Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime
,
Government
Attackers Using RomCom, PicassoLoader and njRAT Malware to Steal Credentials
The threat actor behind the remote access Trojan called RomCom RAT and other pro-Russian groups are targeting Ukrainian agencies and allies ahead of the NATO Summit this week in Vilnius, Lithuania, using weaponized Microsoft documents and typosquatting techniques to deliver the malware.
See Also: Live Webinar | Reclaim Control over Your Secrets – The Secret Sauce to Secrets Security
NATO countries are set to consider Ukraine’s possible future membership in the organization on Tuesday and Wednesday in Lithuania, which borders Russia and has been an outspoken ally of Ukraine since the Russian invasion in February 2022. Threat actors have exploited the event by targeting supporters of Ukraine with fake websites and documents impersonating the Ukrainian World Congress, according to the Computer Emergency Response Team of Ukraine.
Adversaries replicated the Ukraine World Congress website by appending the .info
extension to create a fraudulent domain, ukrainianworldcongress.info
. The typosquatted website bears a striking resemblance of the legitimate domain ukrainianworldcongress.org
. The website delivers the malicious documents Overview_of_UWCs_UkraineInNATO_campaign.docx
and Letter_NATO_Summit_Vilnius_2023_ENG(1).docx
, which contain an embedded RTF file named afchunk.rtf
, to infect victims’ devices. Both documents declare support for Ukraine’s inclusion in NATO.
The findings were corroborated by the BlackBerry Threat Research and Intelligence team, which found the two malicious documents on July 4, submitted from a Hungarian IP address.
CERT-UA tracked the activity to UAC-0168. Blackberry analyzed the tactics, techniques and procedures of the threat actor and attributed the campaign to RomCom based on the code and network infrastructure used in the operation.
CERT-UA detailed the post-exploitation chronology and said the victim’s machine had first interacted with the attacker’s infrastructure using SMB and HTTP. It then downloaded and deployed a host of other payloads including a Magicspell malware, which loaded, decrypted and launched another executable file that eventually loaded the RomCom RAT.
The RomCom downloader collects information about the target system including the size of the device’s RAM, username and information about the machine’s network adapter. It also helps in maintaining persistence and in deploying additional payloads.
The attackers also exploited Follina, or CVE-2022-30190, a now-patched vulnerability affecting Microsoft’s Support Diagnostic Tool, which is used to achieve remote code execution privileges.
CERT-UA said 195 IP addresses had been tracked interacting with the threat actor’s infrastructure. The analysis of these IP addresses showed their geographical distribution across 30 countries, but most were linked to VPN services.
BlackBerry said the campaign appears to target politicians, and it identified several victims of RomCom primarily based in Ukraine. The firm also observed evidence of at least one U.S. victim targeted by the hacker.
“The victims targeted are involved in several dissimilar industries such as military and healthcare, united by the common thread of Russia’s invasion of Ukraine,” Blackberry said. “Based on the available information, we have medium to high confidence to conclude that this is a RomCom-rebranded operation, or that one or more members of the RomCom threat group are behind this new campaign supporting a new threat group.”
The njRAT Campaign
On Friday, CERT-UA warned of a similar campaign targeting unnamed Ukrainian government agencies. The threat actor in this campaign used spear-phishing to distribute an XLS document named PerekazF173_04072023.xls
and Rahunok_05072023.xls
, which loaded PicassoLoader malware. This malware also loaded a secondary payload, njRAT malware, which is used to exfiltrate data from the victim’s system.
CERT-UA experts said that if the victim’s machine was protected with Avast, FireEye or Fortinet products, the malicious program aborted execution to avoid detection.
CERT-UA attributes the program to UAC-0057 or Ghostwriter, a threat group known to fabricate narratives aligned with Russian security interests. According to the security firm FireEye, the group leverages compromised social media accounts to target NATO member countries in Europe (see: ‘Ghostwriter’ Disinformation Campaign Targets NATO Allies).
APT28 Targets Authentication Data
Using phishing as a bait and replicating known websites to siphon off victims’ authentication data is a well-known tactic of Russian state-sponsored actors, who primarily focus on cyberespionage. CERT-UA revealed on Saturday yet another phishing campaign with a similar motive.
Threat actors used the browser-in-the-browser technique to target users of popular mail service providers ukr.net
, said Parthi, an intelligence analyst at Atlassian, who along with Will Thomas, co-founder of Curated Intelligence, was attributed with the discovery.