Female political leaders and military bigwigs targeted by new cyberattack

Anonymous Hacker
(Image credit: TheDigitalArtist / Pixabay)

Hackers have discovered targeting European Union (EU) military personnel and political leaders working on gender equality with an updated version of the RomCom remote access trojan (RAT) called PEAPOD.

According to cybersecurity researchers at Trend Micro, a hacking collective dubbed Void Rabisu (elsewhere known as UNC2596) created a typosquatted version of the wplsummit website - a site promoting the Women Political Leaders (WPL) Summit that happened in June this year. This malicious website displayed a Microsoft OneDrive folder that hosts an executable named "Unpublished Pictures 1-20230802T122531-002-sfx.exe." 

The file is presented as a photo gallery, and while it does hold some photos from the event (picked up from social media), it also carries PEAPOD.

State-sponsored or not?

PEAPOD itself is a slimmed-down version of the RomCom RAT, featuring 10 commands (RomCom has 42). These commands include executing arbitrary code, grabbing system information, and self-destruction in case of compromise. The researchers believe the attackers cut down on unnecessary bulk to make the RAT stealthier and harder to remove.

While the methodology, the victims, and the attackers' identities, are all known - the motives are still a mystery. The Hacker News reports that Void Rabisu is an “unusual” group as they were observed in both financially motivated attacks and espionage campaigns. 

"Void Rabisu is one of the clearest examples where we see a mix of the typical tactics, techniques, and procedures (TTPs) used by cybercriminal threat actors and TTPs used by nation-state-sponsored threat actors motivated primarily by espionage goals," Trend Micro said.

"While we have no evidence that Void Rabisu is nation-state-sponsored, it's possible that it is one of the financially motivated threat actors from the criminal underground that got pulled into cyberespionage activities due to the extraordinary geopolitical circumstances caused by the war in Ukraine," Trend Micro said.

According to the publication, Void Rabisu’s attacks often feature backdoors that single out Ukraine and countries that support it in its war against Russia.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.