Research Saturday 8.19.23
Ep 295 | 8.19.23

Politicians targeted by RomCom.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.

Dmitry Bestuzhev: We were looking for campaigns around Ukraine in the context of a geopolitical situation and specifically the war in Ukraine.

Dave Bittner: That's Dmitry Bestuzhev. He's a senior director at BlackBerry. The research we're discussing today is titled "RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine."

Dmitry Bestuzhev: So when you're looking at the threat landscape in Ukraine, you usually have all those threat actors which are known and typical, like APT29, Gamaredon, and some others. We have seen so many wipers which destroy the hard drive. But eventually, we found something which caught our attention. We knew that it was something new, not connected to any previous threat actor, and we realized it was RomCom RAT.

Dmitry Bestuzhev: The interesting part of this -- by mistake, another vendor -- security vendor had attributed this threat actor or this tool, this weapon, to a cybercriminal group. This means, like, a group with financial motivations. However, we found and we proved that RomCom is not connected to any financially-motivated operation or group threat actor behind it. In fact, it's a weapon used against Ukraine. And the threat actor behind it carefully follows the news and the geopolitical developments.

Dmitry Bestuzhev: So we found that RomCom has been targeting specifically, like, victims in the United States and also in Ukraine and Western countries. Targeting healthcare, targeting military systems, NATO Summit, and others.

Dave Bittner: As you mentioned, RomCom is a remote access trojan, a RAT. What is their game plan here? How do they generally get on someone's system?

Dmitry Bestuzhev: Usually, everything begins with the initial infection vector which is spearphishing. There is nothing new in here at first sight. However, we know that the threat actor behind it used, like, very specific themes like topics and information which sometimes is not even in the news yet or just went to the news. Like, for instance, the deployment of new tanks in Ukraine or training -- pilot training in Ukraine. Or even like Belarus when also interacting with, like, with Russia close to the border of Ukraine and Poland, specifically.

Dmitry Bestuzhev: So that's - that's, like, the interesting part of that. And that information - that information is many times available only, like, even in a conventional war. That means it's not - it's not anything like cyber. It's carefully used for the social engineering, crafting, and then deployed through spearphishing messages.

Dave Bittner: Hmm. So are we guessing here that perhaps the folks who run this have, you know, access to high-level intel that - you know, so they have a jump on the news cycle?

Dmitry Bestuzhev: Mm-hmm. That's correct. Yeah, that's correct. So we suspect, as well, like, one of the let's say, like, sources RomCom uses in their campaigns is like news. Yeah, like geopolitical news.

Dmitry Bestuzhev: But at the same time, it's information received somehow from other sources that's probably like also human intelligence and just information which can be used still from open sources, but it's not necessarily in the news.

Dave Bittner: Well, let's walk through this together. I mean, suppose that I am someone that RomCom wants to come after here. And I'm, you know, minding my own business, checking my email. How does it begin?

Dmitry Bestuzhev: Email. Yeah, the victim receives an email which usually includes an attachment or a link which leads to the first stage malware. So that malware is in charge of deploying the next stage. And that next stage, finally, the payload.

Dmitry Bestuzhev: So sometimes when we look into that social engineering, like emails, it can be anything. It can be just like a military order; it can be like a healthcare plan. A plan to support refugees from Ukraine.

Dmitry Bestuzhev: It can be even software. Like, software which is used by the victim, like updates and things like that. So the victim would receive [inaudible] that means, like, "trojanized." It's a legitimate application along with a malicious library - one malicious library inside.

Dmitry Bestuzhev: The fascinating thing is in the very last campaign we saw on June 22nd, when the threat actor behind RomCom targeted the NATO Summit, it used at least two exploits. So the technical capabilities were expanded by RomCom and they used, technically speaking, a 0-day and also a 1-day exploit. And they relied on new techniques like using RTF files and finally the backdoors, stealing information from the victims' machines and profiling the victims. So it's all about stealing secrets.

Dave Bittner: And what specific type of information are they targeting here?

Dmitry Bestuzhev: Military information, diplomatic information. In the case of the attack against the healthcare here in the United States, it's probably information about those who are refugees. Like, who receives help. Who they are, names - full names, date of birth. Any other information like the address in the United States. Everything that a medical record has; it has a lot of value. It's just not because of any cybercrime; it's information based on, like, individuals who came from Ukraine and who receive help here.

Dave Bittner: And your research points out that they're making use of some typosquatting here as well?

Dmitry Bestuzhev: Yes, indeed. That's because, you see, like everybody - like [inaudible] we learn that before you make a click, or when you make a click, check the address. If the domain is correct and such. But when you register a domain which is very close to the original one, where the difference is just one character, one letter, and that letter is actually very similar, like, graphically or visually speaking, to another letter, it's hard for the victim sometimes to spot the difference.

Dmitry Bestuzhev: And especially it's also a technique which can be used also to - let's say, to fool a SOC. That's a security operations center. When, let's say, those operators are sitting there and looking and seeing, like, domains very similar to the original or legitimate domains, there is room for a mistake by a SOC operator. To say, well, it's a clean domain, it's a legitimate domain. There's nothing in there.

Dave Bittner: So what did you all see in terms of any communications with the command-and-control server?

Dmitry Bestuzhev: The communication is always encrypted. It's interesting because it's - like, definitely, it's - if an incident response team will start its job and also will start [inaudible] the traffic and such. The information, when it's encrypted, is not accessible. It's just, like, easily accessible for the - the threat actor.

Dmitry Bestuzhev: For the operator, it's all [inaudible]. And they usually also use, like, a specific port. It's very interesting. That port for us has been always like, you know, a silver bullet also to go behind them and to find new domains that are just like jump hosts. The whole thing - like, the whole communication is through usually at least one or more jump hosts which protects the - or let's say anonymizes the threat actor behind it.

Dmitry Bestuzhev: So when you see those connections, like, from your side, you'll probably see only, like, a connection to a legitimate cloud, which is a server which is legitimate but it's under the control of the threat actor.

Dave Bittner: Now, if I find myself infected with this, is it going to reach out to other devices on my network, or does it stay contained on one endpoint?

Dmitry Bestuzhev: The threat actor, once infecting the computer, and of course, like, once it has the control of the computer, it has full capabilities not just to steal the information but also to, let's say, profile the network. What other computers are connected in there? What is the - like, how to move laterally.

Dmitry Bestuzhev: So it's all up to the threat actor, like, what's next. There's not any, let's say, like, a USB self-propagation module. But still, if it would be such a need, we know that the threat actor behind it could implement it.

Dave Bittner: Interesting. And who is it that they appear to be targeting here? I mean, is it primarily organizations who are sympathetic to Ukraine's interests?

Dmitry Bestuzhev: Yes, Western countries. Those countries which support Ukraine in this war against Russia. It's interesting that some of the applications or software abused by RomCom and used in targeting, let's say, military units are known to be used, actually, by NATO countries. So NATO used those applications. So we see that RomCom is definitely -- it's like mad about anyone who provides help to Ukraine and carefully and systematically targets those allies.

Dave Bittner: Now, additionally, you've found something interesting in, I guess, a trojanized version of the popular GoTo Meeting software.

Dmitry Bestuzhev: Mm-hmm, that's correct. GoTo Meeting. AnyDesk, like, applications we use - we use on a daily basis. So imagine if you find those libraries and those modules in the system. Like, an infected system. I mean, like, even like AnyDesk. And it's, of course, you understand, it's like, oh, it's a clean application.

Dmitry Bestuzhev: And, of course, it needs internet and it connects somewhere to the internet. You go in, you check the address. The IP address. And you see it's a clean server and it's somewhere, like, you know, in the U.S. So the first thing you'll, like, probably conclude is, like, oh, it's clean. I don't know who's using AnyDesk, like, in my network, but probably they just use it for a reason. Or even if the victim, like, the whole organization - targeted organization use - like really use AnyDesk, it's just like a green light, you know, to completely lose that signal and for the threat actors to continue working from the network.

Dave Bittner: And these trojanized apps, do they - do they maintain their original functionality? In other words, you know, they have this bad functionality under the hood, but if I were to boot one of these programs up, would it still function the way it was originally intended?

Dmitry Bestuzhev: Yes. Yes, that's the thing. So it's not like when you get a fake application - completely fake. You run it and nothing happens, or just like a weird error. No, here it's the opposite.

Dmitry Bestuzhev: So it's a full version of a legitimate application melded with one malicious library which is in there in the archive. So once the installation process runs, it installs both: the legitimate program and the implant. So for the victim, there is no reason to believe that it's anything malicious.

Dmitry Bestuzhev: And even the website, it's crafted in a way - I mean, the malicious website where it's downloaded from. It's an exact copy of the legitimate website of the vendor and even, like, if you click, let's say, on the chat with the specialist or support it will take you to the real chat. So you'll be speaking with a real tech support team. So that's how it's - like, it's functional for - like, it really works.

Dave Bittner: So what are your recommendations for folks to best protect themselves against this? What do you suggest?

Dmitry Bestuzhev: In this case, I mean, if someone is already infected it's - it's crucial to have full visibility over network traffic. So then to start just probably, like, playing with different strategies. For example, like, to allow only that traffic which is allowed and known as clean. Everything new, unconfirmed, must be analyzed manually.

Dmitry Bestuzhev: Second, and, of course, it's always like that, if you have access to the endpoint and you run an analysis on the endpoint, basically like grabbing the memory [inaudible] analyzing all the events in the system, you can find those implants in your network at the endpoint.

Dmitry Bestuzhev: Another thing is we just released a blog post - it was last week - with rules - detection rules, YARA rules, and Sigma rules. Sigma for behavioral analysis and YARA for file detection. You can use them, as well, to run in your file system or to run in your computer and just look for the behaviors. You may also detect those things.

Dmitry Bestuzhev: We also have IOCs publicly available for anyone, like domains, IP addresses, which is a first thing to grab and check with proxy logs and to see if there was any match in the past or today.

Dave Bittner: How do you rate RomCom in terms of their sophistication here? I mean, it seems as though they're well-resourced.

Dmitry Bestuzhev: Yes. It's - it is definitely someone who works for a state. It's a nation-state or an affiliated group to a nation-state. And because of the context, it's someone who works for Russia or in Russia or for the interests of Russia.

Dmitry Bestuzhev: So imagine, like, using a zero-day in one of the campaigns which happened just - just about 40 days ago. It means the group itself is sophisticated because it's not only about having access to those exploits, it's about using them in the wild. Even assuming the risk that probably -- oh, highly likely the operation will be discovered, like, all the artifacts will be recovered and analyzed.

Dmitry Bestuzhev: So that's someone who's ready even to burn the exploit. So it means the interests, the motivation behind it, is high. And the fact that now they're using zero-days is also - it proves - it shows that it's someone who's - it's a nation-state.

Dave Bittner: Our thanks to Dmitry Bestuzhev from BlackBerry for joining us. The research is titled "RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine." We'll have a link in the show notes.

Dave Bittner: The CyberWire "Research Saturday" podcast is a production of N2K Networks. Proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.