The recent cybercriminal operations from the Void Rabisu group have leveraged the RomCom backdoor. This discovery indicates that the group has transitioned from ransomware operations to other campaigns. Researchers claimed the group focused on conducting geopolitical espionage rather than financially motivated attacks.
Based on reports, the RomCom campaigns peaked last summer. The operations based on this backdoor have targeted numerous organisations with connections to the Ukrainian water and energy utility sector.
Moreover, the threat actors utilised social engineering attacks and lures written in the Ukrainian language to target the Ukrainian military and government. The campaign has compromised multiple entities outside of Ukrainian territory, such as local government organisations that aid Ukrainian refugees.
Some of the most notable attacks that used RomCom are the campaign against a European defence company, a parliament member, and several IT service providers from the United States and Europe. Last year, a RomCom backdoor operation also set up a fake version of the Ukrainian army’s DELTA site to lure numerous targets.
The RomCom backdoor's delivery vector usually masquerades as a legitimate entity.
According to investigations, the RomCom backdoor commonly propagates through lure websites that appear authentic and focus on specific targets.
These sites usually offer trojanised versions of common apps like PDF readers, password managers, and remote desktop applications. Furthermore, the threat operators utilised spear phishing and Google Ads advertisements that redirect targets to a site hosting the RomCom installer.
As of now, the RomCom operators utilise VMProtect to deter sandbox analysis. Some instances have also used binary padding on the payload files to inflate them and evade size-limited scanning. Lastly, the backdoor's command-and-control servers could download a stealer that harvests saved credentials and browsing history from a compromised web browser.
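The binary padding mentioned above is one of the few artefacts in this report that a defender can check for mechanically. The following is an added triage example, not code from the researchers or from any RomCom sample: it parses just enough of a PE file to find where the last section's raw data ends, treats everything after that as overlay, and flags a file whose overlay is large and has near-zero entropy (a sign of filler bytes rather than a legitimate installer payload such as a compressed archive). The PE samples are constructed inline with a hypothetical `build_minimal_pe` helper; they carry valid headers but are not runnable executables, and the thresholds (`min_overlay`, `max_entropy`, 50 % overlay ratio) are assumptions to tune per environment.

```python
import math
import struct
from collections import Counter

SECTION_HEADER_SIZE = 40          # fixed size of an IMAGE_SECTION_HEADER
COFF_HEADER_SIZE = 24             # "PE\0\0" signature (4) + IMAGE_FILE_HEADER (20)


def pe_section_end(data):
    """Return the file offset just past the last section's raw data.

    Anything after this offset is overlay: data the loader never maps.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    sec_table = pe_off + COFF_HEADER_SIZE + opt_size
    end = sec_table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        hdr = sec_table + i * SECTION_HEADER_SIZE
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def shannon_entropy(blob):
    """Bits of entropy per byte; 0.0 for uniform filler, ~8.0 for compressed data."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum((c / n) * math.log2(c / n) for c in Counter(blob).values())


def assess_padding(data, min_overlay=1024, max_entropy=1.0):
    """Heuristic: a big, low-entropy overlay that dominates the file looks like padding."""
    end = pe_section_end(data)
    overlay = data[end:]
    entropy = shannon_entropy(overlay)
    ratio = len(overlay) / len(data)
    suspicious = (len(overlay) >= min_overlay
                  and entropy <= max_entropy
                  and ratio >= 0.5)
    return {
        "section_end": end,
        "overlay_size": len(overlay),
        "overlay_entropy": round(entropy, 3),
        "overlay_ratio": round(ratio, 3),
        "suspicious": suspicious,
    }


def build_minimal_pe(section_data, overlay):
    """Constructed test fixture (hypothetical helper): headers plus one section, then overlay."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew -> right after DOS header
    opt_size = 0xE0                                            # PE32 optional header size
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    optional = b"\0" * opt_size
    raw_ptr = 64 + COFF_HEADER_SIZE + opt_size + SECTION_HEADER_SIZE
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + coff + optional + section + section_data + overlay


# Constructed samples: a padded binary, a clean one, and one with a compressed-looking overlay.
SAMPLE_PADDED = build_minimal_pe(b"\xC3" * 512, b"\0" * (256 * 1024))
SAMPLE_CLEAN = build_minimal_pe(b"\xC3" * 512, b"")
SAMPLE_HIGH_ENTROPY = build_minimal_pe(b"\xC3" * 512, bytes(range(256)) * 4)

if __name__ == "__main__":
    for name, blob in (("padded", SAMPLE_PADDED), ("clean", SAMPLE_CLEAN),
                       ("high-entropy overlay", SAMPLE_HIGH_ENTROPY)):
        print(name, assess_padding(blob))
```

The entropy check matters: legitimate installers (NSIS, Inno Setup and the like) also append an overlay, but it is compressed and scores close to 8 bits per byte, so only the uniform, low-entropy tail is flagged. Padding inserted inside a section rather than appended as overlay will not trip this heuristic, so treat a clean result as one signal among several, alongside verifying the installer's hash or signature against the vendor's published values.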
The Void Rabisu group uses social engineering tactics and spear-phishing attacks to distribute the RomCom backdoor. These strategies exploit human error, so no security software can guarantee a company complete protection.
Public utility organisations and government entities should invest more in training employees to spot such activity and in spreading awareness to mitigate these tactics.