RomCom Attackers Launch Phishing Attacks Against NATO Countries

Modus operandi

• The documents downloaded from the fake website included malicious components to initiate an outbound connection and launch additional malware from the attackers’ C2 server.
• In some cases, the malicious documents included a lure based on the upcoming NATO summit to extend support to Ukraine.
• The additional component utilized the Follina vulnerability (CVE-2022-30190) in Microsoft’s Support Diagnostic Tool (MSDT) to conduct a remote code execution attack via a specially crafted RTF file format.
• The final step of the attack resulted in the deployment of the RomCom backdoor on the infected machine.

Additional details

• Blackberry believes that the current campaign is either a rebranded RomCom operation or one that includes core members from the old group that supports the new activity.
• Moreover, the intended victims include representatives of Ukraine, foreign organizations, and individuals supporting Ukraine.

NATO countries under constant attack

• A threat group that goes by the name of NoName took down several websites associated with transport and tourism in the Lithuanian capital to disrupt the NATO summit in Vilnius. 
• The Russia-linked APT29 (aka Cozy Bear) used ISO files for malware distribution in an attempt to diplomatic and foreign ministries from NATO and EU member states.
• In a separate incident, the CISA issued an advisory to warn against Winter Vivern exploiting a cross-site scripting flaw in Zimbra to launch attacks against governments in NATO countries.

Ending note