Void Rabisu's RomCom Backdoor Reveals Shifting Threat Actor Goals

The hacking group known as Void Rabisu has deployed a new backdoor called RomCom. According to security researchers at Trend Micro, the sophisticated tool sheds light on the group’s evolving objectives and marks a significant shift in tactics.

“Void Rabisu was believed to be financially motivated, even though its associated Cuba ransomware allegedly attacked the parliament of Montenegro in August 2022, which could be considered part of a geopolitical agenda,” reads an advisory published on Tuesday.

“The motives of Void Rabisu seem to have changed since at least October 2022 [...]. In a campaign in December 2022, a fake version of the Ukrainian army’s Delta situational awareness website was used to lure targets into installing the RomCom backdoor.”

Based on these attacks, the security experts theorized that Void Rabisu’s adoption of the RomCom backdoor might indicate their desire to diversify their activities.

While their previous operations were centered on data exfiltration and intelligence collection, the use of this new tool suggests an interest in sabotage, disruption or even financial gain.

“Even though we cannot confirm coordination between the different attacks, Ukraine and countries who support Ukraine are being targeted by various actors, like APT actors, hacktivists, cyber mercenaries and cybercriminals like Void Rabisu,” reads the advisory.

The RomCom backdoor can reportedly bypass traditional defense mechanisms. It infiltrates systems under the guise of innocent romantic comedy files, then enables unauthorized access, granting the hackers a gateway to conduct various activities.

“The line is blurring between cybercrime driven by financial gain and APT attacks motivated by geopolitics, espionage, disruption, and warfare. Since the rise of Ransomware-as-a-Service (RaaS), cybercriminals are now using advanced tactics and targeted attacks that were previously thought to be the domain of APT actors,” wrote Trend Micro.

“Inversely, tactics and techniques that were previously used by financially motivated actors are increasingly being used in attacks with geopolitical goals.”
