A RomCom Worth Watching: The Threat Actor’s Latest Targets
As the conflict between Ukrainian and Russian forces escalates in Eastern Europe, the world is becoming increasingly polarized by their support of one side or the other—whether on the ground in Ukraine via the provision of military supplies or on their own turf via healthcare provided to those fleeing the conflict.
Based on the observations of BlackBerry’s Threat Research and Intelligence team, the threat actor behind the RomCom remote access trojan (RAT) has been carefully following geopolitical events surrounding the war in Ukraine, targeting militaries, food supply chains, and IT companies.
Investigating the Threat Actor’s Activity
When we initially observed the RomCom threat group, it appeared to only be targeting government entities and was focused on attacking Ukrainian military infrastructure. As our team continued its investigation into this previously unknown actor, we discovered RomCom had launched campaigns targeting IT companies, food brokers, and manufacturers in Brazil, the Philippines, and the United States. It was—and still is—in the process of developing new cyber weapons to launch more attacks worldwide.
In 2022, RomCom ran a series of new attack campaigns taking advantage of the brand power of SolarWinds, KeePass, and PDF Technologies. Our team uncovered these campaigns while analyzing network artifacts unearthed during a report on the RomCom RAT, which was used in campaigns targeting Ukrainian military institutions through spoofed versions of the legitimate free network scanner called Advanced IP Scanner. In mid-March 2023, we noticed an uptick in telemetry related to our tracking of the operator behind the RomCom RAT.
We now understand it is not financially motivated but following a geopolitical agenda.
In RomCom’s latest campaign, we observed the threat actor targeting politicians in Ukraine who are working closely with Western countries and a U.S.-based healthcare company providing humanitarian aid to the refugees fleeing from Ukraine and receiving medical assistance in the United States.
While Ukraine appears to be RomCom’s primary target today, we found some English-speaking countries are now being targeted as well, including the United Kingdom, likely because of their support of Ukraine and Ukrainian refugees. This is based on our analysis of the terms of service (TOS) of two of the malicious websites and the Secure Socket Layer (SSL) certificates of a newly created command-and-control (C2) run by the threat actor. We have also confirmed this via our in-house telemetry.
Why RomCom is Different from the Rest
When RomCom was initially discovered, it was mistakenly categorized by the industry as a financially motivated threat group. Since initial tracking, however, we now understand it is not financially motivated but following a geopolitical agenda. It’s still unclear who is behind this group, and there is no clear link to existing nation-states.
We have reason to believe the RomCom threat actor is carefully monitoring industry research on itself, including research publicly released by BlackBerry.
For instance, just prior to BlackBerry’s presentation about RomCom at Black Hat USA in August 2023, the group switched out one of its key hosts. The group is taking swift defensive measures to prevent other researchers from digging into its activities. RomCom is also continuously improving its operations and increasing the complexity of its attacks.
Reliance on Social Engineering and Trust
We have seen that the threat actor behind the RomCom RAT employs spear-phishing, with content specifically crafted to target its intended victims. Most of these phishing emails entice the recipient to click on a link, which leads them to malicious URLs created in advance and disguised as legitimate websites. The websites at the malicious URLs mimic software companies that are popular and known to be used by the victims. In previous campaigns, we saw RomCom abusing brands providing software for system/network administration and document readers.
The threat actor relies on specially curated information about victims.
RomCom often uses the malicious technique of typosquatting, where the threat actor registers a domain which looks like a real domain but differs by the suffix. For example, in a recent campaign targeting potential attendees of the July NATO Summit in Vilnius, Lithuania, it registered the fake domain ukrainianworldcongress[.]info, mimicking the real domain of ukrainianworldcongress[.]org.
In its recent campaigns, the RomCom threat actor relied on more personal political content known by politicians in Ukraine. In other words, the threat actor relies on specially curated information about victims, such as what software they use, how they use it, and the social/political programs they’re working on. This implies that the threat actor carefully studies not only the intended target organization, but also key individuals who may have connections with it.
While each campaign is aimed at different targets, it’s safe to state that the RomCom threat group is not motivated by financial gain. For example, we observed RomCom targeting military secrets, such as unit locations, defensive and offensive plans, arms, and military training programs.
With the latest targets—U.S.-based healthcare organizations providing aid to the refugees from Ukraine—it seems the information RomCom wishes to gather is how that aid program works and who the refugees are, including their personal information, which can be used for further geopolitical goals.
The threat actor behind RomCom relies on social engineering and trust to target potential victims.
So, the first thing to learn is how to build an effective strategy to flag and mitigate spear phishing attempts. Secondly, it’s important to rely on a good cyber threat intelligence (CTI) program providing contextual, anticipative, and actionable threat intelligence, including behavioral rules, such as Yara rules, to detect RomCom’s potential presence in systems, network traffic, and files.
With this context in mind, there is plenty of room for building effective threat modeling based on the tactics, techniques, and procedures (TTPs) and geopolitical developments of threat actors such as RomCom.
Dmitry Bestuzhev, senior cyberthreat intelligence director, BlackBerry, is responsible for tracking large-scale cyber incidents, espionage, and cyber-crime motivated campaigns. Before joining BlackBerry, Bestuzhev oversaw the Global Research and Analysis Team in Latin America in anti-malware and threat intelligence research of financially motivated attacks. He has more than 20 years of experience in different fields of cybersecurity.