New RomCom Backdoor Targets Female Political Leaders

Written by

Japanese cybersecurity provider Trend Micro has uncovered a new malicious campaign targeting female political leaders and attendees of the Women Political Leaders (WPL) Summit held in Brussels in June 2023.

The treat actors, Void Rabisu, started deploying a new version of its RomCom backdoor – which Trend Micro tracks as RomCom 4.0 and Microsoft as Peapod – in early August 2023, Trend Micro reported in a malware analysis published on October 13.

The backdoor payload was hidden in a malicious copy of the official website of the WPL Summit, which aims to improve gender equality in politics.

“While the ‘Videos & photos’ link of the legitimate domain redirects visitors to a Google Drive folder containing photographs from the event, the wplsummit[.]com fake website directed visitors to a OneDrive folder containing two compressed files and an executable called Unpublished Pictures 1-20230802T122531-002-sfx.exe. The latter file appears to be a piece of malware,” reads the Trend Micro report.

Pictures dropped by the malware downloader from the event were gathered by the threat actor from various social media postings. Source: Trend Micro
Pictures dropped by the malware downloader from the event were gathered by the threat actor from various social media postings. Source: Trend Micro

This tactic is similar to a previous Void Rabisu campaign in June, where the group used the Ukrainian World Congress and the July 2023 NATO summit as lures to deploy a zero-day exploit based on the CVE-2023-36884 vulnerability, a remote code execution flaw in Office and Windows HTML. This campaign was reported by Microsoft in July.

Additionally, Trend Micro noted that Void Rabisu is using a new technique in its latest campaigns that has not previously been reported on.

The technique involves a TLS-enforcing technique by the RomCon command-and-control (C2) servers that can render the automated discovery of RomCom infrastructure more difficult.

“We observed Void Rabisu using this technique in a May 2023 RomCom campaign that spread a malicious copy of the legitimate PaperCut software, in which the C2 server ignored requests that were not conformant,” reads the Trend Micro analysis.

Who Is Void Rabisu?

Void Rabisu, also known as Storm-0978, Tropical Scorpius, and UNC2596, is a hybrid threat actor conducting financially motivated and espionage attacks.

The group was first identified in early 2022 but is believed to have been active for longer than that.

It was initially considered a financially motivated threat actor because of its associated Cuba ransomware.

However, in August 2022, Cuba ransomware was involved in an attack targeting the parliament of Montenegro. This led security researchers to assume the group was pursuing a geopolitical agenda.

This hypothesis was later confirmed as Void Rabisu started targeting the Ukrainian government and military, their energy and water utility sectors as well as EU politicians and government spokespersons.

"Void Rabisu is one of the clearest examples where we see a mix of the typical tactics, techniques, and procedures (TTPs) used by cybercriminal threat actors and TTPs used by nation-state-sponsored threat actors motivated primarily by espionage goals," Trend Micro said.

Read more: Void Rabisu's RomCom Backdoor Reveals Shifting Threat Actor Goals

What’s hot on Infosecurity Magazine?