Void Rabisu Group Uses RomCom for Geopolitical Attacks

Void Rabisu’s geopolitical attacks 

• The attackers used social engineering tactics and content in the Ukrainian language to target the Ukrainian government and military. 
• The campaign, furthermore, targeted several entities outside of Ukraine, including a local government providing help to Ukrainian refugees, a European defense firm, a parliament member, and different IT service providers in Europe and the U.S.
• In December 2022, a fake version of the Ukrainian army’s DELTA website was used as a lure to deliver the RomCom backdoor.
• Additionally, the backdoor was used in campaigns aimed at attendees of the Masters of Digital conference.

Attack tactics

• The RomCom backdoor is typically distributed through lure sites that appear to be authentic and are used in limited targeting.
• These sites offer trojanized versions of genuine applications, such as AstraChat and Signal, PDF readers, password managers, and remote desktop apps.
• Furthermore, the attackers used spear phishing and a Google Ads advertisement that redirects users to a RomCom lure site.

More about RomCom

• RomCom routinely uses VMProtect to make sandbox analysis challenging and uses binary padding techniques on the payload files to obfuscate them.
• Moreover, RomCom’s C2 servers are used to download a stealer, identified as StealDeal (aka SneakyStealer). It steals saved credentials and browsing history from web browsers.

Conclusion