Trend Micro details Void Rabisu hackers that use RomCom backdoor, showing growing shift in goals

Trend Micro researchers released details on Void Rabisu, also known as Tropical Scorpius, a malicious actor believed to be associated with Cuba ransomware and the RomCom backdoor. Due to its many ransomware attacks, Void Rabisu was believed to be financially motivated, even though its associated Cuba ransomware allegedly attacked the parliament of Montenegro in August 2022, which could be considered part of a geopolitical agenda. 

Additionally, the use of the RomCom backdoor in recent attacks demonstrates how Void Rabisu’s motives seem to have changed since at least October 2022, even though the adversaries were previously believed to be motivated by financial gain due to their ransomware attacks. The researchers assess that Void Rabisu is one of the most evident examples of financially motivated threat actors whose goals and motivations are becoming more aligned under extraordinary geopolitical circumstances.

Trend Micro’s telemetry and research corroborate that the RomCom backdoor has been used in geopolitically motivated attacks since at least October 2022, with targets that included organizations in Ukraine’s energy and water utility sectors, researchers revealed in a blog post on Tuesday. “Targets outside of Ukraine were observed as well, such as a provincial local government that provides help to Ukrainian refugees, a parliament member of a European country, a European defense company, and various IT service providers in Europe and the US.” 

“Among the targets we have seen based on Trend Micro’s telemetry were a water utility company, entities in the financial and energy sectors, and an IT company in Ukraine,” the researchers said. “Outside Ukraine, other targets included a local government agency that supports Ukrainian refugees, a defense company in Europe, a high-profile European politician, several IT service providers in Europe and the US, a bank in South America, and a couple of targets located in Asia. Combined with the targets that were published by CERT-UA and Google, a clear picture emerges of the RomCom backdoor’s targets: select Ukrainian targets and allies of Ukraine.”

The researchers added that independent research from Google showed that RomCom was being used in campaigns against attendees of the Masters of Digital conference, a conference organized by DIGITALEUROPE, and the Munich Security Conference.

“The motives of Void Rabisu seem to have changed since at least October 2022, when Void Rabisu’s associated RomCom backdoor was reported to have been used in attacks against the Ukrainian government and military: In a campaign in December 2022, a fake version of the Ukrainian army’s DELTA situational awareness website was used to lure targets into installing the RomCom backdoor,” Trend Micro researchers said. “Normally, this kind of brazen attack would be thought to be the work of a nation state-sponsored actor, but in this case, the indicators clearly pointed towards Void Rabisu, and some of the tactics, techniques, and procedures (TTPs) used were typically associated with cybercrime.”

Trend Micro outlines how using the RomCom backdoor fits into the current landscape, where politically motivated attacks are not committed by nation-state actors alone. “Even though we cannot confirm coordination between the different attacks, Ukraine and countries who support Ukraine are being targeted by various actors, like APT actors, hacktivists, cyber mercenaries, and cybercriminals like Void Rabisu. We will also delve into how RomCom has evolved over time and how the backdoor is spread both by methods that look like APT, as well as methods used by prominent cybercriminal campaigns taking place currently, to show that RomCom is using more detection evasion techniques that are popular among the most impactful cybercriminals,” the post added. 

The researchers also assess that RomCom makes use of the same third-party services that are being utilized by other criminal actors as well, like malware signing and binary encryption. “RomCom has been spread through numerous lure sites that are sometimes set up in rapid bursts. These lure sites are most likely only meant for a small number of targets, thus making discovery and analysis more difficult.” 

Trend Micro has been tracking RomCom campaigns since the summer of 2022, and since then, has seen an escalation in its detection evasion methods: “Not only do the malware samples routinely use VMProtect to make both manual and automated sandbox analysis more difficult, they also utilize binary padding techniques on the payload files. This adds a significant amount of overlay bytes to the files, increasing the size of the malicious payload (we’ve seen a file with 1.7 gigabytes).” 
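The binary padding described above leaves a measurable trace: the bytes appended after the last PE section are "overlay" data that no section header accounts for. The following triage script is an added example, not code from the original article or from Trend Micro; it parses the PE headers by hand (no third-party module), computes the overlay size and its share of the file, and flags files whose overlay is disproportionate. The minimal PE image it builds, the threshold values, and the function names are all constructed for this illustration.

```python
import struct


def pe_overlay_info(data: bytes) -> dict:
    """Return file size, end of the last PE section, and overlay statistics.

    Overlay = bytes past the highest (PointerToRawData + SizeOfRawData)
    of any section. Parsing follows the documented PE layout: MZ header,
    e_lfanew at 0x3C, "PE\\0\\0", COFF header, optional header, section table.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff
    )
    sect_table = coff + 20 + opt_size
    pe_end = sect_table + nsections * 40  # at minimum the headers themselves
    for i in range(nsections):
        off = sect_table + i * 40
        _name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        if raw_size:
            pe_end = max(pe_end, raw_ptr + raw_size)
    file_size = len(data)
    overlay = max(0, file_size - pe_end)
    return {
        "file_size": file_size,
        "pe_end": pe_end,
        "overlay_size": overlay,
        "overlay_ratio": overlay / file_size if file_size else 0.0,
    }


def is_suspiciously_padded(data: bytes, min_overlay: int = 50 * 1024 * 1024,
                           min_ratio: float = 0.9) -> bool:
    """Heuristic: flag files whose overlay is both large in absolute terms and
    dominates the file. Thresholds are assumptions for this example; legitimate
    installers and Authenticode-signed binaries also carry (small) overlays."""
    info = pe_overlay_info(data)
    return info["overlay_size"] >= min_overlay and info["overlay_ratio"] >= min_ratio


def build_sample_pe(overlay_len: int) -> bytes:
    """Construct a minimal, non-executable PE image (one section of 0x200
    bytes at file offset 0x200) followed by overlay_len bytes of padding."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    sig = b"PE\0\0"
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)         # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    section = struct.pack(
        "<8sIIIIIIHHI",
        b".text\0\0\0", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020,
    )
    headers = dos + sig + coff + opt + section
    headers += b"\0" * (0x200 - len(headers))
    body = b"\xC3" * 0x200  # constructed section contents
    return headers + body + b"\0" * overlay_len


if __name__ == "__main__":
    for name, blob in (("clean", build_sample_pe(0)), ("padded", build_sample_pe(4096))):
        info = pe_overlay_info(blob)
        print(name, info, "flagged:",
              is_suspiciously_padded(blob, min_overlay=2048, min_ratio=0.5))
```

The absolute threshold matters as much as the ratio: a small utility with a 20 KB signature block has a high overlay ratio but is not what the article describes, whereas a payload inflated towards the 1.7 GB figure quoted above trips both tests and is also a candidate for the size-based exclusions many sandboxes apply, which is exactly why the padding is used.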

They also noticed that a new routine has been recently added that involves the encryption of the payload files, which can only be decrypted if a certain key is downloaded to activate the payload.

“In addition to these technical evasion techniques, RomCom is being distributed using lure sites that often appear legitimate and are being utilized in narrow targeting. This makes automated blocking of these lure websites through web reputation systems harder,” the post detailed. “Void Rabisu has been using Google Ads to entice their targets to visit the lure sites, similar to a campaign that distributed IcedID botnet in December 2022. A key difference is that while IcedID’s targeting was wider, Void Rabisu probably opted for narrower targeting that Google Ads offers to its advertisers. RomCom campaigns also make use of highly targeted spear phishing emails.”

On the RomCom lure sites, targets are offered trojanized versions of legitimate applications, like chat apps such as AstraChat and Signal, PDF readers, remote desktop apps, password managers, and other tools that are typically used by system administrators.

The Ukrainian Computer Emergency Response Team (CERT-UA) disclosed in the fall of 2022 that RomCom was used in specific campaigns against Ukrainian targets, including the Ukrainian government and the Ukrainian military, the researchers revealed. “Trend Micro’s telemetry confirms this targeting, and, as shown in a selection of the numerous RomCom campaigns over time, it is immediately clear that RomCom already had Ukrainian-language social engineering lures back in October and November 2022.” 

“We count a few dozen lure websites that have been set up since July 2022. RomCom shows a mix in their targeting methodologies, mixing typical cybercriminal TTPs with TTPs that are more common for APT actors,” according to the post. “For example, RomCom used spear phishing against a member of a European parliament in March 2022 but targeted a European defense company in October 2022 with a Google Ads advertisement that led to an intermediary landing site that would redirect to a RomCom lure site. That intermediary landing site used the domain name ‘kagomadb[dot]com,’ which was later used for Qakbot and Gozi payloads in December 2022.”

Trend Micro also warned that the malware uses certificates to lend credibility to the software that the targeted victims download. “On the surface, the companies that are signing these binaries look like legitimate companies that have undergone the process of becoming a signer of these certificates.” 

However, the post added that a closer look at these companies’ websites reveals several oddities, including non-existent phone numbers, stock photos of executives, and office addresses that do not seem to match. “This leads us to believe these are either fake companies or legitimate companies that are being abused in order to pass the checks needed to become an authorized signer of binaries.”

The researchers also said that Void Rabisu had many lure websites that attempt to convince targets to download trojanized legitimate applications. These lure sites look legitimate at first but usually have similar oddities on the websites.  

The war against Ukraine has made cyber campaigns against Ukraine, Eastern Europe, and NATO countries more visible for two reasons, the researchers said: the number of attacks has increased dramatically, and both the private and public sectors are looking closely at what happens in Ukraine. Additionally, more information from intelligence agencies is being declassified by Western governments, so privately-owned companies can investigate further for themselves. Another important factor is that many actors who previously had different motivations are becoming more aligned toward the same goal, even when their campaigns do not appear to be part of a coordinated effort.

Trend Micro added that the line is blurring between cybercrime driven by financial gain and APT attacks motivated by geopolitics, espionage, disruption, and warfare. “Since the rise of Ransomware-as-a-Service (RaaS), cybercriminals are not using advanced tactics and targeted attacks that were previously thought to be the domain of APT actors. Inversely, tactics and techniques that were previously used by financially motivated actors are increasingly being used in attacks with geopolitical goals.”  

Currently, APT actors like Pawn Storm and APT29, cyber mercenaries like Void Balaur, hacktivism groups like Killnet, along with cybercriminals like former Conti affiliates and Void Rabisu, are targeting Ukraine and its allies, but their campaigns do not yet look coordinated, the researchers said. “We expect that significant geopolitical events like the current war against Ukraine will accelerate the alignment of the campaigns of threat actors who reside in the same geographic region. This will lead to new challenges for defenders, as attacks can then come from many different angles, and it will be less clear who is the actor responsible for them,” they added.

Last week, the U.S. and international cybersecurity agencies released a cybersecurity advisory highlighting malicious activity executed by a People’s Republic of China (PRC) state-sponsored hacking group, Volt Typhoon. The agencies have so far revealed that private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and believe the group could apply the same techniques against these and other sectors worldwide. Additionally, the Secretary of the Navy confirmed that the Chinese government-sponsored hackers have allegedly also breached the U.S. Navy infrastructure.
