European Union navy personnel and political leaders engaged on gender equality initiatives have emerged because the goal of a brand new marketing campaign that delivers an up to date model of RomCom RAT known as PEAPOD.
Cybersecurity agency Pattern Micro attributed the assaults to a risk actor it tracks underneath the title Void Rabisu, which is also called Storm-0978, Tropical Scorpius, and UNC2596, and can also be believed to be related to Cuba ransomware.
The adversarial collective is one thing of an uncommon group in that it conducts each monetary motivated and espionage assaults, blurring the road between their modes of operation. It is also solely linked to using RomCom RAT.
Assaults involving using the backdoor have singled out Ukraine and international locations that help Ukraine in its warfare towards Russia over the previous 12 months.
Earlier this July, Microsoft implicated Void Rabisu to the exploitation of CVE-2023-36884, a distant code execution flaw in Workplace and Home windows HTML, by utilizing specially-crafted Microsoft Workplace doc lures associated to the Ukrainian World Congress.
RomCom RAT is able to interacting with a command-and-control (C&C) server to obtain instructions and execute them on the sufferer’s machine, whereas additionally packing in protection evasion strategies, marking a gradual evolution in its sophistication.
The malware is usually distributed by way of extremely focused spear-phishing emails and bogus advertisements on engines like google like Google and Bing to trick customers into visiting lure websites internet hosting trojanized variations of official purposes.
“Void Rabisu is among the clearest examples the place we see a mixture of the everyday ways, strategies, and procedures (TTPs) utilized by cybercriminal risk actors and TTPs utilized by nation-state-sponsored risk actors motivated primarily by espionage targets,” Pattern Micro stated.
The most recent set of assaults detected by the corporate in August 2023 additionally ship RomCom RAT, solely it is an up to date and slimmed-down iteration of the malware that is distributed by way of a web site known as wplsummit[.]com, which is a reproduction of the official wplsummit[.]org area.
Current on the web site is a hyperlink to a Microsoft OneDrive folder that hosts an executable named “Unpublished Footage 1-20230802T122531-002-sfx.exe,” a 21.6 MB file that goals to imitate a folder containing images from the Girls Political Leaders (WPL) Summit that befell in June 2023.
The binary is a downloader that drops 56 photos onto the goal system as a decoy, whereas retrieving a DLL file from a distant server. These images are stated to have been sourced by the malicious actor from particular person posts on varied social media platforms equivalent to LinkedIn, X (previously referred to as Twitter), and Instagram.
The DLL file, for its half, establishes contact with one other area to fetch the third-stage PEAPOD artifact, which helps 10 instructions in complete, down from 42 instructions supported by its predecessor.
The revised model is supplied to execute arbitrary instructions, obtain and add recordsdata, get system data, and even uninstall itself from the compromised host. By stripping down the malware to probably the most important options, the concept is to restrict its digital footprint and complicate detection efforts.
“Whereas we’ve no proof that Void Rabisu is nation-state-sponsored, it is doable that it is among the financially motivated risk actors from the felony underground that obtained pulled into cyberespionage actions because of the extraordinary geopolitical circumstances attributable to the warfare in Ukraine,” Pattern Micro stated.
