October 13, 2023 at 03:59AM
Void Rabisu, a threat actor previously associated with financially motivated ransomware attacks, has shifted its focus to targeted campaigns against Ukraine and countries supporting Ukraine. It has developed a new variant of its ROMCOM backdoor, which it used in campaigns targeting EU military personnel and political leaders working on gender equality initiatives. The ROMCOM backdoor has been developed continuously over time, including the adoption of more effective detection-evasion techniques. Void Rabisu uses a mix of tactics commonly associated with both cybercriminals and nation-state-sponsored threat actors.
Based on the meeting notes, here are the key takeaways:
1. Void Rabisu is a threat actor that has shifted its focus from opportunistic ransomware attacks to targeted campaigns with an emphasis on cyberespionage.
2. Void Rabisu has targeted various entities, including the Ukrainian government and military, energy and water utility sectors, EU politicians, spokespersons of a certain EU government, and participants of security conferences.
3. The ROMCOM backdoor is the main malware used by Void Rabisu, and it has undergone various developments over time to enhance detection evasion techniques.
4. Void Rabisu uses a mix of tactics, techniques, and procedures (TTPs) commonly associated with both cybercriminal threat actors and nation-state-sponsored threat actors.
5. The threat actor signs its malware with certificates purchased from a third-party service provider, which indicates their association with other cybercriminal groups.
6. Void Rabisu employs malicious advertisements on Google and Bing to generate search engine traffic to their lure sites that contain malicious software.
7. Void Rabisu targets governments and military, behaving like an advanced persistent threat (APT) actor.
8. Void Rabisu has exploited zero-day vulnerabilities, such as CVE-2023-36884, to carry out its campaigns.
9. The threat actor recently targeted attendees of the Women Political Leaders (WPL) Summit by setting up a fake website and distributing a new version of the ROMCOM backdoor called “ROMCOM 4.0” or “PEAPOD.”
10. Void Rabisu's ROMCOM C&C servers have started enforcing TLS on connections, which makes automated discovery of the group's infrastructure more difficult.
11. The PEAPOD malware shows architectural differences compared to the previous ROMCOM version, including changes in dropper types, modularity, inter-process communication, and supported commands.
12. It is suggested that Void Rabisu may be a financially motivated threat actor that was drawn into cyberespionage activities due to the geopolitical circumstances caused by the war in Ukraine.
13. Void Rabisu has targeted multiple conferences in 2023, and it is expected that they will continue targeting conferences and special interest groups in the future.
These takeaways provide an overview of Void Rabisu’s activities, tactics, and techniques, as well as its specific targeting of conference attendees and political leaders. It is important to stay vigilant and implement necessary cybersecurity measures to protect against such threats.