October 13, 2023 at 11:24AM
A new cyber attack campaign called PEAPOD has targeted EU military personnel and political leaders working on gender equality. Cybersecurity firm Trend Micro has attributed the attacks to a threat actor known as Void Rabisu, which is associated with Cuba ransomware. The group conducts both financially motivated and espionage attacks, primarily using the RomCom RAT, and has singled out Ukraine and its supporters. The malware is distributed through spear-phishing emails and fake ads on search engines; the latest attacks deliver an updated, slimmed-down version of the malware through a replica website, with the reduced footprint intended to evade detection. While it is unclear whether Void Rabisu is nation-state-sponsored, Trend Micro believes it could be one of the financially motivated threat actors drawn into cyberespionage by the situation in Ukraine.
Key Takeaways:
– The European Union military personnel and political leaders working on gender equality initiatives have been targeted by a new cyber attack campaign using an updated version of RomCom RAT called PEAPOD.
– The attacks have been attributed to a threat actor known as Void Rabisu, also known as Storm-0978, Tropical Scorpius, and UNC2596. Void Rabisu is believed to be associated with Cuba ransomware and conducts both financially motivated and espionage attacks.
– RomCom RAT is distributed through highly targeted spear-phishing emails and bogus ads on search engines. It can interact with a command-and-control server, execute commands, and employs defense evasion techniques.
– Void Rabisu has been implicated in the exploitation of CVE-2023-36884, a remote code execution flaw in Office and Windows HTML, by using specially-crafted Microsoft Office document lures related to the Ukrainian World Congress.
– The latest attacks in August 2023 deliver an updated and slimmed-down version of RomCom RAT, distributed through a replica website called wplsummit[.]com. The malware disguises itself as a folder containing photos from the Women Political Leaders (WPL) Summit.
– The malware drops decoy photos on the target system while retrieving a DLL file from a remote server. The DLL file establishes contact with another domain to fetch the third-stage PEAPOD artifact, equipped with 10 commands.
– Void Rabisu is a rare example of a threat actor that combines the tactics, techniques, and procedures (TTPs) used by both cybercriminals and nation-state-sponsored threat actors.
– While there is no evidence that Void Rabisu is nation-state-sponsored, it is possible that the financial motivation of the group led them to engage in cyberespionage activities due to the geopolitical circumstances caused by the war in Ukraine.
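The infection chain described in the takeaways (an executable posing as a photo folder drops decoy images, pulls a DLL from one host, and that DLL contacts a second host for the next stage) is the kind of multi-stage behaviour that can be caught by correlating endpoint telemetry per process rather than by matching any single indicator. The following is an added example, not code from Trend Micro or from the original report: it runs a simple correlation over constructed Sysmon-style events. The event format, the file names, the `stage2.dll` path and the `second-stage.example` hostname are assumptions; only `wplsummit.com` comes from the page.

```python
"""Correlate constructed endpoint events for a folder-masquerade dropper chain.

Added example (not the report's own tooling). Three behaviours from the
chain described above are scored per process:
  1. an .exe named X.exe writes image files into a directory X\\ (decoy photos
     that make the executable look like a folder of pictures),
  2. a DLL is loaded from a user-writable location,
  3. the process resolves two or more distinct domains (loader host plus
     next-stage host).
Only a process showing all three is raised as an alert.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".heic"}
EXEC_EXTS = {".exe", ".scr", ".com"}

# Constructed sample telemetry (pid, event kind, detail). The .exe name, the
# decoy file names, stage2.dll and second-stage.example are all made up;
# wplsummit.com is the replica site named in the report.
SAMPLE_EVENTS = [
    ("4412", "process_create", r"C:\Users\u\Downloads\WPL Summit Photos.exe"),
    ("4412", "file_create", r"C:\Users\u\Downloads\WPL Summit Photos\IMG_0421.jpg"),
    ("4412", "file_create", r"C:\Users\u\Downloads\WPL Summit Photos\IMG_0422.jpg"),
    ("4412", "dns_query", "wplsummit.com"),
    ("4412", "image_load", r"C:\Users\u\AppData\Local\Temp\stage2.dll"),
    ("4412", "dns_query", "second-stage.example"),
    # Benign process for contrast: a real editor writing a text file.
    ("5120", "process_create", r"C:\Windows\System32\notepad.exe"),
    ("5120", "file_create", r"C:\Users\u\Documents\notes.txt"),
]


def is_user_writable(path: str) -> bool:
    """Crude test for locations a standard user can write to."""
    p = path.lower()
    return any(seg in p for seg in ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\programdata\\"))


def correlate(events):
    """Group raw events by pid into one record per process."""
    by_pid = defaultdict(lambda: {"image": None, "files": [], "dlls": [], "domains": set()})
    for pid, kind, detail in events:
        rec = by_pid[pid]
        if kind == "process_create":
            rec["image"] = detail
        elif kind == "file_create":
            rec["files"].append(detail)
        elif kind == "image_load":
            rec["dlls"].append(detail)
        elif kind == "dns_query":
            rec["domains"].add(detail.lower())
    return by_pid


def folder_masquerade(image, files, min_decoys=2) -> bool:
    """True when X.exe drops at least min_decoys image files into a folder named X."""
    if image is None:
        return False
    exe = PureWindowsPath(image)
    if exe.suffix.lower() not in EXEC_EXTS:
        return False
    stem = exe.stem.lower()
    decoys = [
        f for f in files
        if PureWindowsPath(f).suffix.lower() in IMAGE_EXTS
        and PureWindowsPath(f).parent.name.lower() == stem
    ]
    return len(decoys) >= min_decoys


def assess(events):
    """Return {pid: [matched behaviour names]} for every process seen."""
    findings = {}
    for pid, rec in correlate(events).items():
        hits = []
        if folder_masquerade(rec["image"], rec["files"]):
            hits.append("folder_masquerade")
        if any(d.lower().endswith(".dll") and is_user_writable(d) for d in rec["dlls"]):
            hits.append("dll_from_user_writable_path")
        if len(rec["domains"]) >= 2:
            hits.append("multiple_c2_domains")
        findings[pid] = hits
    return findings


def alerts(events):
    """PIDs that exhibit the full three-stage chain."""
    return sorted(pid for pid, hits in assess(events).items() if len(hits) == 3)


if __name__ == "__main__":
    for pid, hits in assess(SAMPLE_EVENTS).items():
        print(pid, hits)
    print("alert:", alerts(SAMPLE_EVENTS))
```

On a real host the same four event kinds map to Sysmon event IDs 1 (process create), 11 (file create), 7 (image load) and 22 (DNS query). The folder-masquerade check is deliberately narrow (same stem, several image files) so that an installer that unpacks pictures into a differently named directory does not fire; the two-domain condition is what separates a plain downloader from a staged loader, and it is the weakest of the three on its own, which is why the alert requires all of them.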