Ukraine Supporters Targeted by Malware Ahead of NATO Summit



A threat actor has been targeting supporters of Ukraine with malware ahead of the NATO summit in Vilnius on July 11-12, according to BlackBerry's research team.

The suspected threat group, which the BlackBerry Research and Intelligence Team tracks as RomCom, is believed to be using forged documents that purport to support Ukraine's accession to NATO, expected to be a key topic of discussion at the summit.

“One of the topics on the agenda is Ukraine and its possible future membership in the organization,” said the Blackberry team. “Taking advantage of this event and the request of Ukraine to join NATO, threat actors have created and distributed a malicious document impersonating the Ukrainian World Congress organization to presumably distribute to supporters of Ukraine.”

The forged documents are intended to persuade targets to click a link to a second fake: a website whose domain mimics the organization's legitimate one, differing only in the top-level domain, with ".info" in place of the real ".org".

According to Cybernews, this is a common spear-phishing tactic often grouped under "typosquatting": a trusted, legitimate URL is altered in a minor way (here, a swapped top-level domain rather than a misspelling) so the target is less likely to be suspicious. When the victim follows the link, their device is hit by an attack that deploys malware, a malicious program that lets the attackers harvest details of the infected computer such as the username and internet protocol (IP) address, which identify the machine and give an approximate idea of its location.
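A simple way to catch the trick described above is to compare every link in an inbound message against an allowlist of trusted domains and flag any hostname that shares a trusted domain's name but uses a different top-level domain. The following checker is an added example for this article, not code from BlackBerry, Cybernews, or the threat actor; the trusted domains, the lure text and the lookalike hostname are constructed for illustration (the article does not give the real domains involved).

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of domains the recipient would trust.
# These are assumptions for the example, not the domains from the campaign.
TRUSTED_DOMAINS = {
    "example-congress.org",
    "nato.int",
}

# Constructed lure text in the style of the campaign described in the article.
SAMPLE_LURE = """Dear supporter,
please read the declaration at https://www.example-congress.info/nato/declaration.pdf
and the official agenda at https://www.nato.int/summit.
"""

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
TRAILING_PUNCT = ".,;:)>\"'"


def registrable_parts(host):
    """Return (name, tld) for a hostname, ignoring subdomains.

    Simplification: the last label is treated as the TLD. Multi-label public
    suffixes such as co.uk would need a public-suffix list instead.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return labels[-2], labels[-1]


def classify_host(host, trusted=TRUSTED_DOMAINS):
    """Classify a hostname as trusted, a TLD-swap lookalike, or unknown."""
    parts = registrable_parts(host)
    if parts is None:
        return "unknown"
    name, tld = parts
    trusted_parts = sorted(p for p in (registrable_parts(t) for t in trusted) if p)
    if (name, tld) in trusted_parts:
        return "trusted"
    for t_name, t_tld in trusted_parts:
        # Same registrable name, different TLD: the ".org" -> ".info" pattern.
        if name == t_name and tld != t_tld:
            return f"tld-swap lookalike of {t_name}.{t_tld}"
    return "unknown"


def scan_text(text, trusted=TRUSTED_DOMAINS):
    """Extract every http(s) URL from a message body and classify its host."""
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(TRAILING_PUNCT)
        host = urlparse(url).hostname
        if host:
            findings.append((url, classify_host(host, trusted)))
    return findings


if __name__ == "__main__":
    for url, verdict in scan_text(SAMPLE_LURE):
        print(f"{verdict:45} {url}")
```

Run as a script it prints one verdict per link in the constructed lure, flagging the ".info" host as a lookalike of the trusted ".org" domain. The check is deliberately narrow: it catches only a swapped top-level domain, not misspellings, homoglyphs or extra hyphens, and a real deployment would replace the last-label TLD heuristic with a public-suffix list.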

RomCom has been on BlackBerry's radar for some time. The team pointed to coding similarities between the NATO-themed campaign and earlier ones, which led it to conclude that the same threat group is responsible.

BlackBerry believes that in this round of attacks the group did not only target Ukrainian politicians, but also foreign entities and individuals who support Ukraine in the war against Russia.

“Based on the available information, we have medium to high confidence to conclude that this is a RomCom rebranded operation, or that one or more members of the RomCom threat group are behind this new campaign supporting a new threat group,” said BlackBerry.

Information provided by Cybernews.