Void Rabisu’s RomCom Backdoor Reveals Shifting Threat Actor Goals

A hacker group known as Void Rabisu has deployed a new backdoor called RomCom. According to Trend Micro security researchers, this sophisticated tool sheds light on the group’s evolving objectives and marks a major shift in tactics.

“Void Rabisu is believed to be financially motivated, despite an alleged Cuban ransomware attack on Montenegro’s parliament in August 2022, which is believed to be part of a geopolitical agenda,” the advisory published Tuesday said.


“Void Rabisu’s motives appear to have changed since at least October 2022. […] In the December 2022 campaign, a fake version of the Ukrainian military’s Delta situational awareness website was used to lure the target into installing the RomCom backdoor.”

Based on these attacks, security experts theorized that Void Rabisu’s adoption of the RomCom backdoor may indicate a desire to diversify its activities.

Their activity so far has centered on exfiltration and information gathering, but their use of this new tool suggests they are also interested in sabotage, disruption, and even financial gain.

“While we are unable to confirm any linkages between the various attacks, Ukraine and its backing countries have been targeted by a variety of actors including APT actors, hacktivists, cyber mercenaries and cybercriminals like Void Rabisu,” the advisory reads.

The RomCom backdoor is reportedly able to bypass traditional defense mechanisms. It infiltrates systems under the guise of innocent romantic comedy files, gaining unauthorized access and giving hackers a gateway to carry out various activities.

“The lines between cybercrime for financial gain and APT attacks for geopolitics, espionage, chaos and warfare are blurring. Ransomware-as-a-Service (RaaS) is on the rise. Since then, cybercriminals have adopted sophisticated tactics and targeted attacks previously thought to be the domain of APT attackers,” wrote Trend Micro.

“Conversely, tactics and techniques previously used by financially motivated attackers are increasingly being used in geopolitically motivated attacks.”
