Cybersecurity Alert: Ukrainian Politicians and US Healthcare Services Targeted by RomCom Threat Group

The threat actor known as RomCom is concentrating attacks on Ukrainian politicians and the US healthcare sector in an emerging cyberthreat, according to a report by BlackBerry Threat Research.

The threat group is reportedly using sophisticated techniques, including phishing, typosquatting and deploying a trojanized version of Devolutions Remote Desktop Manager.

The perpetrators select victims based on their proximity to and involvement with pro-Ukraine organizations, particularly those helping the refugees fleeing the country's ongoing conflict.

The detailed phishing campaign deployed by RomCom is designed to trick victims into downloading malware via rogue websites that closely mimic the original, legitimate sites.

The attackers have shown adeptness at typosquatting, creating mock sites so convincingly similar to the genuine websites that victims are easily duped into downloading the malicious software.

Once installed, the trojan begins harvesting host and user metadata from the compromised systems and funnels it back to a command-and-control (C2) server controlled by the threat actors.

"Although it is unclear at this point what initial infection vector was used to kick off the execution chain, previous RomCom attacks used targeted phishing emails to point a victim to a cloned website hosting Trojanized versions of popular software," reads BlackBerry Research & Intelligence Team's security advisory. "There is a high likelihood that this is the same in this case, as the tactics, techniques, and procedures (TTPs) align."

Particularly alarming is the clear geopolitical motive behind RomCom's actions. Unlike many other cybercriminal groups, which primarily seek financial gain, RomCom seems intent on extracting sensitive information.

This might include military secrets, defensive and offensive strategies, training programs, and other classified data. The threat actors also appear to exploit any previously available information about their targets, such as the software they use, their involvement with social or political programs, and how they utilize their software.

Given the sophistication and evident strategic goals of the RomCom group, it is clear that organizations involved in pro-Ukraine activities, as well as the broader US healthcare sector, need to increase their cybersecurity to protect against these attacks.

"During the course of our investigations, BlackBerry has identified several victims primarily based in Ukraine," the researchers explain. "This aligns with previously seen geolocations targeted by RomCom. We have also observed evidence of at least one target based in the United States. The victims targeted are involved in several dissimilar industries such as Military and Healthcare, united by the common thread of Russia's invasion of Ukraine."

Experts advise people to verify the legitimacy of websites before downloading any software and to be cautious of unexpected emails, even those that appear to come from known contacts.

Specialized software such as Bitdefender Ultimate Security can protect you against phishing attacks, trojans, and other digital threats. Key features include:

• Continuous, all-around detection and protection against viruses, worms, trojans, zero-day exploits, spyware, ransomware, rootkits, and other e-threats
• Anti-phishing module that detects and blocks websites that pose as legitimate ones in order to steal your personal data, credentials, or funds
• Behavioral detection technology that closely monitors active apps on your system and acts instantly upon detecting suspicious behavior
• Network threat prevention module that identifies and blocks suspicious network-level activities, including brute force attacks, malware- and botnet-related URLs, and sophisticated exploits