
New PEAPOD Cyberattack Campaign Targeting Women Political Leaders


Oct 13, 2023 | Newsroom | Endpoint Security / Cyber Attack
European Union military personnel and political leaders working on gender equality initiatives have emerged as the target of a new campaign that delivers an updated version of RomCom RAT called PEAPOD.

Cybersecurity firm Trend Micro attributed the attacks to a threat actor it tracks under the name Void Rabisu, which is also known as Storm-0978, Tropical Scorpius, and UNC2596, and is believed to be associated with Cuba ransomware.

The adversarial collective is something of an unusual group in that it conducts both financially motivated and espionage attacks, blurring the line between its modes of operation. It is also exclusively linked to the use of RomCom RAT.

Attacks involving the use of the backdoor have singled out Ukraine and countries that support Ukraine in its war against Russia over the past year.
Earlier this July, Microsoft implicated Void Rabisu in the exploitation of CVE-2023-36884, a remote code execution flaw in Office and Windows HTML, by using specially crafted Microsoft Office document lures related to the Ukrainian World Congress.

RomCom RAT is capable of interacting with a command-and-control (C&C) server to receive commands and execute them on the victim's machine, while also packing in defense evasion techniques, marking a steady evolution in its sophistication.

The malware is typically distributed via highly targeted spear-phishing emails and bogus ads on search engines like Google and Bing to trick users into visiting lure sites hosting trojanized versions of legitimate applications.
"Void Rabisu is one of the clearest examples where we see a mix of the typical tactics, techniques, and procedures (TTPs) used by cybercriminal threat actors and TTPs used by nation-state-sponsored threat actors motivated primarily by espionage goals," Trend Micro said.

The latest set of attacks detected by the company in August 2023 also deliver RomCom RAT, only it is an updated and slimmed-down iteration of the malware that is distributed via a website called wplsummit[.]com, which is a copy of the legitimate wplsummit[.]org domain.

Present on the website is a link to a Microsoft OneDrive folder that hosts an executable named "Unpublished Photos 1-20230802T122531-002-sfx.exe," a 21.6 MB file that aims to mimic a folder containing photos from the Women Political Leaders (WPL) Summit that took place in June 2023.
The binary is a downloader that drops 56 pictures onto the target system as a decoy, while retrieving a DLL file from a remote server. These pictures are said to have been sourced by the malicious actor from individual posts on various social media platforms such as LinkedIn, X (formerly known as Twitter), and Instagram.

The DLL file, for its part, establishes contact with another domain to fetch the third-stage PEAPOD artifact, which supports 10 commands in total, down from the 42 commands supported by its predecessor.

The revised version is equipped to execute arbitrary commands, download and upload files, get system information, and even uninstall itself from the compromised host. By stripping the malware down to its most essential features, the idea is to limit its digital footprint and complicate detection efforts.
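The first two stages of the chain described above leave two cheap signals in ordinary telemetry: a visit to a domain that reuses a trusted organization's name under a different TLD (wplsummit[.]com beside wplsummit[.]org), and a download of an executable whose name promises a folder of photos. The following is an added example, not code from the article or from Trend Micro; the log format, the field names and the sample lines are constructed for illustration, and the trusted-domain list assumes single-label public suffixes.

```python
import re

# Legitimate summit domain named in the article; wplsummit[.]com is the lookalike to catch.
TRUSTED_DOMAINS = {"wplsummit.org"}

# Constructed sample log lines (not from the article or from Trend Micro's report).
SAMPLE_LOGS = [
    '2023-08-10T09:12:44Z proxy user=alice host=wplsummit.org path=/agenda status=200',
    '2023-08-10T09:13:02Z proxy user=alice host=wplsummit.com path=/ status=200',
    '2023-08-10T09:14:51Z download user=alice host=onedrive.live.com '
    'file="Unpublished Photos 1-20230802T122531-002-sfx.exe" bytes=22649241',
    '2023-08-10T09:15:10Z download user=bob host=intranet.example file="slides.pdf" bytes=12000',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# An executable whose name promises a folder of pictures (the SFX lure described above).
DECOY_NAME_RE = re.compile(r'(photo|picture|image)s?\b.*\.exe$', re.IGNORECASE)


def parse_line(line):
    """Split a 'key=value' log line into a dict; quoted values keep their spaces."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["event"] = line.split()[1]  # second token is the event type (proxy/download)
    return fields


def registrable_label(host):
    """Second-level label of a host. Assumption: single-label public suffixes only (no .co.uk)."""
    return host.lower().split(".")[-2]


def is_lookalike(host):
    """True when host is not trusted but reuses a trusted domain's second-level label."""
    host = host.lower()
    if host in TRUSTED_DOMAINS or "." not in host:
        return False
    return any(registrable_label(host) == registrable_label(t) for t in TRUSTED_DOMAINS)


def analyze(lines):
    """Return one finding per suspicious line, in log order."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if is_lookalike(f.get("host", "")):
            findings.append({"reason": "lookalike-domain", "user": f["user"], "host": f["host"]})
        if f["event"] == "download" and DECOY_NAME_RE.search(f.get("file", "")):
            findings.append({"reason": "decoy-sfx-download", "user": f["user"], "file": f["file"]})
    return findings
```

Run against the constructed lines, `analyze(SAMPLE_LOGS)` returns two findings for user alice: the lookalike domain visit and the SFX download that follows it, which is the sequence a triage analyst would want correlated.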

"While we have no evidence that Void Rabisu is nation-state-sponsored, it's possible that it is one of the financially motivated threat actors from the criminal underground that got pulled into cyberespionage activities due to the extraordinary geopolitical circumstances caused by the war in Ukraine," Trend Micro said.
