
Microsoft issues warning about RomCom's latest phishing tactic involving Word documents

Malicious hackers often employ doctored versions of widely-used software like Adobe, SolarWinds, KeePass, and others.


In a recent development, cybersecurity giant Microsoft has issued a warning to organisations worldwide, advising them to block all Office applications from creating child processes. The reason behind this advice is the ongoing phishing campaign by a Russia-aligned cybercriminal and espionage group known as RomCom (also known as Tropical Scorpius or UNC2596).

RomCom, responsible for several high-profile phishing attacks against defence ministries, governments in Europe and North America, the telecommunications sector, and the financial industry, has been exploiting a zero-day vulnerability, CVE-2023-36884, in Microsoft Word documents.

The group, which has been linked to ransomware and extortion activity, as well as targeted credential theft for intelligence operations, is known for using trojanized versions of popular software, including Adobe, Advanced IP Scanner, SolarWinds Network Performance Monitor, SolarWinds Orion, KeePass, and Signal.

The latest campaign, which targets the defence industry, government entities, and the telecom and financial sectors in Europe and North America, involves specially crafted Microsoft Word documents. These documents, disguised as invitations, were sent from an IP address located in Hungary. The previous campaign, which targeted government and defence organisations in North America and Europe, used lures related to the Ukrainian World Congress.

One of the most notable targets of this latest campaign was the NATO Summit in Lithuania; the emails posed as invitations to the event. Last month, RomCom conducted a similar phishing campaign with a fake OneDrive loader, delivering a backdoor similar to RomCom.

It is important to note that RomCom also uses Industrial Spy ransomware during financially motivated attacks. This ransomware was first discovered in the wild in May 2022. The group has also been known to use a fake OneDrive loader to deliver a backdoor similar to RomCom.

Organisations are urged to remain vigilant and strengthen their cybersecurity measures to protect against these types of attacks. By blocking Office applications from creating child processes, organisations can potentially prevent the execution of malicious code that could lead to a compromise.
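The mitigation the article recommends corresponds to a Microsoft Defender Attack Surface Reduction (ASR) rule that an administrator can turn on from PowerShell. The script below is an added example, not code from the article or from Microsoft; it assumes an elevated session on a Windows host running Microsoft Defender Antivirus, and the rule GUID is Microsoft's published identifier for "Block all Office applications from creating child processes" (the article names the rule but not its id). It enables the rule in audit mode first so the blocking impact can be measured, reports the rule's current state, and pulls the Defender events that record audited or blocked child-process launches.

```powershell
# Added example (not from the article): enable, verify and monitor the
# Defender ASR rule "Block all Office applications from creating child
# processes". Run in an elevated PowerShell session on Windows with
# Microsoft Defender Antivirus active.

# Assumption: this GUID is Microsoft's documented id for the rule above;
# the article refers to the rule by name only.
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# ASR action codes as returned by Get-MpPreference.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Set-OfficeChildProcessBlock {
    param(
        # 'AuditMode' only logs would-be blocks (event 1122), which lets you
        # find legitimate Office add-ins or macros that spawn processes
        # before switching to 'Enabled' (event 1121 on each block).
        [ValidateSet('Enabled', 'AuditMode')]
        [string]$Mode = 'AuditMode'
    )
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions $Mode
}

function Get-OfficeChildProcessBlockState {
    # Rule ids and actions are parallel arrays; match the id case-insensitively
    # because the returned casing is not guaranteed to equal the literal above.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $OfficeChildProcRule) {
            $code = [int]$actions[$i]
            return [pscustomobject]@{
                RuleId = $OfficeChildProcRule
                Action = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown($code)" }
            }
        }
    }
    return [pscustomobject]@{ RuleId = $OfficeChildProcRule; Action = 'NotConfigured' }
}

function Get-OfficeChildProcessAsrEvents {
    param([int]$Hours = 24)
    # 1121 = ASR rule blocked an action, 1122 = ASR rule would have blocked
    # (audit mode). Each event names the rule id, the parent (Office) process
    # and the child it tried to launch, which is the signal to hunt on.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -imatch $OfficeChildProcRule } |
        Select-Object TimeCreated, Id, Message
}

# Usage: audit first, confirm the state, then review events before enforcing.
Set-OfficeChildProcessBlock -Mode AuditMode
Get-OfficeChildProcessBlockState
Get-OfficeChildProcessAsrEvents -Hours 24 | Format-List
# When the audit log shows no legitimate breakage:
# Set-OfficeChildProcessBlock -Mode Enabled
```

In a managed fleet the same rule is normally deployed through Intune or Group Policy rather than per host; the script is useful for verifying that the policy actually applied and for pulling the 1121/1122 events into a SIEM, since a Word process attempting to spawn a child is exactly the behaviour this campaign relies on.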

As the cyber threat landscape continues to evolve, it is crucial for organisations to stay informed and proactive in their cybersecurity efforts. By understanding the tactics, techniques, and procedures of threat actors like RomCom, organisations can better defend against these types of attacks and protect their sensitive data.
