RomCom Malware Group Targets EU Gender Equality Summit
A hacker group that continues to extend its reach from financially motivated attacks into cyber-espionage this summer targeted attendees of a gender equality conference with a pared-down version of the RomCom remote access trojan (RAT).
Void Rabisu – also known as Tropical Scorpius, Storm-0978, and UNC2596 – in August leveraged the fourth version of the RomCom backdoor in its campaign against some of the people at the Women Political Leaders (WPL) Summit in Brussels in June, according to researchers with cybersecurity firm Trend Micro.
The summit addressed a range of issues, from war and peace to the role of women in politics, Trend Micro senior threat researchers Feike Hacquebord and Fernando Merces wrote in a report, adding that it appears the campaign was aimed at people working on gender equality in politics in the European Union (EU).
“Since many current and future political leaders had attended this conference, it presented an interesting target for espionage campaigns and served as a possible avenue for threat actors to gain an initial foothold in political organizations,” Hacquebord and Merces wrote. “It is therefore not surprising that Void Rabisu set up a campaign targeting WPL Summit 2023 attendees.”
From Ransomware to Espionage
It’s also the latest evidence of the group’s continued expansion into cyber-espionage. Void Rabisu was known for financially driven ransomware attacks as well as attacks on government, military, energy, and water operations in Ukraine, EU politicians and government spokespeople, and participants at a security conference.
In June, the group was detected exploiting a remote code execution (RCE) flaw in Windows Search – tracked as CVE-2023-36884 – in campaigns that used the Ukrainian World Congress and July 2023 NATO summit as lures, the researchers wrote, adding that “the extraordinary geopolitical circumstances surrounding the war in Ukraine drives some of the financial-seeking threat actors (including Void Rabisu) toward campaigns motivated by espionage.”
Void Rabisu – which also is linked to the Cuba ransomware – uses a mix of tactics, techniques, and procedures (TTPs) used by cybercriminals and TTPs that are used by nation state-sponsored hackers. The group isn’t alone. Other threat actors also are positioned in both cybercrime and cyber-espionage. For example, cybersecurity firms Proofpoint – in 2022 – and ESET in June highlighted a the dual role being played by a group called Asylum Ambuscade.
Targeting the WPL Summit
Trend Micro focused on the Void Rabisu campaign against WPL Summit attendees, noting that it used the latest iteration of the RomCom RAT – version 4.0 – dubbed PeaPod. In early August, the group created a malicious copy of the WPL Summit’s site that looked exactly like the official one.
The legitimate site included a “Videos & photos” link that redirects users to a Google Drive folder containing photos from the event. The fake site instead linked users to a OneDrive folder that included two compressed files and an executable alleged to contain unpublished pictures from the summit, which really was a piece of malware.
“When executed, it pretends to be a self-extracting (SFX) archive and extracts 56 pictures from its resource section to a folder when the user selects the ‘Extract’ button,” the researchers wrote, adding that they include photos gathered by the hackers from such sites as LinkedIn, X (nee Twitter), and Instagram. As the target peruses the photos, the malware pulls in a DLL file from a remote server.
A Smaller, Lighter RomCom Version
PeaPod has some significant architectural differences from RomCom 3.0, according to Trend Micro. Key among them is that PeaPod is smaller. While 3.0 includes 42 commands handled by its worker component, PeaPod supports 10 commands, seven of which are handled by the network component and three by the worker component.
The commands include uploading and downloading files, getting system information such as username, processor data, and local time, and uninstalling itself.
Trend Micro’s Hacquebord and Merces wrote that Void Rabisu appears to have stopped – at least temporarily – using RomCom 3.0 in order to deliver PeaPod. The group also is continuing to develop the RomCom backdoor, even a year after moving away from ransomware in favor of cyber-spying.
“The backdoor being stripped down to its core, with additional components being downloaded as needed, provides Void Rabisu the choice of loading additional components for specific targets,” they wrote. “From the attacker’s perspective, this has the advantage of less exposure for the additional components, making it more difficult to collect for malware researchers.”
Void Rabisu also is using a technique in its more recent campaigns that it hadn’t used earlier. The TLS-enforcing technique by the RomCom command-and-control (C2) servers that makes the automated discovery of the backdoor’s infrastructure more difficult. The group used the technique in May, when is spread a malicious copy of legitimate PaperCut software. The C2 server ignored requests that didn’t conform with its rules.
The WPL Summit wasn’t the first conference targeted by Void Rabisu and likely won’t be the last. It came in the wake of attacks on two others, the Munich Security Conference and the Masters of Digital event.
“It is possible, and even expected, that other conferences and special interest groups will be targeted by Void Rabisu in the future,” the researchers wrote.
