
posted by janrinok on Sunday June 04, @08:29AM

This RomCom is no laughing matter:

A change in the deployment of the RomCom malware strain has illustrated the blurring distinction between cyberattacks motivated by money and those fueled by geopolitics, in this case Russia's illegal invasion of Ukraine, according to Trend Micro analysts.

The infosec vendor pointed out that RomCom's operators, threat group Void Rabisu, also have links to the notorious Cuba ransomware, and that the group had therefore been assumed to be a financially driven criminal organization.

But in a report published this week, the researchers wrote that Void Rabisu used RomCom against the Ukraine government and military as well as water, energy, and financial entities in the country.

Outside of Ukraine, targets included a local government group helping Ukrainian refugees, a defense company in Europe, IT service providers in the US and the EU, and a bank in South America. There also were campaigns against people attending various events including the Masters of Digital and Munich Security conferences.

The usage pattern seems to have started shifting last autumn.

One campaign inside of Ukraine used a fraudulent version of the Ukrainian army's DELTA situational awareness website to lure victims into downloading RomCom through improperly patched browsers.

"Normally, this kind of brazen attack would be thought to be the work of a nation state-sponsored actor, but in this case, the indicators clearly pointed towards Void Rabisu, and some of the tactics, techniques, and procedures (TTPs) used were typically associated with cybercrime," Trend's researchers wrote.

The firm has been tracking Void Rabisu since mid-2022 and believes the gang has added evasion techniques to make it more difficult for security tools to detect the malware. The gang has also used fake websites that appear to promote real or fake software – including ChatGPT, Go To Meeting, AstraChat, KeePass, and Veeam – to entice victims into downloading malicious code.

The attackers push the fake sites through targeted phishing emails and Google Ads.
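The lure described above, a site that impersonates a legitimate software vendor so the victim fetches a trojanised installer, is something a defender can hunt for in web-proxy logs. The script below is an added example, not code from the article or from Trend Micro: it takes the brand names the report lists as impersonated (ChatGPT, GoToMeeting, AstraChat, KeePass, Veeam), compares the registrable domain of each requested URL against an assumed allow-list of the genuine vendor domains, and flags domains that embed a brand name or sit within one edit of it. The allow-list, log format and log lines are all constructed for the example, and the `registrable_domain` helper is a deliberate simplification that ignores multi-label public suffixes.

```python
"""Flag proxy-log requests to lookalike software-download domains.

Added example (not from the article or Trend Micro). Two heuristics:
  1. the brand name is embedded in a domain that is not allow-listed
     (e.g. a hyphenated "<brand>-setup" style domain);
  2. the second-level label is within one edit of the brand (typosquatting).
Allow-list entries, log format and log lines are constructed.
"""
from urllib.parse import urlparse

# Brand names the report says were used as lures on fake download sites.
BRANDS = ["chatgpt", "gotomeeting", "astrachat", "keepass", "veeam"]

# Assumed allow-list of the vendors' genuine registrable domains (defender-maintained).
ALLOW = {
    "chatgpt": {"openai.com"},
    "gotomeeting": {"gotomeeting.com", "goto.com"},
    "astrachat": {"astrachat.com"},
    "keepass": {"keepass.info"},
    "veeam": {"veeam.com"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: ignores multi-label public
    suffixes such as co.uk; a real deployment should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, allow=ALLOW):
    """Return (brand, reason) when the host looks like a lookalike of a brand,
    or None when it is allow-listed or unrelated to any brand."""
    rd = registrable_domain(host)
    if any(rd in domains for domains in allow.values()):
        return None
    sld = rd.split(".")[0].replace("-", "")  # second-level label, hyphens dropped
    for brand in BRANDS:
        if brand in sld:
            return brand, "brand name embedded in non-allow-listed domain"
        d = levenshtein(sld, brand)
        if d <= 1 and len(sld) >= 5:  # length guard avoids noise from short labels
            return brand, f"edit distance {d} from brand"
    return None


def scan_log(lines):
    """Parse constructed 'timestamp user method url status' lines; return flagged hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip rather than crash the sweep
        ts, user, _method, url, _status = parts[:5]
        host = urlparse(url).hostname or ""
        verdict = classify_host(host)
        if verdict:
            hits.append({"time": ts, "user": user, "host": host,
                         "brand": verdict[0], "reason": verdict[1]})
    return hits


# Constructed sample lines (not real traffic); .example is a reserved TLD.
SAMPLE_LOG = [
    "2023-02-14T10:01:02Z alice GET https://keepass.info/download/ 200",
    "2023-02-14T10:02:11Z bob GET https://keepass-setup.example/KeePass-Setup.exe 200",
    "2023-02-14T10:03:40Z carol GET https://www.veeam.com/backup 200",
    "2023-02-14T10:04:05Z dave GET https://veean.example/installer.msi 200",
    "2023-02-14T10:05:19Z erin GET https://chatgpt-desktop.example/app 200",
    "2023-02-14T10:06:00Z frank GET https://intranet.corp.example/ 200",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['time']} {h['user']} -> {h['host']} ({h['brand']}: {h['reason']})")
```

Run against the constructed sample it flags three requests (the hyphenated KeePass and ChatGPT lookalikes by containment, and `veean.example` by edit distance) and leaves the genuine KeePass and Veeam domains alone. The containment rule is the higher-confidence signal here because the campaign the report describes used the real product name as the lure; the edit-distance rule catches the cheaper typosquat variant at the cost of some false positives, which is why it carries a minimum-length guard.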

With the combination of RomCom targets seen by Trend Micro, the Ukrainian Computer Emergency Response Team (CERT-UA), and Google, "a clear picture emerges of the RomCom backdoor's targets: select Ukrainian targets and allies of Ukraine," the researchers wrote.

The report details a February 2023 campaign against targets in Eastern Europe during which miscreants embedded the latest version of RomCom – 3.0 – in an installation package of the AstraChat instant messaging software.

While RomCom receives upgrades, its modular architecture remains. Three components – a loader, a network component to communicate with the command-and-control (C2) server, and a worker component that runs the actions on the victim's system – do its dirty work.

[...] "We expect that significant geopolitical events like the current war against Ukraine will accelerate the alignment of the campaigns of threat actors who reside in the same geographic region," the researchers wrote. "This will lead to new challenges for defenders, as attacks can then come from many different angles, and it will be less clear who is the actor responsible for them."

  • (Score: 1) by khallow (3766) on Tuesday June 06, @04:03AM (#1310065)

    On a related note, American antitank missiles destined for Ukraine already found their way to Mexican drug gangs. One could blame Ukrainians or even Russians, but I doubt the toys ever left our side of the pond.

    Looks only to be truish [apnews.com].

    “A presumed member of the Tamaulipas cartel was recorded carrying one of the most exclusive and powerful weapons, a Javelin, which is theoretically only sold to the military and has been used in the invasion of Ukraine, for example,” she says in Spanish.

    Mark Hvizda, a defense analyst from Rand, said the weapon in the clip is not a Javelin, but rather an AT4, another anti-tank weapon that fires grenades.

    AT4s are normally produced by a Swedish company and are widely used by many militaries throughout the world. There is a U.S. version of an AT4, which the Army calls a M136 AT-4, however it’s unclear from the video which model this was, Hvizda said.

    Wikipedia notes [wikipedia.org] that the AT4 is used not only by the US and Mexican cartels in North America, but also by Argentina, Brazil, Colombia, Dominican Republic, and Venezuela.