The Void Rabisu threat group has leveraged a new version of the RomCom backdoor to execute a cyberespionage operation that targets Women Political Leaders (WPL) Summit participants in Brussels from June 7 to 8.
This latest iteration of the backdoor is called RomCom 4.0, which researchers first spotted a couple of months ago. Void Rabisu, a threat group that has historically been financially motivated, is behind the campaign: it recently shifted its focus towards geopolitical espionage targeting Ukraine and EU countries.
Void Rabisu has spread the RomCom backdoor through a fake website that lured women leaders who wanted to attend WPL.
A few months ago, the RomCom backdoor operators set up the fake website wplsummit[.]com, which impersonated the official WPL portal to deceive women who wanted to attend, or showed interest in, the summit.
The fake website’s “Videos & Photos” button linked to a malicious OneDrive folder. This folder held two compressed files and a malware downloader named “Unpublished Pictures.”
While the two compressed files led visitors to legitimate event photos, the malware downloader posed as a legitimate executable signed by Elbor LLC. Once executed, the downloader extracts 56 pictures randomly gathered from individual posts on various social media platforms. While these images distract the victim, the downloader sends an HTTP GET request to fetch additional malware payloads.
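The behaviour described above (a lookalike domain, a signed executable that drops a burst of decoy images and then issues an HTTP GET) can be turned into a simple detection. The following is an added example written for this article, not code from the researchers or the threat group; the endpoint events, the C2 placeholder URL and the decoy-image threshold are constructed assumptions, while the domain and signer name come from the article.

```python
import re
from collections import defaultdict

# Constructed sample endpoint telemetry (not logs from the article): (event, process, detail).
SAMPLE_EVENTS = (
    [("dns", "chrome.exe", "wplsummit.com"),
     ("process_start", "Unpublished Pictures.exe", "Elbor LLC"),
     ("process_start", "chrome.exe", "Google LLC")]
    + [("file_write", "Unpublished Pictures.exe", f"C:\\Users\\u\\Downloads\\img{i:02d}.jpg")
       for i in range(56)]                        # the 56 decoy images the article describes
    + [("http_get", "Unpublished Pictures.exe", "http://c2.example.invalid/stage2"),  # placeholder C2
       ("file_write", "chrome.exe", "C:\\Users\\u\\Downloads\\report.pdf"),
       ("http_get", "chrome.exe", "https://www.example.com/")]
)

LOOKALIKE_DOMAINS = {"wplsummit.com"}      # article gives it defanged as wplsummit[.]com
SUSPECT_SIGNERS = {"elbor llc"}            # signer named in the article
IMAGE_EXT = re.compile(r"\.(jpe?g|png|gif)$", re.I)
DECOY_THRESHOLD = 20                       # assumed tuning value, not from the article

def detect(events):
    """Return a list of finding strings for the given (event, process, detail) tuples."""
    findings = []
    signer = {}                                        # process -> code-signing publisher
    stats = defaultdict(lambda: {"images": 0, "gets": 0})
    for kind, proc, detail in events:
        if kind == "dns" and detail.lower().rstrip(".") in LOOKALIKE_DOMAINS:
            findings.append(f"{proc}: resolved lookalike domain {detail}")
        elif kind == "process_start":
            signer[proc] = detail.lower()
        elif kind == "file_write" and IMAGE_EXT.search(detail):
            stats[proc]["images"] += 1
        elif kind == "http_get":
            stats[proc]["gets"] += 1
    # Correlate per process: suspicious signer + outbound GET, or decoy burst + outbound GET.
    for proc, s in stats.items():
        if signer.get(proc) in SUSPECT_SIGNERS and s["gets"]:
            findings.append(f"{proc}: binary signed by '{signer[proc]}' made {s['gets']} HTTP GET(s)")
        if s["images"] >= DECOY_THRESHOLD and s["gets"]:
            findings.append(f"{proc}: wrote {s['images']} image files then made HTTP GET(s) (decoy pattern)")
    return findings

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The decoy-burst rule is the one worth keeping even after the domain and signer are rotated, since it keys on behaviour rather than on indicators.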
According to investigations, the latest variant has undergone several architectural changes that make it lighter and stealthier in attacks. Whereas the previous version supported 42 commands, RomCom 4.0 supports only ten commands for carrying out malicious activities on victims’ systems. It also adds TLS 1.2 support to secure its communication with the command-and-control server.
The threat actors have continued to develop this malware by adding new modules to the core component as needed, and these latest upgrades make the backdoor harder for security solutions to detect.
Organisations should stay vigilant, keep up to date with RomCom attack trends, and make use of the publicly available IoCs.