Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals
With contributions from Veronica Chierzi and Jayvee Mark Villaroman
Since the start of the war in Ukraine in February 2022, the number of cyber campaigns against Ukraine and North Atlantic Treaty Organization (NATO) countries has increased significantly. These campaigns come from many different angles: known advanced persistent threat (APT) actors, APT actors that were not publicly reported on before, and cyber mercenaries, hacktivists, and criminal actors who appear to have shifted from purely financial motives to geopolitical goals. In the past, these actors had different motivations, mode of operations, and targets, but the line between their campaigns has started to blur: Not only is an overlap in their targeting becoming apparent, but the distinction between their modes of operation is less clear. For instance, in 2022, one of Conti’s affiliates was found to be using its initial access techniques against Ukraine instead of using them to spread ransomware.
Another example of this is Void Rabisu, also known as Tropical Scorpius, an actor believed to be associated with Cuba ransomware and the RomCom backdoor. Because of its many ransomware attacks, Void Rabisu was believed to be financially motivated, even though its associated Cuba ransomware allegedly attacked the parliament of Montenegro in August 2022, which could be considered part of a geopolitical agenda. The motives of Void Rabisu seem to have changed since at least October 2022, when Void Rabisu’s associated RomCom backdoor was reported to have been used in attacks against the Ukrainian government and military: In a campaign in December 2022, a fake version of the Ukrainian army’s DELTA situational awareness website was used to lure targets into installing the RomCom backdoor. Normally, this kind of brazen attack would be thought to be the work of a nation state-sponsored actor, but in this case, the indicators clearly pointed towards Void Rabisu, and some of the tactics, techniques, and procedures (TTPs) used were typically associated with cybercrime.
Trend Micro’s telemetry and research corroborates that the RomCom backdoor has been used in geopolitically motivated attacks since at least October 2022, with targets that included organizations in Ukraine’s energy and water utility sectors. Targets outside of Ukraine were observed as well, such as a provincial local government that provides help to Ukrainian refugees, a parliament member of a European country, a European defense company, and various IT service providers in Europe and the US. Independent research from Google showed that RomCom was being used in campaigns against attendees of the Masters of Digital conference, a conference organized by DIGITALEUROPE, and the Munich Security Conference.
In this blog entry, we will discuss how the use of the RomCom backdoor fits into the current landscape, where politically motivated attacks are not committed by nation-state actors alone. Even though we cannot confirm coordination between the different attacks, Ukraine and countries who support Ukraine are being targeted by various actors, like APT actors, hacktivists, cyber mercenaries, and cybercriminals like Void Rabisu. We will also delve into how RomCom has evolved over time and how the backdoor is spread both by methods that look like APT, as well as methods used by prominent cybercriminal campaigns taking place currently, to show that RomCom is using more detection evasion techniques that are popular among the most impactful cybercriminals.
We assess that RomCom makes use of the same third-party services that are being utilized by other criminal actors as well, like malware signing and binary encryption. RomCom has been spread through numerous lure sites that are sometimes set up in rapid bursts. These lure sites are most likely only meant for a small number of targets, thus making discovery and analysis more difficult. Void Rabisu is one of the most evident examples of financially motivated threat actors whose goals and motivations are becoming more aligned under extraordinary geopolitical circumstances, and we anticipate that this will happen more in the future.
RomCom campaigns
We have been tracking RomCom campaigns since the summer of 2022, and since then, have seen an escalation in its detection evasion methods: Not only do the malware samples routinely use VMProtect to make both manual and automated sandbox analysis more difficult, they also utilize binary padding techniques on the payload files. This adds a significant amount of overlay bytes to the files, increasing the size of the malicious payload (we’ve seen a file with 1.7 gigabytes). Additionally, a new routine has been recently added that involves the encryption of the payload files, which can only be decrypted if a certain key is downloaded to activate the payload.
In addition to these technical evasion techniques, RomCom is being distributed using lure sites that often appear legitimate and are being utilized in narrow targeting. This makes automated blocking of these lure websites through web reputation systems harder. Void Rabisu has been using Google Ads to entice their targets to visit the lure sites, similar to a campaign that distributed IcedID botnet in December 2022. A key difference is that while IcedID’s targeting was wider, Void Rabisu probably opted for narrower targeting that Google Ads offers to its advertisers. RomCom campaigns also make use of highly targeted spear phishing emails.
On the RomCom lure sites, targets are offered trojanized versions of legitimate applications, like chat apps such as AstraChat and Signal, PDF readers, remote desktop apps, password managers, and other tools, that are typically used by system administrators.
Read More HERE