Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime
,
Social Engineering
Researchers Attribute Campaign to Threat Actor Tracked as Void Rabisu
A financially motivated hacking group turned cyberespionage operation targeted attendees of high-profile European conferences, including the Women Political Leaders Summit in Brussels this past summer.
See Also: Challenges and Solutions in MSSP-Driven Governance, Risk, and Compliance for Growing Organizations
Security researchers from TrendMicro say threat actor Void Rabisu – also known as Tropical Scorpius and UNC2596 – has been honing a backdoor in attacks that also include attendees of the Munich Security Conference and the Masters of Digital conference. The backdoor, known as RomCom, was first spotted by Palo Alto Networks’ Unit 42 in May 2022. Threat actors also deployed the RomCom backdoor in typosquatting attacks targeting a July NATO summit (see: Ukrainian Agencies, NATO Targeted With RATs Ahead of Summit).
Void Rabisu deploys Cuba ransomware, perhaps exclusively. Threat intel firms say the threat actor shifted in 2022 into operations more typical of nation-state actors than politically agnostic ransomware hackers. Ukrainian cyber defenders have at least twice spotted hackers distributing RomCom through spear-phishing attacks.
No evidence exists that Void Rabisu is state-sponsored. “It’s possible that it is one of the financially motivated threat actors from the criminal underground that got pulled into cyberespionage activities due to the extraordinary geopolitical circumstances caused by the war in Ukraine,” Trend Micro wrote in a Friday blog post.
Kremlin observers have long seen links between the cybercriminal underground and the Kremlin – connections that deepened in the aftermath of Russia’s initiation of a war of conquest against Ukraine in February 2022.
Void Rabisu baited attendees of the Women Political Leaders Summit by setting up a copy of the legitimate website, only with a .com
top-level domain rather than the legitimate .org
domain. Clicking on the “Videos & photos” link took visitors to an OneDrive folder hosting an executable file with the string “Unpublished Pictures” in its name. When executed, it pretends to be a self-extracting archive but in fact extracts dozens of photos posted from the conference onto social media.
The malware downloads a payload that Trend Micro said is a new version of RomCom, also known as Peapod. Void Rabisu stripped its backdoor “down to its core, with additional components being downloaded as needed,” the researchers said.
While in the background, the malware communicates with a command-and-control server through HTTP, downloading encrypted files that operate in memory, avoiding the disk entirely. The RomCom variant also forces TLS 1.2, and Trend Micro said it’s not entirely sure why. “It is possible that [Void Rabisu] wanted to implement some form of checking on the C&C server side to make C&C fingerprinting harder,” the researchers said.