A new cyberattack campaign called PEAPOD has surfaced, targeting European Union military personnel and political leaders involved in gender equality initiatives. This campaign employs an updated version of RomCom RAT and is attributed to a threat actor named Void Rabisu, known by various aliases, including Storm-0978, Tropical Scorpius, and UNC2596. Notably, Void Rabisu conducts both financially motivated and espionage attacks, blurring the lines between its modes of operation. These attacks have mainly focused on Ukraine and its supporters in the ongoing conflict with Russia.
In July, Microsoft linked Void Rabisu to the exploitation of CVE-2023-36884, a remote code execution vulnerability in Office and Windows HTML, utilizing specially crafted Microsoft Office document lures related to the Ukrainian World Congress. The RomCom RAT is a sophisticated malware that can interact with a command-and-control server, featuring defense evasion techniques.
It is distributed through highly targeted spear-phishing emails and deceptive advertisements on search engines, redirecting users to sites hosting trojanized versions of legitimate applications.
The most recent attacks in August 2023 introduce an updated and streamlined version of RomCom RAT distributed via a replica website, wplsummit[.]com, impersonating the legitimate wplsummit[.]org domain. The malicious actor uses a OneDrive folder link that tricks users into downloading an executable file, posing as pictures from the Women Political Leaders (WPL) Summit held in June 2023. This malware includes a downloader and retrieves a DLL file from a remote server to support 10 commands, down from the 42 commands of its predecessor. The revised version aims to minimize its digital footprint, complicating detection efforts.
While there is no direct evidence of Void Rabisu being nation-state-sponsored, it is suggested that this financially motivated threat actor may have been drawn into cyberespionage activities due to geopolitical developments surrounding the Ukraine conflict.