A brand new, light-weight variant of the RomCom backdoor was deployed towards contributors of the Ladies Political Leaders (WPL) Summit in Brussels, a summit specializing in gender equality and girls in politics.
The marketing campaign used a pretend web site mimicking the official WPL portal to bait folks searching for to attend or just within the summit.
A Pattern Micro report analyzing the brand new variant warns that its operators, tracked by the agency as ‘Void Rabisu,’ have been utilizing a stealthier backdoor with a brand new TLS-enforcement method within the C2 (command and management) communications to make discovery more durable.
Additionally, the newest assault cements the group’s shift from opportunistic ransomware assaults beforehand attributed to a Cuba ransomware affiliate to high-level cyberespionage marketing campaign involving the exploitation of zero-day vulnerabilities in Microsoft merchandise.
Focusing on ladies political leaders
In August 2023, Void Rabisu arrange a malicious web site on the deal with ‘wplsummit[.]com’, designed to mimic the actual Ladies Political Leaders (WPL) web site hosted on wplsummit.org.
Supply: Pattern Micro
The pretend website linked to a OneDrive folder by way of a button named ‘Movies & images,’ which contained photos from the 2 days of the occasion, taken from the real website, and a malware downloader named ‘Unpublished Footage.’
The malicious executable is signed by an Elbor LLC certificates and is a self-extracting archive containing 56 images to behave as decoys, whereas a second encrypted file is downloaded from a distant host.
Supply: Pattern Micro
The second payload is a DLL that’s decrypted and loaded into reminiscence to evade detection and continues to fetch further parts required for establishing communication with the attacker’s server.
Supply: Pattern Micro
RomCom 4.0
Pattern Micro identifies the newest, stripped-down variant of RomCom because the fourth main launch of the backdoor, explaining that it is the similar malware Volexity researchers just lately named ‘Peapod.’
In comparison with RomCom 3.0, the earlier model seen in Void Rabisu operations, the brand new backdoor variant has undergone important adjustments, making it lighter and stealthier.
It now helps solely the next ten instructions, a stark discount from the earlier 42.
- No motion – Dealing with perform returns zero; malware waits for the subsequent command.
- Run command – Executes a command and sends again its output.
- Add file – Uploads a file to the compromised machine.
- Obtain file – Retrieves a file from the contaminated machine.
- Run command – Executes a given command.
- Replace interval – Modifies backdoor test frequency (default 60 seconds) and updates the system registry.
- Get system data – Retrieves RAM, processor, native time, and username.
- Replace community part – Updates information for the community part within the Home windows registry.
- Uninstall – Purges related registry keys and deletes related recordsdata.
- Get service identify from the Home windows registry
Additionally, as an alternative of using modified MSIs to drop its parts onto units straight, the brand new variant leverages an EXE file to fetch XOR-encrypted DLLs, loading all its parts in reminiscence.
RomCom 4.0 has additionally integrated new options associated to Transport Layer Safety (TLS), a protocol designed to supply safe communication with the C2 server.
The malware has been coded to drive WinHTTP capabilities to particularly use the TLS model 1.2 moderately than permitting the working system to decide on the default TLS model.
Supply: Pattern Micro
This enforcement system ends in an error on Home windows 7, which Pattern Micro considers protected towards the most recent RomCom variant.
The aim of this mechanism is prone to make C2 communication extra immune to snooping, complicate automated discovery, and probably enable attackers to filter out unsuitable victims.
Usually, Void Rabisu’s techniques and the deployment of the RomCom malware stay cloudy.
Nonetheless, it’s clear that the backdoor’s growth continues to be ongoing, and its operators are more and more centered on top-level cyber espionage.
Pattern Micro concludes that it is vitally seemingly that Void Rabisu will goal all massive conferences associated to particular curiosity teams, so warning is suggested when visiting occasion websites.
