War blurs the lines between cybercriminals and state-sponsored attackers

If ransomware hits a Ukrainian energy system, is the goal to make money or to cause harm?

According to Trend Micro analysts, the change in how the RomCom malware is used is a prime example of the blurring distinction between financially motivated actions and cyberattacks fueled by geopolitics, in this case Russia’s invasion of Ukraine. The security company pointed out that RomCom’s operator, a group it calls Void Rabisu, created the infamous Cuba ransomware, and so, by its assessment, is presumably a financially motivated criminal organization. But this week, Void Rabisu used RomCom against the Ukrainian government and military, as well as the country’s water, energy and financial organizations. Targets outside Ukraine included a local government group helping Ukrainian refugees, a European defense company, IT service providers in the US and the EU, and a bank in South America.

RomCom’s usage pattern began to change last fall. During a campaign in Ukraine, the group cloned the website of the Ukrainian army’s DELTA software and used the spoofed version to deliver the malware to victims’ machines via their browsers. “Normally, we would think of such a brazen attack as being the work of a nation-state-sponsored actor, but in this case, the signs clearly pointed to Void Rabisu, and some of the tactics, techniques and procedures (TTPs) used were typically those associated with cybercrime,” the Trend Micro researchers write.

The company has been tracking Void Rabisu since mid-2022 and believes the gang has added evasion techniques to the software that make it difficult for security tools to detect the malware. The group also used fake websites impersonating well-known software – Go To Meeting, AstraChat, KeePass and Veeam – to lure victims into downloading malicious code. The report highlights a February 2023 campaign against Eastern European targets in which the criminals embedded the latest version, RomCom 3.0, into an installer for the AstraChat instant messaging software. The attackers drive victims to the fake pages through targeted phishing emails and Google ads. Working with the Ukrainian CERT and with help from Google, the company found that “a clear picture emerges of RomCom’s backdoor targets: selected Ukrainian targets and allies of Ukraine,” the researchers wrote.

RomCom has a modular structure and consists of three components: a loader, a network component that communicates with the command-and-control server, and an execution component that carries out operations on the victim’s system, i.e. does the dirty work. The update featured key differences from previous versions, the researchers wrote, including that version 3.0 contains more than twice as many commands. RomCom 3.0 also added new malicious functions, including ones that steal browser cookies, chats, cryptocurrency wallets and FTP credentials. There is also a tool that takes screenshots and compresses them before sending them out.

New anti-detection techniques include checks that detect whether the malware is running in a virtual machine. Encryption has also been added, with the decryption keys now hosted at an external address. Valid certificates issued to seemingly legitimate US and Canadian companies – which are “of course” fake – are used to sign the malicious binaries. Void Rabisu also pads files with null bytes to inflate their size, in order to evade sandboxes and security scanners that enforce a file-size limit.
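The null-byte padding trick above is cheap to spot on the defender’s side: a legitimate installer rarely ends in megabytes of 0x00. The following is an added example, not code from the article or from Trend Micro, that measures the trailing null run of a file and flags oversized, mostly-padding binaries; the threshold values are assumptions chosen for illustration, and the sample files are constructed inline.

```python
# Added example (not from the article or Trend Micro): a defender-side heuristic
# that flags executables padded with long runs of trailing null bytes, the
# file-inflation trick described above. Sample inputs are constructed inline.
import os
import tempfile

# Threshold values are assumptions for illustration, not published numbers.
MIN_PADDED_SIZE = 1 * 1024 * 1024   # only files large enough to trip size limits
PAD_RATIO_ALERT = 0.50              # alert if >= 50% of the file is one trailing null run
CHUNK = 1024 * 1024

def trailing_null_bytes(path: str) -> int:
    """Count the run of 0x00 bytes at the end of a file, reading backwards in chunks."""
    size = os.path.getsize(path)
    run = 0
    with open(path, "rb") as f:
        pos = size
        while pos > 0:
            step = min(CHUNK, pos)
            pos -= step
            f.seek(pos)
            chunk = f.read(step)
            stripped = chunk.rstrip(b"\x00")
            run += len(chunk) - len(stripped)
            if stripped:          # hit a non-null byte; the run ends here
                break
    return run

def assess_padding(path: str) -> dict:
    """Return size, trailing-null run length, padding ratio and a verdict for a file."""
    size = os.path.getsize(path)
    run = trailing_null_bytes(path)
    ratio = run / size if size else 0.0
    suspicious = size >= MIN_PADDED_SIZE and ratio >= PAD_RATIO_ALERT
    return {"size": size, "trailing_nulls": run, "ratio": ratio, "suspicious": suspicious}

def _write_sample(data: bytes) -> str:
    """Write constructed sample bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

if __name__ == "__main__":
    # Constructed samples: a small file with a short null tail and a 'padded' one.
    small = _write_sample(b"MZ" + b"\x90" * 500 + b"\x00" * 100)
    padded = _write_sample(b"MZ" + b"\x90" * 2000 + b"\x00" * (3 * 1024 * 1024))
    for p in (small, padded):
        print(p, assess_padding(p))
```

Pair this with a scanner policy that still hashes or detonates files above the size limit instead of silently skipping them, since the padding only works against tools that give up on large inputs.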

RomCom is evolving to combine features typical of cybercriminal malware used by financially motivated groups with those of APT (Advanced Persistent Threat) attackers driven by geopolitical considerations, the Trend Micro researchers write. Groups like Void Rabisu use their sophisticated malware both to make money and to advance their political aims. Ukraine has become the focal point of such activity. APT groups such as the Russian-linked APT29 (aka Cozy Bear) and Pawn Storm target the country and its allies, as do Void Balaur, which Trend Micro calls “cyber mercenaries”, hacktivists like Killnet, cybercriminals like Void Rabisu and affiliates of the ransomware-as-a-service group Conti.

While none of these groups’ campaigns appear to be coordinated, that could change, and that would be a problem. “We expect that major geopolitical events, such as the current war against Ukraine, will accelerate the coordination of campaigns by threat actors residing in the same geographic region,” the researchers wrote. “This will lead to new challenges for defenders, as attacks can then come from many different directions and it will be less clear who is responsible.”

Source: SG.hu Hírmagazin – IT/Tech by sg.hu.
