Microsoft is warning about a phishing campaign from the threat actor known as RomCom that is targeting the defense industry and government entities in Europe and North America.
Attacks have also targeted the telecom and financial sectors.
RomCom is abusing a zero-day vulnerability, CVE-2023-36884, involving specially crafted Microsoft Word documents.
Just last month, the hackers conducted a phishing campaign with a fake OneDrive loader to deliver a backdoor that had similarities to RomCom. The emails targeted government and defense organizations in North America and Europe using lures related to the Ukrainian World Congress.
The emails pretended to be invitations to the current NATO Summit in Lithuania.
Researchers at BlackBerry reported that the group sent malicious emails themed around the NATO Summit in Lithuania; the malicious documents were sent from an IP address in Hungary.
The Russia-based cybercriminal group, which Microsoft calls Storm-0978, is known for opportunistic ransomware and extortion activity as well as targeted credential theft to support intelligence operations.
The threat actor uses trojanized versions of popular software — including products from Adobe, Advanced IP Scanner, SolarWinds Network Performance Monitor, SolarWinds Orion, KeePass and Signal — to install RomCom backdoors.
The hackers also use Industrial Spy ransomware during financially motivated attacks. This ransomware was first discovered in the wild in May 2022.
Microsoft said organizations should block all Office applications from creating child processes.
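One way to apply that recommendation on a Windows host running Microsoft Defender Antivirus is the attack surface reduction (ASR) rule "Block all Office applications from creating child processes". The script below is an added example, not part of the article or of Microsoft's guidance text; it assumes an elevated PowerShell session and uses Defender's published rule ID for that ASR rule, staging the rollout through audit mode before enforcing it.

```powershell
# Added example: roll out the ASR rule that stops Office apps from spawning
# child processes. Rule ID is Defender's published ID for that rule.
# Run from an elevated PowerShell session on a host with Defender Antivirus.
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# 1. Audit first: nothing is blocked, but every would-be block is logged,
#    so legitimate Office -> child process workflows can be reviewed.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 2. Confirm the rule is registered and show its current action
#    (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $OfficeChildProcRule) {
        "Rule {0} action = {1}" -f $OfficeChildProcRule,
                                   $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}

# 3. Review hits: Defender logs event 1122 (audited) and 1121 (blocked) in its
#    operational log. Each event carries the rule ID, the parent process
#    (for example WINWORD.EXE) and the child it attempted to start.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $OfficeChildProcRule } |
    Select-Object TimeCreated, Id, Message

# 4. Once the audit log shows no legitimate workflow would break, enforce.
Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions Enabled
```

Step 3 doubles as a detection check: a Word or Excel parent spawning an unexpected child in these events is the behaviour the mitigation is meant to cut off.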