Void Rabisu Shifts Motives for Geopolitical Opportunities
Category: Threat Actor Activity | Industries: Defense, Government, Utilities, Water | Source: Trend Micro
Researchers from Trend Micro have identified a shift in the motives of the cyber mercenary group Void Rabisu. Previously focused on financial goals, the group has become geopolitically oriented, targeting Ukrainian entities in government, military, energy, and utilities. European and US allies of Ukraine were also within the threat actor's target scope. Trend Micro has observed this shift in objectives since October 2022 and has attributed the activity to Void Rabisu. The attribution is based on the distribution of the RomCom backdoor, believed to be associated with the group, as well as the use of specific tactics, techniques, and procedures (TTPs).
The RomCom backdoor has been continually refined since 2022 to boost the malware's ability to execute commands and evade detection. Notably, the malware is protected with VMProtect to disrupt both manual and automated sandbox analysis. RomCom has typically been observed masquerading as legitimate or popular software to lure and infect users. While some malware campaigns cast a wide net to increase the odds of an infection, Void Rabisu's use of Google Ads to distribute RomCom is more focused in its targeting. "RomCom has been spread through numerous lure sites that are sometimes set up in rapid bursts. These lure sites are most likely only meant for a small number of targets, thus making discovery and analysis more difficult," said Trend Micro. Phishing campaigns were also used to deploy the RomCom backdoor, with European government and defense entities targeted in 2022.
An infection chain observed in February 2023 had RomCom posing as the AstraChat messaging application. Once the MSI installer was executed, malicious DLL files were extracted and persistence was established in the Windows registry. As analyzed by Trend Micro, "RomCom 3.0 is divided into three components: a loader, a network component that interacts with the command-and-control (C&C) server, and a worker component that performs the actions on the victim's machine." The malware is capable of capturing screenshots on the host and dropping additional payloads, including cryptocurrency-stealing malware. Legitimate software such as the AnyDesk remote access tool and the 7-Zip archiving application could also be dropped by RomCom. As the war between Russia and Ukraine continues, cybercrime activity will continue to rise. According to Trend Micro's assessment, "cyber campaigns against Ukraine, Eastern Europe, and NATO countries are more visible for two reasons: the number of attacks has increased dramatically, and both the private and public sectors are looking closely at what happens in Ukraine."
- Malicious Software Download via MSI/JS
Anvilogic Use Cases:
- MSIExec Install MSI File
- Suspicious File written to Disk
- Add DLL/EXE Registry Value
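The three use cases above map directly onto the AstraChat infection chain described earlier: an msiexec install, DLL files dropped to disk, and a registry value added for persistence. The following Python script is an added example, not code from Trend Micro or Anvilogic, that runs that correlation over a handful of constructed, Sysmon-shaped endpoint events. All hostnames, paths, file names and the event schema are assumptions made for the example; the ten-minute window and the user-writable directory list are tunable choices, not values from the report.

```python
"""Correlate constructed endpoint telemetry for the three detection use cases
listed on the page: an msiexec install, a suspicious file written to disk, and
a DLL/EXE registry value added for persistence. Example code added here; the
events, hostnames and paths are constructed, not taken from the report."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a Sysmon-like shape (hypothetical schema).
SAMPLE_EVENTS = [
    {"ts": "2023-02-14T10:00:01", "host": "ws01", "type": "process",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\AstraChat-setup.msi" /qn'},
    {"ts": "2023-02-14T10:00:04", "host": "ws01", "type": "file",
     "image": r"C:\Windows\System32\msiexec.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\helper.dll"},
    {"ts": "2023-02-14T10:00:09", "host": "ws01", "type": "registry",
     "image": r"C:\Windows\System32\msiexec.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r'rundll32.exe C:\Users\alice\AppData\Local\Temp\helper.dll,Start'},
    # Benign install on another host (constructed): files land in Program
    # Files and no Run-key value points at a user-writable DLL or EXE.
    {"ts": "2023-02-14T11:30:00", "host": "ws02", "type": "process",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\bob\Downloads\archiver-setup.msi"'},
    {"ts": "2023-02-14T11:30:05", "host": "ws02", "type": "file",
     "image": r"C:\Windows\System32\msiexec.exe",
     "path": r"C:\Program Files\Archiver\archiver.dll"},
]

# Directories a standard user can write to; a payload dropped here by an
# installer is more suspicious than one landing under Program Files.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
WINDOW = timedelta(minutes=10)  # assumed correlation window


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def is_msi_install(e):
    """Use case 'MSIExec Install MSI File': msiexec launched with /i and a .msi."""
    cmd = e.get("cmdline", "").lower()
    return (e["type"] == "process" and "msiexec" in e["image"].lower()
            and "/i" in cmd and ".msi" in cmd)


def is_suspicious_file_write(e):
    """Use case 'Suspicious File written to Disk': a DLL or EXE written into a
    user-writable directory."""
    p = e.get("path", "").lower()
    return (e["type"] == "file" and p.endswith((".dll", ".exe"))
            and any(d in p for d in USER_WRITABLE))


def is_persistence_registry_value(e):
    """Use case 'Add DLL/EXE Registry Value': a Run/RunOnce value whose data
    references a DLL or EXE."""
    key = e.get("key", "").lower()
    val = e.get("value", "").lower()
    return (e["type"] == "registry" and any(k in key for k in RUN_KEYS)
            and (".dll" in val or ".exe" in val))


def correlate(events, window=WINDOW):
    """Return one alert per MSI install that is followed, on the same host and
    inside the window, by both a suspicious file write and a persistence value."""
    by_host = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if not is_msi_install(start):
                continue
            later = [e for e in evs[i + 1:] if _ts(e) - _ts(start) <= window]
            drops = [e["path"] for e in later if is_suspicious_file_write(e)]
            persist = [e["key"] for e in later if is_persistence_registry_value(e)]
            if drops and persist:
                alerts.append({"host": host, "installer": start["cmdline"],
                               "dropped": drops, "registry": persist})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Each predicate on its own would be noisy in an enterprise (msiexec runs constantly, and installers legitimately write DLLs); the signal comes from requiring all three behaviours from the same host within a short window, which is why the benign install on `ws02` produces no alert.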