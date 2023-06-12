
RomCom Threat Actor Targets Ukrainian Politicians and US Healthcare
The threat actor known as RomCom has returned to the scene, targeting Ukrainian politicians and a US healthcare organization involved in helping refugees fleeing the war-torn country.
The deployment of this attack is via a Trojan version of Devolutions Remote Desktop Manager, which victims were likely encouraged to download after being directed to a cloned website through phishing tactics.
The threat group used a form of typosquatting to give the fake site a striking resemblance to the authentic one, according to a report from the BlackBerry Threat Research and Intelligence team.
By creating fake websites that closely resemble legitimate software sites, RomCom can distribute malicious payloads to unsuspecting victims who download and install the compromised software, believing it to be legitimate.
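The lookalike-domain technique described above can be hunted for on the defender's side by comparing the domains users actually download installers from against an allowlist of expected vendor domains. The following is an added example, not code from the original article or from BlackBerry's research: it scans constructed proxy-log lines for hosts that are homoglyph variants of, one edit away from, or otherwise embed an allowlisted vendor name. All domains are constructed under the reserved `.test` TLD, and the "registrable domain is the last two labels" rule is a simplifying assumption (a real deployment would use the Public Suffix List).

```python
"""Flag lookalike (typosquatted) download domains in constructed proxy logs.

Added example; not part of the original article. All domains are constructed
under the reserved .test TLD and do not refer to any real vendor.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: domains users are expected to fetch installers from.
LEGIT_DOMAINS = {"rdm-vendor.test", "ipscanner-vendor.test"}

# ASCII characters and digraphs commonly swapped in lookalike names.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label: str) -> str:
    """Fold common homoglyph substitutions so 'vend0r' compares equal to 'vendor'."""
    out = label.lower()
    for fake, real in HOMOGLYPHS:
        out = out.replace(fake, real)
    return out


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Assumption: the registrable domain is the last two labels.
    Real deployments should use the Public Suffix List ('co.uk' has three)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_host(host: str) -> Optional[str]:
    """Return a reason string if host looks like a lookalike of an allowlisted
    domain, or None when it is allowlisted or unrelated."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return None
    brand = normalize(reg.split(".")[0])
    for legit in sorted(LEGIT_DOMAINS):
        # e.g. rdm-vendor.test.dl-mirror.test: allowlisted name as a subdomain prefix
        if host.startswith(legit + "."):
            return f"allowlisted domain used as subdomain prefix of {reg}"
        legit_brand = normalize(legit.split(".")[0])
        if brand == legit_brand:
            return f"homoglyph or TLD swap of {legit}"
        if levenshtein(brand, legit_brand) <= 1:
            return f"one edit away from {legit}"
        # Substring match is noisy for very short brand labels; tune per allowlist.
        if legit_brand in brand:
            return f"embeds brand of {legit}"
    return None


def scan_proxy_log(lines) -> List[Tuple[str, str]]:
    """Return (host, reason) for each request to a suspicious domain."""
    hits = []
    for line in lines:
        m = re.search(r"\s(https?://\S+)", line)
        if not m:
            continue
        host = urlsplit(m.group(1)).hostname or ""
        reason = classify_host(host)
        if reason:
            hits.append((host, reason))
    return hits


# Constructed proxy log: timestamp, client IP, method, URL, status.
SAMPLE_LOG = [
    "2023-06-12T09:01:02Z 10.0.0.21 GET http://rdm-vendor.test/download/setup.exe 200",
    "2023-06-12T09:05:10Z 10.0.0.33 GET http://rdm-vend0r.test/download/setup.exe 200",
    "2023-06-12T09:07:45Z 10.0.0.33 GET http://rdrn-vendor.test/setup.exe 200",
    "2023-06-12T09:09:00Z 10.0.0.40 GET http://rdm-vendor-download.test/setup.exe 200",
    "2023-06-12T09:10:30Z 10.0.0.40 GET http://rdm-vendor.test.dl-mirror.test/setup.exe 200",
    "2023-06-12T09:12:00Z 10.0.0.50 GET http://ipscanner-vendr.test/installer.msi 200",
    "2023-06-12T09:15:00Z 10.0.0.60 GET https://unrelated.test/index.html 200",
]

if __name__ == "__main__":
    for host, reason in scan_proxy_log(SAMPLE_LOG):
        print(f"{host:40s} {reason}")
```

Of the seven constructed requests, five are flagged and the genuine vendor download plus the unrelated site pass through. The homoglyph folding and the one-edit threshold are deliberately conservative; the substring rule is the one most likely to produce noise and is worth tuning against a week of real traffic before alerting on it.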
The trojanized installer starts installing malware after the user is prompted to select the destination path where they want the files to be installed. It then begins to systematically collect essential host and user metadata from the infected system, which is transmitted to its command and control (C2) server.
A cyberattack with geopolitical motivations
The campaign strongly suggests that this threat actor’s motivation is not money, but rather a geopolitical agenda that guides its attack strategy and targeting methods.
Identifying the software that targets used, so that fake update notifications could be delivered for it, was part of the process, according to Dmitry Bestuzhev, senior manager, CTI, BlackBerry. “In other words, the threat actor behind RomCom RAT relies on prior information about each victim, such as what software they use, how they use it, and social or political programs on which they work.”
The endgame is the exfiltration of sensitive information. “We have seen RomCom target military secrets, such as unit locations, defensive and offensive plans, weapons, [and] military training programs,” notes Bestuzhev.
He says that in the case of the U.S.-based healthcare provider assisting refugees from Ukraine, the targeted information included how the program works and how it identifies refugees, including refugees’ personal information, which may be used in new attacks.
A RomCom you’ve never seen
Previous RomCom campaigns against the Ukrainian military used fake Advanced IP Scanner software to spread malware, and the group has also targeted English-speaking countries, particularly the UK, with trojanized versions of popular software products, including SolarWinds Network Performance Monitor, KeePass Open-Source Password Manager, and PDF Reader Pro.
Callie Guenther, head of cyber threat research at Critical Start, explains that in more recent campaigns, in addition to using different software, RomCom has also adapted its C2 infrastructure to blend in with legitimate network traffic.
“This could involve the use of communication protocols commonly associated with political campaigns or healthcare organizations, making it harder to detect their malicious activities,” she says.
She adds that social media has played an important role in recent campaigns. “RomCom may use phishing emails, spear-phishing, or other social engineering techniques appropriate to targeted individuals or organizations,” she explains.
For politicians, they could write emails pretending to be colleagues or fellow politicians, and in the case of the healthcare company, they could send emails pretending to be regulators, healthcare or medical equipment providers, or software providers.
Guenther says RomCom’s active development of new capabilities and techniques indicates a remarkable level of sophistication and adaptability.
“This suggests that their target selection may evolve as they refine their tactics and look for new opportunities to compromise,” she says.
How to defend against the RomCom APT
Mike Parkin, senior technical engineer at Vulcan Cyber, says standard defense tactics apply here as they do with any attacker, whether cybercriminal or state-sponsored.
“Keep patches up to date. Deploy them following industry best practices and vendor ‘secure install’ recommendations,” he says. “Make sure users are educated and cultivate a secure culture that makes them part of the solution rather than the most vulnerable part of the attack surface.”
Bestuzhev says the threat actor behind RomCom relies on social engineering and trust. So, training employees on how to spot spear phishing is also important.
“Second, it is important to have a good cyber threat intelligence program that provides contextual, anticipatory and actionable threat intelligence, such as rules of behavior to detect RomCom operations in systems, network traffic and files,” he says. “With this context on RomCom, there is room to build effective threat modeling based on tactics, techniques and procedures (TTPs) and geopolitical developments.”
