ROMCOMLITE: Stealthier Version of ROMCOM Backdoor Targets Female Politicians

By Deeba Ahmed, HackRead.com

Watch out, ladies!

  • Japanese cybersecurity firm Trend Micro has detected a new malware attack campaign dubbed ROMCOMLITE.

  • Cyberespionage gang Void Rabisu is targeting female politicians and government officials with the new ROMCOM backdoor variant.

  • This new variant is compact and stealthier than its predecessor.

  • Attackers are using spear-phishing to distribute the backdoor through fake meeting invites.

  • If the malware invades a system successfully, it can harvest data, execute remote commands, or capture screenshots.

A notorious cyberespionage group, Void Rabisu (aka Storm-0978, Tropical Scorpius, and UNC2596), has launched a brand-new campaign targeting female political leaders and government officials using a revamped version of the previously detected ROMCOM backdoor.

Hackread.com had reported in July 2023 that Void Rabisu was intensifying its efforts to target politicians, citing a report from the BlackBerry Threat Research and Intelligence team about a campaign in which the group targeted Ukraine and NATO supporters with the ROMCOM backdoor RAT, delivered via malicious documents.

The ROMCOMLITE campaign was discovered by Japanese cybersecurity firm Trend Micro. This new variant, dubbed ROMCOM 4.0 by Trend Micro and Peapod by Microsoft, allows attackers to gain unauthorized access to the target’s computers and steal sensitive data.

The backdoor was detected in early August, and the malware analysis was published on 31 October. In the report, Feike Hacquebord and Fernando Merces explained that Void Rabisu’s targets were attendees of the Women Political Leaders (WPL) Summit held in Brussels in June 2023.

For your information, Void Rabisu is a sophisticated, hybrid group that conducts espionage and financially motivated attacks and prefers using the Cuba ransomware. It also serves as an APT actor targeting government and military entities/officials.

The gang was first discovered in 2022, but researchers agree that it has been active for much longer. They also suspect the group harbours a geopolitical agenda, as most of its previous campaigns targeted the Ukrainian government and military and EU political and government entities.

In the recent campaign, Trend Micro noted that the backdoor payload was embedded in a malicious copy of the official website of the WPL Summit, an event aimed at improving gender equality in politics. The new ROMCOM 4.0 backdoor is designed to evade detection and remain hidden on the infected system to avoid raising suspicion.

As per the report, the “Videos & Photos” link on the original domain redirects the visitor to a Google Drive folder containing the event’s photographs. The fake website (wplsummitcom) instead directs the visitor to a OneDrive folder containing two compressed files and an executable file (titled: Unpublished Pictures 1-20230802T122531-002-sfx.exe), which is the malware.

The gang created this fake website on 8 August, primarily to attract visitors from the original WPL Summit domain. The executable file is signed with a valid certificate issued to a firm called Elbor LLC and extracts 56 photos from its resource section after the user clicks on Extract.

Fake malicious website for the WPL Summit 2023; the folder downloaded by clicking on ‘Videos & Photos’ contains images and the malware downloader (Screenshot credit: Trend Micro)

Pictures dropped by the malware downloader from the event. According to Trend Micro, these images were gathered by the hackers from various social media posts.

Attackers use spear-phishing tactics to lure their targets. They send fake meeting invitations and other lures so that the targets open malicious attachments or click on links containing the malware.

This is similar to the tactic Void Rabisu used in its campaign discovered in June 2023, where the gang used lures related to the Ukrainian World Congress and the July NATO summit to deliver a zero-day exploit for an RCE vulnerability in MS Office and Windows HTML, tracked as CVE-2023-36884. Microsoft disclosed that campaign in July.

However, the Trend Micro report reveals that the group used a new tactic in this campaign: TLS enforcement by the RomCom C2 servers, which makes ROMCOM’s infrastructure harder to discover.

“We observed Void Rabisu using this technique in a May 2023 RomCom campaign that spread a malicious copy of the legitimate PaperCut software, in which the C2 server ignored requests that were not conformant,” the report read.

Trend Micro claims there’s no evidence to believe Void Rabisu is a state-sponsored actor. Still, it is clear that the group is trying to benefit from the “extraordinary geopolitical circumstances caused by the war in Ukraine.”

RELATED ARTICLES

  1. Hackers Target Israeli Rocket Alert App Users with Spyware
  2. Gender Diversity in Cybercrime Forums: Women Users on the Rise
  3. Israeli Rabbi arrested for hacking CCTV cameras at women’s bathing suit shop

Related news

CISA Adds Three Security Flaws with Active Exploitation to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation in the wild. The vulnerabilities are as follows - CVE-2023-36584 (CVSS score: 5.4) - Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability CVE-2023-1671 (CVSS score: 9.8) -

Operation Rusty Flag: Azerbaijan Targeted in New Rust-Based Malware Campaign

Targets located in Azerbaijan have been singled out as part of a new campaign that's designed to deploy Rust-based malware on compromised systems. Cybersecurity firm Deep Instinct is tracking the operation under the name Operation Rusty Flag. It has not been associated with any known threat actor or group. "The operation has at least two different initial access vectors," security researchers

Google Fixes Serious Security Flaws in Chrome and Android

Plus: Mozilla patches more than a dozen vulnerabilities in Firefox, and enterprise companies Ivanti, Cisco, and SAP roll out a slew of updates to get rid of some high-severity bugs.

August Patch Tuesday stops actively exploited attack chain and more

Microsoft has announced patches for 87 vulnerabilities this month, including two that are being actively exploited.

Microsoft Patch Tuesday, August 2023 Edition

Microsoft Corp. today issued software updates to plug more than 70 security holes in its Windows operating systems and related products, including a patch that addresses multiple zero-day vulnerabilities currently being exploited in the wild.

Microsoft Patch Tuesday July 2023: Vulristics improvements, Office RCE, SFB SmartScreen and Outlook, EoP MSHTML and ERS, other RCEs

Hello everyone! This episode will be about Microsoft Patch Tuesday for July 2023, including vulnerabilities that were added between June and July Patch Tuesdays. Alternative video link (for Russia): https://vk.com/video-149273431_456239131 As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. Vulristics improvements I optimized the detection of the vulnerable product and the type […]

Zero-day deploys remote code execution vulnerability via Word documents

We take a look at reports of an exploit being deployed via booby-trapped Word documents.

Microsoft Releases Patches for 130 Vulnerabilities, Including 6 Under Active Attack

Microsoft on Tuesday released updates to address a total of 130 new security flaws spanning its software, including six zero-day flaws that it said have been actively exploited in the wild. Of the 130 vulnerabilities, nine are rated Critical and 121 are rated Important in severity. This is in addition to eight flaws the tech giant patched in its Chromium-based Edge browser towards the end of

Update now! Microsoft patches a whopping 130 vulnerabilities

For the July 2023 Patch Tuesday, Microsoft has issued security updates for 130 vulnerabilities, four of which are known to have been actively exploited.

Apple & Microsoft Patch Tuesday, July 2023 Edition

Microsoft Corp. today released software updates to quash 130 security bugs in its Windows operating systems and related software, including at least five flaws that are already seeing active exploitation. Meanwhile, Apple customers have their own zero-day woes again this month: On Monday, Apple issued (and then quickly pulled) an emergency update to fix a zero-day vulnerability that is being exploited on MacOS and iOS devices.

CVE-2023-36884

Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially crafted Microsoft Office documents. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Please see the Microsoft Threat Intelligence Blog entry (https://aka.ms/Storm-0978) for important information about steps you can take to protect your system from this vulnerability. This CVE will be updated with new inform...