Go to listing page

Void Rabisu Targets Women Political Leaders with New RomCom 4.0 Variant

Void Rabisu Targets Women Political Leaders with New RomCom 4.0 Variant
Researchers came across a new, lightweight variant of the RomCom backdoor that has been used in a cyberespionage campaign targeting the participants of the Women Political Leaders (WPL) Summit held in Brussels from June 7–8. The new iteration (tracked as RomCom 4.0) was first observed in early August and has been attributed to Void Rabisu, a financially motivated threat actor group that recently shifted its focus to geopolitical espionage campaigns on Ukraine and EU countries.

A glance at the recent campaign

In August, attackers created a fake website, wplsummit[.]com, mimicking the official WPL portal to trick people seeking to attend or interested in the summit. 
  • The fake site was linked to a malicious OneDrive folder through the “Videos & Photos’ button. 
  • This folder contained two compressed files and a malware downloader named “Unpublished Pictures.” 
  • While two compressed files redirected visitors to the original photos from the event, the malware downloader appeared to be an executable file signed by Elbor LLC to look legitimate.
  • When executed, the malware downloader extracted 56 pictures collected randomly by threat actors from individual posts on various social media platforms. 
  • While the victim is distracted by the pictures, the downloader sends an HTTP GET request to download further malware payloads.

About RomCom 4.0 

According to researchers, the latest variant has undergone some significant changes in its architecture, making it lighter and stealthier.
  • Unlike the previous variant that included 42 commands, RomCom 4.0 supports only 10 commands to perform a wide range of malicious activities on victims’ systems. 
  • Furthermore, it incorporates new features related to TLS 1.2 to provide secure communication with the C2 server.

Conclusion

It is to be noted that threat actors are still developing the malware, adding new modules as needed to the core component to expand their targets. The addition of the new modules can make it difficult for security experts to detect the backdoor. Organizations are advised to stay protected by staying updated on the RomCom attack trends and making use of the IoCs shared by Trend Micro.
Cyware Publisher

Publisher

Cyware