Fresh Cyberattack Campaign ‘PEAPOD’ Targets Female Political Figures

The latest cyberattack campaign targets European Union military personnel and political leaders working on gender equality initiatives. The campaign introduces an updated version of the RomCom RAT called PEAPOD. Security firm Trend Micro attributes the attacks to a threat actor known as Void Rabisu, which is also associated with Cuba ransomware and tracked under aliases such as Storm-0978, Tropical Scorpius, and UNC2596. Its combination of financially motivated attacks and espionage sets this group apart, blurring the boundary between the two kinds of operation. Moreover, the RomCom RAT is linked exclusively to this actor.

Over the past year, previous attacks involving the RAT have primarily targeted Ukraine and the countries supporting it in its conflict with Russia. In July, Microsoft implicated Void Rabisu in exploiting a remote code execution flaw in Office and Windows HTML, using specially crafted Microsoft Office documents themed around the Ukrainian World Congress. PEAPOD can receive commands from a command-and-control server and execute them on the victim’s machine, and it employs defence evasion techniques that show an evolution in its sophistication. Spear-phishing emails and deceptive ads on search engines such as Google and Bing are the most common methods used to distribute the malware.

Trend Micro states that Void Rabisu combines tactics, techniques, and procedures typical of both cybercriminal and state-sponsored threat actors, indicating a mix of financial gain and espionage objectives. The latest attacks, discovered in August 2023, also employed RomCom RAT. However, this version of the malware is a slimmed-down iteration distributed through a website called wplsummit[.]com, which mimics the legitimate wplsummit[.]org domain. The website contains a link to a Microsoft OneDrive folder hosting an executable file named “Unpublished Pictures 1-20230802T122531-002-sfx.exe”, masquerading as a folder of photos from the Women Political Leaders (WPL) Summit held in June 2023. The executable is a downloader that drops 56 decoy pictures while retrieving a DLL file from a remote server; the photos were sourced from social media platforms such as LinkedIn, X, and Instagram. The DLL file then contacts another domain to retrieve the third-stage PEAPOD artefact, which supports ten commands compared to its predecessor’s 42. The updated version can execute arbitrary commands, download and upload files, gather system information, and uninstall itself.
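As an added illustration (not code from the article or from Trend Micro), the following Python sketches how a defender might triage web-proxy download logs for the two delivery traits described above: a domain that differs from a trusted one only by its TLD (wplsummit[.]com versus wplsummit[.]org), and a self-extracting executable named as if it were a photo folder. The pipe-separated log format, the trusted-domain watchlist and the sample events are constructed assumptions.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample of defanged proxy download events: user|destination|filename.
# Event 2 mirrors the delivery chain on this page; none of this is real telemetry.
SAMPLE_EVENTS = [
    "a.jones|wplsummit[.]org|agenda.pdf",
    "m.lee|wplsummit[.]com|Unpublished Pictures 1-20230802T122531-002-sfx.exe",
    "p.kim|onedrive.live[.]com|Unpublished Pictures 1-20230802T122531-002-sfx.exe",
    "s.roy|example[.]org|minutes.docx",
]

# Assumed watchlist of legitimate domains staff are expected to visit.
TRUSTED_DOMAINS: Set[str] = {"wplsummit.org"}

# A self-extracting archive is an executable; a name that reads like a
# picture/photo/document folder but ends in -sfx.exe is the masquerade used here.
SFX_MASQUERADE = re.compile(r"(picture|photo|image|document)s?.*-sfx\.exe$", re.IGNORECASE)


def refang(domain: str) -> str:
    """Turn a defanged 'example[.]org' back into 'example.org' for comparison."""
    return domain.replace("[.]", ".")


def is_tld_lookalike(domain: str, trusted: Set[str]) -> Optional[str]:
    """Return the trusted domain that `domain` impersonates by swapping only
    the TLD, or None when it is not such a lookalike (exact matches are fine)."""
    label, _, tld = domain.rpartition(".")
    for good in trusted:
        good_label, _, good_tld = good.rpartition(".")
        if label == good_label and tld != good_tld:
            return good
    return None


def parse_event(line: str) -> dict:
    user, dst, filename = line.split("|")
    return {"user": user, "dst": refang(dst), "file": filename}


def triage(events: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (user, reason) findings for events matching either trait.
    One event can yield two findings when both traits are present."""
    findings = []
    for line in events:
        ev = parse_event(line)
        target = is_tld_lookalike(ev["dst"], TRUSTED_DOMAINS)
        if target:
            findings.append((ev["user"], f"TLD lookalike of {target}: {ev['dst']}"))
        if SFX_MASQUERADE.search(ev["file"]):
            findings.append((ev["user"], f"SFX executable posing as media: {ev['file']}"))
    return findings
```

Running `triage(SAMPLE_EVENTS)` flags the lookalike domain and the SFX download for one user and the SFX download alone for another, while the visit to the genuine .org site is left alone.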

Trend Micro speculates that while there is no concrete evidence suggesting Void Rabisu is state-sponsored, it may be a financially motivated threat actor drawn into cyber espionage by the unique geopolitical circumstances surrounding the Ukrainian conflict.
