RomCom Threat Actor Attacks Ukrainian Politicians & US Healthcare Allies
Category: Threat Actor Activity | Industries: Critical Infrastructure, Defense, Government, Healthcare, Technology | Source: BlackBerry
A threat actor tracked as "RomCom" has reemerged, focusing on Ukrainian politicians and a US-based healthcare organization supporting refugees from the conflict-stricken nation. The BlackBerry Threat Research and Intelligence team reports on the threat actor's latest activities, noting that the group has been closely monitoring geopolitical events in Ukraine and striking critical infrastructure, political, and defense-related entities. RomCom's latest campaign took place in mid-March 2023, with BlackBerry researchers having "observed RomCom targeting politicians in Ukraine who are working closely with Western countries, and a U.S.-based healthcare company providing humanitarian aid to the refugees fleeing from Ukraine and receiving medical assistance in the U.S."
Based on the known attack vector, RomCom hosted infrastructure masquerading as a legitimate download of the Devolutions Remote Desktop Manager (RDM). The certificate on the executable does not match the one Devolutions signs RDM with. Once downloaded and executed, the installer mimics a legitimate installation, distracting the user while dropping malicious payloads into the "C:\Users\Public\Libraries" directory. "The core malicious binary related to RomCom is the file %netid4050320587.dll0%. This Dynamic-Link Library (.DLL) is executed via the Windows host process RunDLL32 in the background while the unsuspecting victim tries installing the fake software," as analyzed by BlackBerry. RomCom's motives do not appear to be oriented toward monetary gain; its current focus seems to be intelligence collection and expanding its knowledge of geopolitical events related to Ukraine and the Western countries aiding it. The intelligence collected will likely be used as a springboard for its next campaigns.
Anvilogic Use Cases:
- Suspicious Payload Executes Rundll32
- Executable Process from Suspicious Folder
- Network Connection with Suspicious Folder
- Rundll32 Command Line
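As an added illustration of the use cases above (not code from BlackBerry or Anvilogic), the following Python runs three of those detections over constructed Sysmon-style process and network events, keying on the C:\Users\Public\Libraries drop directory and the rundll32 loading pattern the page describes. The sample events, the field names and the PLACEHOLDER.dll name are assumptions.

```python
import re
from typing import Optional

# Drop directory the page reports the fake RDM installer writing payloads to.
SUSPICIOUS_DIR = r"c:\users\public\libraries"
# DLL argument of a rundll32 command line, quoted or not, up to the comma before the export.
RUNDLL32_DLL = re.compile(r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))', re.IGNORECASE)

# Constructed sample telemetry (Sysmon-style process/network events), not data
# from the BlackBerry report; the DLL name is a placeholder.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\Public\Libraries\PLACEHOLDER.dll",Main'},
    {"type": "process", "image": r"C:\Users\Public\Libraries\updater.exe",
     "cmdline": r"C:\Users\Public\Libraries\updater.exe /quiet"},
    {"type": "network", "image": r"C:\Users\Public\Libraries\updater.exe",
     "cmdline": "", "dest": "203.0.113.10:443"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign Control Panel call
]

def normalize_path(path: str) -> str:
    """Lower-case and unify separators so prefix checks survive casing and '/' tricks."""
    return path.strip().strip('"').replace("/", "\\").lower()

def in_suspicious_dir(path: str) -> bool:
    return normalize_path(path).startswith(SUSPICIOUS_DIR + "\\")

def rundll32_dll_path(cmdline: str) -> Optional[str]:
    """Normalized path of the DLL rundll32 was asked to load, or None if not parseable."""
    m = RUNDLL32_DLL.search(cmdline)
    return normalize_path(m.group(1) or m.group(2)) if m else None

def classify(event: dict) -> list:
    """Names of the detections that fire for one event (empty list when clean)."""
    hits = []
    if event["type"] == "process" and in_suspicious_dir(event["image"]):
        hits.append("Executable Process from Suspicious Folder")
    if event["type"] == "network" and in_suspicious_dir(event["image"]):
        hits.append("Network Connection with Suspicious Folder")
    if event["type"] == "process" and normalize_path(event["image"]).endswith("\\rundll32.exe"):
        dll = rundll32_dll_path(event["cmdline"])
        if dll is not None and in_suspicious_dir(dll):
            hits.append("Suspicious Payload Executes Rundll32")
    return hits

def scan(events: list) -> list:
    """(index, detections) for every event that triggers at least one detection."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]
```

The benign shell32.dll call stays silent because the loaded DLL is not under the drop directory, which is the distinction that keeps a rundll32 rule from paging on ordinary Control Panel activity.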