The European Union’s military personnel and political leaders involved in gender equality initiatives have become the focal point of a fresh cyber campaign, wherein an updated variant of the RomCom RAT, PEAPOD, is being deployed.
Trend Micro has attributed these attacks to a threat group known as Void Rabisu, also called Storm-0978, Tropical Scorpius, and UNC2596.
There’s a suspected connection to the Cuba ransomware. Notably, this collective is unconventional in engaging in financially motivated and espionage-driven attacks, blurring the lines between their modus operandi.
Furthermore, their activities are exclusively associated with the RomCom RAT.
Details about the Campaign
These attacks, which exploit the RomCom RAT, have primarily targeted Ukraine and nations supporting Ukraine in its conflict with Russia over the past year.
In a recent incident, Microsoft linked Void Rabisu to the exploitation of CVE-2023-36884, a remote code execution vulnerability in Office and Windows HTML.
This was achieved through specially crafted Microsoft Office documents tied to the Ukrainian World Congress.
What Damage Could Be Done?
RomCom RAT can communicate with a command-and-control (C&C) server to receive and execute commands on the compromised system. It also incorporates techniques for evading detection, marking a steady progression in sophistication.
The malware is typically disseminated through highly targeted spear-phishing emails and deceptive advertisements on search engines like Google and Bing.
These tricks lure users into visiting compromised sites hosting tampered versions of legitimate applications.
What is Void Rabisu?
Void Rabisu is a prime example of a blend of the usual tactics of cybercriminals and those of nation-state-sponsored actors motivated primarily by espionage.
The most recent attacks detected in August 2023 delivered an updated and streamlined RomCom RAT variant. It was distributed through a website, wplsummit[.]com, which mimicked the legitimate wplsummit[.]org domain.
This website had a link to a Microsoft OneDrive folder housing an executable file named “Unpublished Pictures 1-20230802T122531-002-sfx.exe,” weighing 21.6 MB.
It is masqueraded as a folder containing photos from the Women Political Leaders (WPL) Summit held in June 2023. The binary downloaded 56 decoy pictures onto the target system while retrieving a DLL file from a remote server.
The malicious actor allegedly gathered these pictures from individual posts on various social media platforms, including LinkedIn, X (formerly Twitter), and Instagram.
The DLL file, in turn, established contact with another domain to fetch the third-stage PEAPOD artifact. This artifact supports 10 commands, a reduction from the 42 commands supported by its predecessor.
The revised version can perform arbitrary commands, transfer files, gather system information, and even self-uninstall from the compromised host. Streamlining the malware to its core features minimizes its digital footprint and complicates detection efforts.
Though there is no concrete evidence suggesting that Void Rabisu is sponsored by a nation-state, it’s plausible that it started as a financially motivated cyber threat actor from the criminal underworld.
However, it might have transitioned into cyber espionage activities due to the unique geopolitical circumstances arising from the conflict in Ukraine.
Say NO to All Cyber Crimes!
The deliberate targeting of women political leaders is not only a breach of privacy but a direct assault on democratic values and the principles of gender equality.
We must strongly condemn such attacks and the threat actors behind them, as they pose a severe threat to global stability and security.
It is crucial that governments, organizations, and individuals join forces to enhance cybersecurity measures, protect the privacy and dignity of individuals in the political sphere, and uphold the principles of inclusivity and equality.
Marrium Akhtar
October 17, 2023
7 months ago
