and an international organization supporting Ukraine with phishing attacks.

According to a blog post published by BlackBerry, its cybersecurity team detected two malicious documents, submitted on July 4, 2023 from a Hungary-based IP address, titled:

  • Letter_NATO_Summit_Vilnius_2023_ENG(1).docx
  • Overview_of_UWCs_UkraineInNATO_campaign.docx

These documents are sent as lures to the organization and to pro-Ukraine guests invited to the NATO summit. The threat actor is thus using fake documents that pose as lobbying material for Ukraine’s NATO accession and for Ukraine’s prospects of future membership in the organization.

BlackBerry researchers suspect that threat actors are trying to benefit from this event by creating and distributing a malicious document impersonating the Ukrainian World Congress website to target supporters of Ukraine.

These documents lure the recipient into clicking on a link, which redirects them to a fake website domain. The attackers use typosquatting to mimic ukrainianworldcongress(.)org, with one change: the top-level domain is .info instead of .org. The lookalike domain is intended to make the spear-phishing lure convincing.

Image: BlackBerry

If the victim clicks the link, their device is infected with RomCom RAT, and the attackers can collect sensitive system data such as the IP address, username, and even location.

The malicious document triggers a multi-stage execution sequence: it first contacts a remote server to retrieve intermediate payloads, then exploits the now-patched Follina vulnerability (CVE-2022-30190) in the Microsoft Support Diagnostic Tool (MSDT) to gain remote code execution.

“If successfully exploited, it allows an attacker to conduct a remote code execution-based attack via the crafting of a malicious .docx or .rtf document designed to exploit the vulnerability. That technique is effective even when macros are disabled, and a document is opened in Protected mode.”

The BlackBerry Research & Intelligence Team
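As an added defender-side example (not BlackBerry's or HackRead's code), the Python below triages a .docx package for the two relationship patterns that matter for the Follina technique quoted above: an OLE object relationship fetched from a remote server, which is how Follina documents reached MSDT with macros disabled, and any link target that resolves directly to the ms-msdt: protocol handler. The sample packages are constructed in memory with placeholder targets and hostnames; the .rtf variant is not covered.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
HANDLER_SCHEMES = {"ms-msdt"}  # protocol handler abused by Follina (CVE-2022-30190)


def scan_docx_relationships(docx_bytes: bytes) -> list[str]:
    """Return one finding per suspicious external relationship in a .docx package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            for rel in ET.fromstring(zf.read(part)).iter(f"{RELS_NS}Relationship"):
                # Internal targets are files inside the zip; only external ones can
                # reach a remote server or a protocol handler.
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]  # e.g. "oleObject"
                scheme = urlsplit(target).scheme.lower()
                if scheme in HANDLER_SCHEMES:
                    findings.append(f"{part}: {rel_type} target invokes {scheme}: handler")
                elif rel_type == "oleObject" and scheme in {"http", "https"}:
                    # Follina lures pulled their OLE object from a remote server.
                    findings.append(f"{part}: oleObject loaded from remote URL {target}")
    return findings


def build_sample(rels_xml: str) -> bytes:
    """Constructed minimal .docx-like package containing only the parts scanned."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


HEAD = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
# Constructed benign part: an internal styles part plus an ordinary https hyperlink.
BENIGN_RELS = (HEAD + f'<Relationship Id="rId1" Type="{REL_TYPE}styles" Target="styles.xml"/>'
    + f'<Relationship Id="rId2" Type="{REL_TYPE}hyperlink" Target="https://example.org/" TargetMode="External"/>'
    + "</Relationships>")
# Constructed suspicious part: remote OLE object plus a link straight to the handler
# (placeholder target and hostname, not a working MSDT argument string).
SUSPICIOUS_RELS = (HEAD + f'<Relationship Id="rId1" Type="{REL_TYPE}oleObject" Target="http://lure.example.invalid/stage.html" TargetMode="External"/>'
    + f'<Relationship Id="rId2" Type="{REL_TYPE}hyperlink" Target="ms-msdt:/CONSTRUCTED-PLACEHOLDER" TargetMode="External"/>'
    + "</Relationships>")
```

Run `scan_docx_relationships(open(path, "rb").read())` on a file from quarantine; an empty list means neither pattern is present, not that the document is safe.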

Further analysis of internal telemetry, the attacker’s tooling, and network data suggests the campaign became active on 22 June. The attacker’s C2 server was registered and went live just a few days earlier.

Researchers haven’t yet determined the initial infection vector. However, they are sure that this is a geopolitically motivated campaign, and its prime targets include militaries, IT firms, and food supply chains.


Related news

A DIY Guide To Become An Alone Long Time Bughunter For Ordinary People

Whitepaper called Bughunter's Life-Style: A DIY guide to become an alone long time bughunter for ordinary people. Written in Spanish.

Attackers Are Probing for Zero-Day Vulns in Edge Infrastructure Products

Nearly 20% of the zero-day flaws that attackers exploited in 2022 were in network, security, and IT management products, Mandiant says.

Microsoft Patch Tuesday August 2022: DogWalk, Exchange EOPs, 13 potentially dangerous, 2 funny, 3 mysterious vulnerabilities

Hello everyone! In this episode, let’s take a look at the Microsoft Patch Tuesday August 2022 vulnerabilities. I use my Vulristics vulnerability prioritization tool as usual. I take comments for vulnerabilities from Tenable, Qualys, Rapid7, ZDI and Kaspersky blog posts. Also, as usual, I take into account the vulnerabilities added between the July and August […]

Microsoft Issues Patches for 121 Flaws, Including Zero-Day Under Active Attack

As many as 121 new security flaws were patched by Microsoft as part of its Patch Tuesday updates for the month of August, which also includes a fix for a Support Diagnostic Tool vulnerability that the company said is being actively exploited in the wild. Of the 121 bugs, 17 are rated Critical, 102 are rated Important, one is rated Moderate, and one is rated Low in severity. Two of the issues

Woody RAT: A new feature-rich malware spotted in the wild

The Malwarebytes Threat Intelligence team has discovered a new Remote Access Trojan that we dubbed Woody Rat used to target Russian entities.

Microsoft Patch Tuesday, June 2022 Edition

Microsoft on Tuesday released software updates to fix 60 security vulnerabilities in its Windows operating systems and other software, including a zero-day flaw in all supported Microsoft Office versions on all flavors of Windows that's seen active exploitation for at least two months now. On a lighter note, Microsoft is officially retiring its Internet Explorer (IE) web browser, which turns 27 years old this year.

State-Backed Hackers Exploit Microsoft 'Follina' Bug to Target Entities in Europe and U.S.

A suspected state-aligned threat actor has been attributed to a new set of attacks exploiting the Microsoft Office "Follina" vulnerability to target government entities in Europe and the U.S. Enterprise security firm Proofpoint said it blocked attempts at exploiting the remote code execution flaw, which is being tracked as CVE-2022-30190 (CVSS score: 7.8). No less than 1,000 phishing messages

CVE-2022-30190

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.

Unofficial Micropatch for Follina Released as Chinese Hackers Exploit the 0-day

By Waqas

The Follina vulnerability was originally discovered after a malicious Microsoft Word document was uploaded on VirusTotal from a…

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

UPDATE July 12, 2022: As part of the response by Microsoft, a defense-in-depth variant has been found and fixed in the Windows July cumulative updates. Microsoft recommends installing the July updates as soon as possible.

Windows version                        KB article   Catalog
Windows 8.1, Windows Server 2012 R2    5015805      Download
Windows Server 2012                    5015805      Download
Windows 7, Windows Server 2008 R2      5015805      Download
Windows Server 2008 SP2                5015805      Download

On Monday, May 30, 2022, Microsoft issued CVE-2022-30190 for a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows.