Targeting female political leaders is a new PEAPOD cyberattack campaign
The focus of a new campaign delivering an updated RomCom RAT named PEAPOD has emerged as political and military leaders in the European Union working on gender equality efforts.
The attacks were linked by the cybersecurity company Trend Micro to a threat actor known as Void Rabisu, also known as Storm-0978, Tropical Scorpius, and UNC2596, and were thought to be connected to the Cuba ransomware.
The antagonistic collective is a unique group in that it carries out both financially driven and espionage-related activities, obfuscating the distinction between these two types of attacks. Additionally, RomCom RAT use is the only connection made.
Over the past year, attacks employing the backdoor have targeted Ukraine and nations that aid Ukraine in its conflict with Russia.
Microsoft accused Void Rabisu of using specially forged Microsoft Office document lures associated with the Ukrainian World Congress to exploit CVE-2023-36884, a remote code execution issue in Office and Windows HTML.
RomCom RAT has steadily advanced in sophistication, now being able to communicate with a command-and-control (C&C) server to accept commands and carry them out on the victim’s computer while also incorporating defense evasion methods.
In order to deceive people into accessing lure sites holding trojanized copies of legitimate software, the malware is generally delivered using highly targeted spear-phishing emails and false advertisements on search engines like Google and Bing.
Trend Micro
“One of the most blatant instances of a tactic, method, and procedure (TTP) mix between nation-state-sponsored threat actors and cybercriminals is Void Rabisu. This threat actor is largely driven by espionage objectives.”
“While there is no proof that Void Rabisu is supported by a nation-state, it is possible that it is one of the financially motivated threat actors from the criminal underworld who became involved in cyber espionage due to the unusual geopolitical conditions brought on by the conflict in Ukraine.” |
RomCom RAT was also supplied by the most recent wave of attacks that the business discovered in August 2023, but it was a revised and slimmed-down version of the malware that is spread through a website named wplsummit[.]com, which is a duplicate of the authentic wplsummit[.]org domain.
An executable file called “Unpublished Pictures 1-20230802T122531-002-sfx.exe,” a 21.6 MB file that tries to impersonate a folder holding pictures from the Women Political Leaders (WPL) Summit that happened in June 2023, is present in the website’s link to a Microsoft OneDrive folder.
The binary is a downloader that downloads a DLL file from a distant site while simultaneously dropping 56 images onto the target machine as a ruse. According to reports, the malicious actor obtained these images from specific posts on a number of social media websites, including LinkedIn, X (formerly known as Twitter), and Instagram.
The third-stage PEAPOD artifact, which only allows 10 commands overall compared to its predecessor’s 42 commands, is fetched by the DLL file via making contact with another domain.
The updated version is capable of running arbitrary instructions, downloading and uploading files, obtaining system information, and even uninstalling itself from the compromised host. The goal is to minimize the malware’s digital footprint and impede detection efforts by reducing it to its most basic components.
About The Author
Suraj Koli is a content specialist with expertise in Cybersecurity and B2B Domains. He has provided his skills for News4Hackers Blog and Craw Security. Moreover, he has written content for various sectors Business, Law, Food & Beverage, Entertainment, and many others. Koli established his center of the field in a very amazing scenario. Simply said, he started his career selling products, where he enhanced his skills in understanding the product and the point of view of clients from the customer’s perspective, which simplified his journey in the long run. It makes him an interesting personality among other writers. Currently, he is a regular writer at Craw Security.
Read More Article Here