Ukraine war blurs lines between cyber-crims and state-sponsored attackers

A change in the deployment of the RomCom malware strain has illustrated the blurring distinction between cyberattacks motivated by money and those fueled by geopolitics, in this case Russia's illegal invasion of Ukraine, according to Trend Micro analysts.

The infosec vendor pointed out that RomCom's operators, threat group Void Rabisu, also has links to the notorious Cuba ransomware, and therefore assessed it was assumed to be a financially driven criminal organization.

But in a report published this week, the researchers wrote that Void Rabisu used RomCom against the Ukraine government and military as well as water, energy, and financial entities in the country.

Outside of Ukraine, targets included a local government group helping Ukrainian refugees, a defense company in Europe, IT service providers in the US and the EU, and a bank in South America. There also were campaigns against people attending various events including the Masters of Digital and Munich Security conferences.

The evolution of RomCom

The usage pattern seems to have started shifting last autumn.

One campaign inside of Ukraine used a fraudulent version of the Ukrainian army's DELTA situational awareness website to lure victims into downloading RomCom through improperly patched browsers.

"Normally, this kind of brazen attack would be thought to be the work of a nation state-sponsored actor, but in this case, the indicators clearly pointed towards Void Rabisu, and some of the tactics, techniques, and procedures (TTPs) used were typically associated with cybercrime," Trend's researchers wrote.

The firm has been tracking Void Rabisu since mid-2022 and believes the gang has added evasion techniques to make it more difficult for security tools to detect the malware. The gang has also used fake websites that appear to promote real or fake software – including ChatGPT, Go To Meeting, AstraChat, KeePass, and Veeam – to entice victims into downloading malicious code.

The attackers push the fake sites through targeted phishing emails and Google Ads.

With the combination of RomCom targets seen by Trend Micro, the Ukrainian Computer Emergency Response Team (CERT-UA), and Google, "a clear picture emerges of the RomCom backdoor's targets: select Ukrainian targets and allies of Ukraine," the researchers wrote.

More commands, more evasion techniques

The report details a February 2023 campaign against targets in Eastern Europe during which miscreants embedded the latest version of RomCom – 3.0 – in an installation package of the AstraChat instant messaging software.

While RomCom receives upgrades, its modular architecture remains. Three components - a loader, a network component to communicate with the command-and-control (C2) server, and a worker component that runs the actions on the victim's system - do its dirty work.

That said, there were key differences from previous versions, including more than twice as many commands in version 3.0, from 20 to 42, a high number of commands for a backdoor, the researchers wrote. RomCom 3.0 also added additional malicious payloads, including ones that steal browser cookies, IM chats, cryptocurrency wallets, and FTP credentials.

There also is a tool that takes screenshots and then compresses the images before they're exfiltrated.

New anti-detection techniques include tests to detect if the malware is running in a virtual machine, a big clue security researchers are at work. Encryption for payloads has been added, with decryption keys located at an external address. Valid certificates signed by seemingly legitimate US and Canadian companies – which turn out to be fake – are employed to give credence to the malicious binaries.

Void Rabisu also adds null bytes to the files from the C2 server to make them bigger to avoid sandboxes or security scanners that have a file size limit.

Evil alignment in the making?

RomCom is evolving to include features typical of both cybercrime malware used by financially motivated groups and advanced persistent threat (APT) attackers driven by geopolitics, the Trend Micro researchers wrote. Groups like Void Rabisu are using their sophisticated malware to both make money and advanced their political desires.

Ukraine has become a focal point for this sort of activity. APT gangs like Russian-linked APT29 (aka Cozy Bear) and Pawn Storm are targeting the country and its allies, as are what Trend Micro calls "cyber mercenaries" like Void Balaur, hacktivists like Killnet, cybercriminals such as Void Rabisu, and affiliates of the ransomware-as-a-service group Conti.

While none of these groups' campaigns appear to be coordinated, that could change. Which could be a problem.

"We expect that significant geopolitical events like the current war against Ukraine will accelerate the alignment of the campaigns of threat actors who reside in the same geographic region," the researchers wrote. "This will lead to new challenges for defenders, as attacks can then come from many different angles, and it will be less clear who is the actor responsible for them." ®