October 15, 2023 at 01:53PM
A lightweight variant of the RomCom backdoor was used to target participants of the Women Political Leaders Summit in Brussels. The attackers created a fake website to lure attendees, and the new variant of RomCom employs a stealthier backdoor with a TLS-enforcement technique to make detection more difficult. This attack indicates a shift from opportunistic ransomware attacks to high-level cyberespionage, exploiting zero-day vulnerabilities in Microsoft products. Trend Micro warns that attendees of similar conferences should exercise caution when visiting event websites.
Meeting Takeaways:
– A new variant of the RomCom backdoor was used in a cyberespionage campaign targeting participants of the Women Political Leaders (WPL) Summit in Brussels.
– The attackers set up a fake website mimicking the official WPL portal to lure people interested in the summit.
– The new variant of RomCom, called RomCom 4.0 or ‘Peapod,’ is a lighter and stealthier version of the malware, supporting only ten commands compared to the previous version’s 42.
– Instead of using modified MSIs, the new variant leverages an EXE file to fetch XOR-encrypted DLLs, loading all its components in memory.
– The malware incorporates new features related to Transport Layer Security (TLS), forcing WinHTTP functions to use TLS version 1.2 for communication with the command and control server.
– Void Rabisu, the threat group behind RomCom, has shifted from opportunistic ransomware attacks to high-level cyberespionage, including the exploitation of zero-day vulnerabilities in Microsoft products.
– Trend Micro suggests that Void Rabisu is likely to target all big conferences related to special interest groups, so caution is advised when visiting event sites.
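As an added example (not code from the Trend Micro report or from the malware), a defender-side triage helper in Python for the loader behaviour described above: given a blob that an EXE-style loader fetched, it tries every single-byte XOR key and reports the one under which the data becomes a PE image. The single-byte key scheme and the `build_fake_pe` sample are assumptions constructed here; the page does not state the real variant's key length.

```python
import struct

# Constructed sample: a minimal buffer shaped like the start of a PE image
# (DOS header with "MZ", e_lfanew at offset 0x3C pointing at a "PE\0\0"
# signature), followed by filler. It stands in for a fetched DLL and is
# not a real RomCom sample.
def build_fake_pe(total_len=512):
    buf = bytearray(total_len)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)      # e_lfanew -> 0x80
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84, 0x8664)   # Machine = x86-64
    return bytes(buf)

def xor_bytes(data, key):
    """XOR every byte with one key byte (assumed single-byte scheme)."""
    return bytes(b ^ key for b in data)

def looks_like_pe(data):
    """Cheap structural check: MZ magic, sane e_lfanew, PE signature there."""
    if len(data) < 0x40 or data[0:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew must lie past the DOS header and leave room for the signature
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_xor_key(blob):
    """Return the single-byte key that decodes blob to a PE image, else None.

    Key 0 is tried first, so an unencoded PE is reported as key 0.
    """
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None

if __name__ == "__main__":
    # Encode the constructed sample with key 0x5A and recover that key.
    sample = xor_bytes(build_fake_pe(), 0x5A)
    key = find_xor_key(sample)
    print("recovered key:", hex(key) if key is not None else None)
```

Run this over the file a suspicious loader wrote or fetched; a recovered key is a strong signal that the component is an XOR-wrapped DLL worth pulling into a sandbox.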