This RomCom is no laughing matter:
A change in the deployment of the RomCom malware strain has illustrated the blurring distinction between cyberattacks motivated by money and those fueled by geopolitics, in this case Russia's illegal invasion of Ukraine, according to Trend Micro analysts.
The infosec vendor pointed out that RomCom's operators, threat group Void Rabisu, also have links to the notorious Cuba ransomware, and that it had therefore assessed the group to be a financially driven criminal organization.
But in a report published this week, the researchers wrote that Void Rabisu used RomCom against the Ukraine government and military as well as water, energy, and financial entities in the country.
Outside of Ukraine, targets included a local government group helping Ukrainian refugees, a defense company in Europe, IT service providers in the US and the EU, and a bank in South America. There also were campaigns against people attending various events including the Masters of Digital and Munich Security conferences.
The usage pattern seems to have started shifting last autumn.
One campaign inside of Ukraine used a fraudulent version of the Ukrainian army's DELTA situational awareness website to lure victims into downloading RomCom through improperly patched browsers.
"Normally, this kind of brazen attack would be thought to be the work of a nation state-sponsored actor, but in this case, the indicators clearly pointed towards Void Rabisu, and some of the tactics, techniques, and procedures (TTPs) used were typically associated with cybercrime," Trend's researchers wrote.
The firm has been tracking Void Rabisu since mid-2022 and believes the gang has added evasion techniques to make it more difficult for security tools to detect the malware. The gang has also used fake websites that appear to promote real or fake software – including ChatGPT, Go To Meeting, AstraChat, KeePass, and Veeam – to entice victims into downloading malicious code.
The attackers push the fake sites through targeted phishing emails and Google Ads.
With the combination of RomCom targets seen by Trend Micro, the Ukrainian Computer Emergency Response Team (CERT-UA), and Google, "a clear picture emerges of the RomCom backdoor's targets: select Ukrainian targets and allies of Ukraine," the researchers wrote.
The report details a February 2023 campaign against targets in Eastern Europe during which miscreants embedded the latest version of RomCom – 3.0 – in an installation package of the AstraChat instant messaging software.
While RomCom receives upgrades, its modular architecture remains. Three components - a loader, a network component to communicate with the command-and-control (C2) server, and a worker component that runs the actions on the victim's system - do its dirty work.
[...] "We expect that significant geopolitical events like the current war against Ukraine will accelerate the alignment of the campaigns of threat actors who reside in the same geographic region," the researchers wrote. "This will lead to new challenges for defenders, as attacks can then come from many different angles, and it will be less clear who is the actor responsible for them."
(Score: 2) by PiMuNu on Sunday June 04 2023, @09:32PM
... for the 21st C
(Score: 2) by Snotnose on Sunday June 04 2023, @11:58PM (1 child)
You're crossing a street and get creamed. Why?
1) The driver was looking at their phone
2) The driver was hanging a right and looking left to ensure no cars were coming
3) The driver just didn't see you
4) The driver was in a bad mood and didn't like your skin color
5) A bar had cut the driver off and they were driving to the next bar.
Short term, you're fucked and don't really care why.
Long term, this matters to the driver. To you, not so much.
You got run over, um, hacked. Do you care why, who was behind it, or anything else?
When the dust settled America realized it was saved by a porn star.
(Score: 1) by khallow on Tuesday June 06 2023, @03:53AM
Even if hacking were accidental, understanding why it happens at both the personal and societal level can help prevent it from happening again - or at least reduce its frequency. And if, as alleged in the story, you know more than why, namely who, is deliberately hacking into your system, you may be able to take measures against that person or group.
(Score: 1) by Runaway1956 on Monday June 05 2023, @02:30AM (2 children)
A little too much focus on "criminal" vs "state actor". You can be both, at the same time. Who remembers the CIA drug running operation, whose purpose was to fund their little proxy war?
https://en.wikipedia.org/wiki/CIA_involvement_in_Contra_cocaine_trafficking [wikipedia.org]
The quote doesn't really go far enough. The same people who are busy laundering money, drugs, weapons, slaves, and whatever are involved with all sides of the dirty deals. You're either "in", or "out", and if you're "in", then you're in up to your neck. The same will be true, whether it be Nicaragua, or Ukraine.
(Score: 3, Informative) by legont on Monday June 05 2023, @04:47AM (1 child)
Yes indeed. On a related note, American antitank missiles destined for Ukraine already found their way to Mexican drug gangs. One could blame Ukrainians or even Russians, but I doubt the toys ever left our side of the pond.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 1) by khallow on Tuesday June 06 2023, @04:03AM
Looks only to be truish [apnews.com].
Wikipedia notes [wikipedia.org] that the AT4 is used not only by the US and Mexican cartels in North America, but also by Argentina, Brazil, Colombia, Dominican Republic, and Venezuela.