RomCom Trojan Targets Women Political Leaders Summit
A cyberattack campaign has targeted prominent figures involved in the Women Political Leaders (WPL) Summit in Brussels, along with European Union military personnel. The attack, identified by Trend Micro, uses an updated version of the RomCom Remote Access Trojan (RAT) known as PEAPOD. The campaign, attributed to the Void Rabisu group, has raised concerns about the cybersecurity of high-profile events.
The attack relied on deceptive websites mimicking legitimate ones associated with the WPL Summit. Using a lookalike domain, wplsummit[.]com in place of the real wplsummit.org, the attackers pointed visitors to a Microsoft OneDrive folder containing an executable named "Unpublished Pictures 1-20230802T122531-002-sfx.exe." The file was presented as a photo gallery of authentic images from the June 2023 WPL Summit, and running it delivers the PEAPOD malware.
Once the trojan is running on a victim's device, the operators can issue it 10 different commands remotely. These include executing arbitrary code, collecting system information, and deleting itself from the host, so the operators can remove traces if they suspect the implant has been discovered and keep the intrusion inconspicuous.
Void Rabisu's distribution strategy typically relies on targeted spear-phishing emails and misleading advertisements on popular search engines such as Google and Bing. Both direct users to fake websites hosting trojanized versions of legitimate applications, which are hard for individuals to tell apart from the genuine installers.
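Both the lookalike event domain described above and the malvertising-driven fake software sites leave the same trace in proxy logs: visits to domains that nearly match a known-good one, sometimes followed by a download of an executable dressed up as something harmless. The script below is an added example, not code from Trend Micro or from the article, that runs a simple lookalike-domain check and a disguised-executable check over a handful of constructed proxy log lines. The only real domain in it is wplsummit.org; the log lines, the OneDrive URL shape, and the legitimate-domain list are assumptions for illustration.

```python
"""Flag lookalike event domains and disguised executables in web proxy logs.

Added example (not from the article or Trend Micro). The legitimate-domain
list, log format and sample lines are assumptions made for illustration.
"""
import re
from urllib.parse import unquote, urlparse

# Domains the organisation knows to be legitimate for the events it tracks.
# wplsummit.org is the real WPL Summit site named in the article.
LEGIT_DOMAINS = {"wplsummit.org"}

# Constructed sample proxy log lines (not real traffic): timestamp, user, URL.
# Spaces inside the filename are percent-encoded so each line splits into 3 fields.
SAMPLE_LOGS = [
    "2023-08-02T12:40:11Z alice https://www.wplsummit.org/agenda",
    "2023-08-02T12:41:03Z bob https://wplsummit.com/photos",
    "2023-08-02T12:41:09Z bob https://onedrive.live.com/download?id=abc/"
    "Unpublished%20Pictures%201-20230802T122531-002-sfx.exe",
    "2023-08-02T12:45:52Z carol https://wpl-summit.org/register",
    "2023-08-02T12:50:00Z dave https://example.com/report.pdf",
]

# Executable extensions worth flagging and lure words that suggest a photo gallery.
EXEC_RE = re.compile(r"[^/?&=#]*\.(?:exe|scr|pif|bat|msi)(?=$|[?&#])", re.I)
LURE_WORDS = re.compile(r"picture|photo|image|gallery", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character tricks such as an inserted hyphen."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix handling)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host: str):
    """Return the legitimate domain this host imitates, or None.

    A host is a lookalike if its second-level label equals a legitimate one
    (TLD swap, e.g. .com for .org) or is within edit distance 1 of it.
    """
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return None
    sld = reg.split(".")[0]
    for legit in LEGIT_DOMAINS:
        legit_sld = legit.split(".")[0]
        if sld == legit_sld or levenshtein(sld, legit_sld) <= 1:
            return legit
    return None


def disguised_executable(url: str):
    """Return the filename if the URL fetches an executable posing as pictures or an SFX archive."""
    match = EXEC_RE.search(unquote(url))
    if not match:
        return None
    name = match.group(0)
    if LURE_WORDS.search(name) or "-sfx" in name.lower():
        return name
    return None


def scan(lines):
    """Run both checks over log lines and return a list of findings."""
    findings = []
    for line in lines:
        _ts, user, url = line.split()
        host = (urlparse(url).hostname or "").lower()
        legit = lookalike_of(host)
        if legit:
            findings.append({"user": user, "host": host, "reason": f"lookalike of {legit}"})
        name = disguised_executable(url)
        if name:
            findings.append({"user": user, "host": host,
                             "reason": f"executable disguised as photos: {name}"})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

The registrable-domain logic deliberately stays naive; in production you would resolve the public suffix properly and seed LEGIT_DOMAINS from the event organizers' published sites rather than from search results, since the ads themselves are part of the lure.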
Void Rabisu is known for both financially motivated attacks and espionage campaigns and is the group most closely associated with the RomCom RAT. Its previous operations have targeted countries supporting Ukraine in its conflict with Russia, using techniques that include exploitation of CVE-2023-36884, a remote code execution vulnerability in Microsoft Office and Windows HTML.
While the exact motivations behind Void Rabisu's actions remain unclear, Trend Micro speculates that the war in Ukraine may have driven the group's shift from financially motivated activity toward more sophisticated cyberespionage. There is no concrete evidence linking Void Rabisu to a nation-state sponsor, but the geopolitical context clearly shapes its recent targeting.
So far, Void Rabisu has targeted three conferences in 2023: the Munich Security Conference, the Masters of Digital Conference, and the WPL Summit. Attendees of such events should remain vigilant, verify that an event domain is the one the organizers actually use, and treat unsolicited links to photo galleries or other downloads, especially executables, with suspicion.