A financially motivated hacking group turned cyberespionage operation targeted attendees of high-profile European conferences, including the Women Political Leaders Summit in Brussels this past summer.
Security researchers from Trend Micro say threat actor Void Rabisu – also known as Tropical Scorpius and UNC2596 – has been honing a backdoor in attacks that also include attendees of the Munich Security Conference and the Masters of Digital conference. The backdoor, known as RomCom, was first spotted by Palo Alto Networks’ Unit 42 in May 2022. Threat actors also deployed the RomCom backdoor in typosquatting attacks targeting a July NATO summit (see: Ukrainian Agencies, NATO Targeted With RATs Ahead of Summit).
Void Rabisu deploys Cuba ransomware, perhaps exclusively. Threat intelligence firms say the threat actor shifted in 2022 into operations more typical of nation-state actors than of politically agnostic ransomware hackers. Ukrainian cyber defenders have at least twice spotted hackers distributing RomCom through spear-phishing attacks.
No evidence exists that Void Rabisu is state-sponsored. “It’s possible that it is one of the financially motivated threat actors from the criminal underground that got pulled into cyberespionage activities due to the extraordinary geopolitical circumstances caused by the war in Ukraine,” Trend Micro wrote in a Friday blog post.
Kremlin observers have long seen links between the cybercriminal underground and the Kremlin – connections that deepened in the aftermath of Russia’s initiation of a war of conquest against Ukraine in February 2022.
Void Rabisu baited attendees of the Women Political Leaders Summit by setting up a copy of the legitimate website, only with a .com top-level domain rather than the legitimate .org domain. Clicking on the “Videos & photos” link took visitors to a OneDrive folder hosting an executable file with the string “Unpublished Pictures” in its name. When executed, it pretends to be a self-extracting archive but in fact extracts dozens of photographs posted from the conference onto social media.
The malware downloads a payload that Trend Micro said is a new version of RomCom, also known as Peapod. Void Rabisu stripped its backdoor “down to its core, with additional components being downloaded as needed,” the researchers said.
Meanwhile, in the background, the malware communicates with a command-and-control server over HTTP, downloading encrypted files that run in memory and avoid the disk entirely. The RomCom variant also forces TLS 1.2, and Trend Micro said it is not entirely sure why. “It is possible that [Void Rabisu] wanted to implement some form of checking on the C&C server side to make C&C fingerprinting harder,” the researchers said.
Original Post URL: https://www.govinfosecurity.com/women-political-leaders-targeted-romcom-rat-variant-a-23323
Date: 2023-10-16 16:46:15