
Void Rabisu Group Uses RomCom for Geopolitical Attacks

Recent attacks by Void Rabisu indicate that it is now using a backdoor called RomCom, suggesting a shift in motivation from its previous ransomware operations. Since October 2022, the group’s goals appear to have moved from monetary gain to geopolitical espionage.

Void Rabisu’s geopolitical attacks 

According to Trend Micro, RomCom campaigns have been active since the summer of 2022. These campaigns have targeted organizations related to Ukraine’s energy and water utility sectors.
  • The attackers used social engineering tactics and content in the Ukrainian language to target the Ukrainian government and military. 
  • The campaign, furthermore, targeted several entities outside of Ukraine, including a local government providing help to Ukrainian refugees, a European defense firm, a parliament member, and different IT service providers in Europe and the U.S.
  • In December 2022, a fake version of the Ukrainian army’s DELTA website was used as a lure to deliver the RomCom backdoor.
  • Additionally, the backdoor was used in campaigns aimed at attendees of the Masters of Digital conference.

Attack tactics

  • The RomCom backdoor is typically distributed through lure sites that appear authentic and are used against a narrow set of targets.
  • These sites offer trojanized versions of genuine applications, such as AstraChat and Signal, PDF readers, password managers, and remote desktop apps.
  • Furthermore, the attackers used spear phishing and a Google Ads advertisement that redirects users to a RomCom lure site.

More about RomCom

  • RomCom routinely uses VMProtect to hinder sandbox analysis and applies binary padding to the payload files to obfuscate them and inflate their size.
  • Moreover, RomCom’s C2 servers are used to download a stealer, identified as StealDeal (aka SneakyStealer). It steals saved credentials and browsing history from web browsers.
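Binary padding, as described above, inflates a payload with filler bytes so that it exceeds size limits of sandboxes and scanners. A triage heuristic a defender can run is to compare the end of the last PE section with the actual file size and check whether the trailing overlay is large and low-entropy. The script below is an added example written for this page, not code from Trend Micro, Cyware or any RomCom sample: the PE header offsets it reads are the standard ones, while the 1 MB overlay threshold, the entropy cutoff and the `build_minimal_pe` helper (which constructs a non-executable stand-in PE for testing) are assumptions made for the demonstration.

```python
import math
import struct
from collections import Counter


def build_minimal_pe(section_payload: bytes, padding: bytes = b"") -> bytes:
    """Construct a tiny, non-executable PE32 image (one section) for demonstration.
    This is constructed test data, not a real sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0  # PE32 optional header size
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    opt = b"\x0b\x01" + b"\x00" * (size_opt - 2)  # magic 0x10B, rest zeroed
    headers_len = e_lfanew + 4 + 20 + size_opt + 40
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF  # align section data to 512 bytes
    section = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI",
        len(section_payload),  # VirtualSize
        0x1000,                # VirtualAddress
        len(section_payload),  # SizeOfRawData
        raw_ptr,               # PointerToRawData
        0, 0, 0, 0,            # relocations / line numbers (unused)
        0x60000020,            # code | execute | read
    )
    blob = dos + b"PE\x00\x00" + coff + opt + section
    blob += b"\x00" * (raw_ptr - len(blob))
    return blob + section_payload + padding


def section_end(pe: bytes) -> int:
    """Return the file offset at which the last section's raw data ends."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file (missing PE signature)")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt  # section table follows the optional header
    end = 0
    for i in range(num_sections):
        off = table + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", pe, off + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty or single-valued data, 8.0 for uniform random."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def padding_report(pe: bytes, min_overlay: int = 1_000_000, max_entropy: float = 1.0) -> dict:
    """Flag files whose data beyond the last section is large and low-entropy.
    Thresholds are assumptions for this example; tune them to your environment."""
    end = section_end(pe)
    overlay = pe[end:]
    entropy = shannon_entropy(overlay)
    suspicious = len(overlay) >= min_overlay and entropy <= max_entropy
    return {
        "file_size": len(pe),
        "sections_end": end,
        "overlay_bytes": len(overlay),
        "overlay_entropy": round(entropy, 3),
        "suspicious_padding": suspicious,
    }


if __name__ == "__main__":
    clean = build_minimal_pe(b"\x90" * 64)
    padded = build_minimal_pe(b"\x90" * 64, b"\x00" * 2_000_000)
    for name, sample in (("clean", clean), ("padded", padded)):
        print(name, padding_report(sample))
```

A legitimate overlay (installer data, certificates, resources) usually has high entropy and modest size, which is why the check combines both conditions; a file that is megabytes larger than its section table accounts for, with near-zero entropy in that tail, is worth pulling for manual review rather than being skipped by a size cap.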

Conclusion

To distribute the RomCom backdoor, Void Rabisu is using one of the deadliest and most effective attack tactics: social engineering combined with spear-phishing. Since this tactic exploits the human factor, no security software can provide foolproof protection against it. Therefore, government and public utility organizations in the region are urged to run regular awareness and training programs for their employees.
Publisher: Cyware