CyberWire Daily - Politicians targeted by RomCom. [Research Saturday]
Episode Date: August 19, 2023
Dmitry Bestuzhev from BlackBerry joins to discuss their work on "RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine." The research suggests that the RomCom threat team has been tracked carefully following the geopolitical events surrounding the war in Ukraine, and is now targeting politicians in Ukraine who are working closely with Western countries. This group differs from others in that its focus is on secrets or information useful in geopolitics, specifically the war in Ukraine, rather than on financial gain. The research says: "Although it is unclear at this point what initial infection vector was used to kick off the execution chain, previous RomCom attacks used targeted phishing emails to point a victim to a cloned website hosting Trojanized versions of popular software." The research can be found here: RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine
Transcript
You're listening to the CyberWire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation
with researchers and analysts tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in our rapidly evolving cyberspace.
Thanks for joining us.
We were looking for campaigns around Ukraine in the context of the geopolitical situation and specifically the war in Ukraine.
That's Dmitry Bestuzhev. He's a senior director at BlackBerry.
The research we're discussing today is titled "RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine."
So when you look into the threat landscape in Ukraine, you usually have all those threat actors which are known and typical, like APT29, Gamaredon, and some others. We have seen so many wipers which destroy the hard drive,
but eventually we found something which caught our attention. We knew that was something new,
not connected to any previous threat actor. And we realized it was
RomCom RAT. The interesting part of this: by mistake, another vendor, a security vendor,
had attributed this threat actor, or this tool, this weapon, to a cybercriminal group. It means a group with financial motivations.
However, we found and we proved that RomCom is not connected to any financially motivated
operational group or threat actor behind it.
In fact, it's a weapon used against Ukraine, and the threat actor behind it carefully follows the news
and the geopolitical developments.
So we found that RomCom has been targeting specific victims
in the United States and also in Ukraine and Western countries, targeting
healthcare, targeting military systems, the NATO summit, and others.
Well, as you mentioned, RomCom is a remote access Trojan, a RAT.
What is their game plan here?
How do they generally get on someone's system?
Usually, everything begins with the initial infection vector, which is spear phishing.
There is nothing new in here at first sight.
However, we know that the threat actor behind it uses very specific themes, like topics and information,
which sometimes are not even in the news yet or just went into the news. Like, for instance, the deployment of new tanks in Ukraine,
or trainings, pilot trainings in Ukraine,
or even Belarus, when also interacting with Russia close to the border of Ukraine and Poland specifically.
So that's the interesting part there, and that information is many times available only in the conventional world. That means it's not anything like cyber.
It's carefully used for the social engineering
crafting and then deployed through
spear phishing messages.
So are we guessing here that perhaps the folks who run this have
access to high-level intel,
so they have a jump on the news cycle?
That's correct. So we suspect as well that one of the
sources RomCom uses in
their campaigns is news, like geopolitical news.
But at the same time, it's information received somehow from other sources.
It's probably also human intelligence, and just information which can still be used from open sources.
But it's not necessarily in the news.
Well, let's walk through this together.
I mean, suppose that I am someone that RomCom wants to come after here
and I'm minding my own business, checking my email.
How does it begin?
Email. Yeah, the victim receives
an email, which usually includes an attachment or
a link, which leads to the first-stage
malware.
So that malware is in charge of deploying the next stage,
and that next stage, finally, the payload.
So sometimes when we look into that social engineering, like emails, it can be anything.
It can be just like a military order, it can be like a healthcare
plan to support refugees from Ukraine, it can be even software, like software which is used by the
victim, like updates and things like that. So what the victim receives in the end is a melted
application. I call it melted; it means Trojanized. It's a legitimate application along with a malicious
library, one malicious library inside. The
fascinating thing is in the very last campaign we saw
on June 22nd, when the threat actor behind
RomCom targeted the NATO Summit, it used at least two
exploits. So the technical capabilities were
expanded by RomCom. You know, they used, technically speaking, one zero-day and also one
n-day exploit, and they relied on new techniques like using RTF files, and finally the backdoors, stealing information from the victims' machines and profiling the victims.
So it's all about stealing secrets.
And what specific type of information are they targeting here?
Military information, diplomatic information.
In the case of the attack against the healthcare here in the United States,
it's probably information about those who are refugees, like who receives help, who they are,
names, full names, dates of birth, any other information like the address in the United
States, everything that a medical record has. It has a lot of value.
It's just not because of any cybercrime.
It's information on individuals who came from Ukraine and who receive help here.
And your research points out that they're making use of some typosquatting here as well?
Yes, indeed.
That's because, you see, everybody,
or at least most of us,
learned that before you click,
or when you click, check the address,
if the domain is correct and such.
But when you register a domain
which is very close to the original one, where the
difference is just one character, one letter, and that letter is actually very similar,
graphically, visually speaking, to another letter, it's hard for the victim sometimes to
spot the difference. And it's also a technique which can be used
to, let's say, fool the SOC,
Security Operations Center, when, let's say, those operators
are sitting there and looking and seeing domains very similar
to the original or legitimate
domains.
There is room for a mistake by a SOC operator to say, well, it's a clean domain.
It's a legitimate domain.
There's nothing in there.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
So what did you all see in terms of any communications with the command and control server?
The communication, it's always encrypted.
It's interesting because, definitely,
if an incident response team starts a job
and also starts sniffing the traffic and such,
the information,
when it's encrypted, it's not accessible,
at least not easily accessible,
for the operator at the SOC
or the incident response team.
And they usually
also use a specific port.
Very interesting.
That port for us has always been like a silver bullet
also to go behind them and to find new domains.
They were just like a jump host.
The whole thing, the whole communication,
it's through usually at least one or more jump hosts,
which protects or anonymizes the threat actor behind it.
So when you see those connections from your side,
you will probably see only a connection to a legitimate cloud,
which is a server which is legitimate, but it's in the control of the threat actor.
Now, if I find myself infected with this,
is it going to reach out to other devices on my network,
or does it stay contained on one endpoint?
The threat actor, once it has infected the computer,
and of course, once it has control of the computer,
has full capabilities not just to steal the information,
but also to, let's say, profile the network.
What other computers are connected in there?
How to move laterally?
So it's all up to the threat actor.
What's next?
There is no, let's say, USB self-propagation module,
but still, if there were such a need,
we know that the threat actor behind it could implement it.
Interesting. And who is it that they appear to be targeting here?
Primarily organizations who are sympathetic to Ukraine's interests?
Yes, Western countries, those countries which support Ukraine in this war against Russia.
It's interesting that some of the applications, the software abused by RomCom and used in targeting, let's say, military units, are known to be used actually
by NATO countries.
So NATO used those applications.
So we see that RomCom is definitely, let's say,
mad about anyone who provides help to Ukraine, and carefully and systematically
targets those allies.
Now, additionally, you found something interesting in
I guess a Trojanized version of the popular GoToMeeting software.
That's correct. GoToMeeting,
AnyDesk, like applications we use on a daily
basis. So imagine if you find those libraries and those modules in the system, like an infected
system, I mean, even like AnyDesk. And of course, you understand it's like, oh, it's a
clean application, and of course it needs internet, and it connects to somewhere on the internet.
You go in, you check the address, the IP address, and you see it's a clean server
and it's somewhere like, you know, in the US.
So the first thing you will probably conclude is like, oh, it's clean.
I don't know who's using AnyDesk in my network,
but probably they just use it for a reason.
Or even if the victim, the whole organization, the target organization,
really uses AnyDesk, it will be just like a green light
to completely lose that signal,
and for the threat actors to continue working from the network.
And these trojanized apps,
do they maintain their original functionality?
In other words, they have this bad functionality under the hood,
but if I were to boot one of these programs up,
would it still function the way it was originally intended?
Yes, yes, that's the thing.
So it's not like when you get a fake application,
completely fake, you run it and nothing happens
or just like a weird error.
No, here it's the opposite.
So it's a full version of a legitimate application
melted with one malicious library,
which is in there, in the archive.
So once the installation process runs, it installs both.
The legitimate program and the implant.
So for the victim, there is no reason to believe that it's anything malicious.
And even the website, it's crafted in a way, I mean, the malicious website, where it's
downloaded from, it's an exact copy of the legitimate website of the vendor.
And even if you click, let's say, on chat with the specialist or support, it will take
you to the real chat. So you will be speaking with a real tech support team.
So that's how it's functional. It really works.
So what are your recommendations for folks to best protect themselves against this?
What do you suggest?
In this case, I mean, if someone is already infected,
it's crucial
to have full visibility over
network traffic,
and to start
just probably
playing with different strategies.
For example,
to allow only
that traffic which is allowed and known as clean; everything new, unconfirmed, must be analyzed manually.
Basically, by grabbing the memory image,
analyzing all the events in the system,
you can find those implants in your network at the endpoint.
Another thing is we just released a blog post, it was last week, with rules, detection rules,
YARA rules, and SIGMA rules.
SIGMA for behavioral analysis and YARA for file detection.
You can use them as well, run them on your file system or run them on your computer,
and just by looking for the behaviors,
you may also detect those things.
We also have IOCs publicly available for anyone, like domains, IP addresses,
which is the first thing to grab and check against the proxy logs
and to see if there was any match in the past or today.
How do you rate RomCom in terms of their sophistication here?
I mean, it seems as though they're well-resourced.
Yes, it is definitely someone who works for a state.
It's a nation-state or a group affiliated to a nation-state.
And because of the context, it's someone who works for Russia or in Russia
or for the interests of Russia.
So imagine using a zero-day in one of the campaigns, which happened just about 40 days ago. It means the group itself is sophisticated,
because it's not only about having access to those exploits,
it's about using them in the wild,
even assuming the risk that probably,
or highly likely, the operation will be discovered,
like all the artifacts will be recovered, analyzed.
So that's someone who's ready even to burn the exploit.
So it means the interests,
the motivation behind it, is high.
And the fact that now they're using zero-days,
it also proves, it shows that
it's someone who's, it's a nation-state.
Our thanks to Dmitry Bestuzhev from BlackBerry for joining us.
The research is titled "RomCom Resurfaces:
Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine."
We'll have a link in the show notes.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions
designed to give you total control,
stopping unauthorized applications,
securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default deny approach
can keep your company safe and compliant.
The CyberWire Research Saturday podcast
is a production of N2K Networks,
proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Elliott Peltzman.
Our executive editor is Peter Kilpe.
And I'm Dave Bittner.
Thanks for listening.