Void Rabisu

Malware updated 4 months ago (2024-05-04T19:32:33.395Z)
Void Rabisu, also known as Storm-0978, UNC2596, and Tropical Scorpius, is a malicious software (malware) notable for its use of the ROMCOM backdoor. It has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. In August 2023, the actors behind Void Rabisu set up a deceptive website mimicking the legitimate WPL Summit site to lure visitors and exploit their systems. The malware was also used in spear-phishing attacks by a pro-Russian APT group against organizations supporting Ukraine's admission into NATO in July 2023. The threat actor shifted tactics during this period, deploying a payload that differed from the previously analyzed ROMCOM backdoor. Notably, Void Rabisu hijacked CLSID {F5078F32-C551-11D3-89B9-0000F81FE221}, which is normally used by the WordPad application.

An updated and simplified ROMCOM RAT variant, dubbed PEAPOD, was used in attacks against female political leaders who participated in the WPL Summit. Void Rabisu has also deployed the Cuba ransomware, potentially exclusively, as part of its attack strategies. Despite its sophisticated operations, there is no evidence to suggest that Void Rabisu is state-sponsored. According to researchers, the malware has stripped its backdoor "down to its core," downloading additional components as needed, possibly to make fingerprinting on the command and control server more difficult. The threat actor has also targeted other significant events, such as the Munich Security Conference and the Masters of Digital conference, underscoring the broad range of its malicious activities.
Description last updated: 2024-05-04T18:22:00.078Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Tropical Scorpius | 3 | Tropical Scorpius is a notorious malware, first identified in late 2020, associated with the Cuba ransomware gang. This malicious software has been linked to multiple cybercriminal activities, including disrupting operations, stealing personal information, and holding data hostage for ransom. The ma
Unc2596 | 3 | UNC2596, also known as Void Rabisu, Tropical Scorpius, and Storm-0978, is a hybrid threat actor involved in both financially motivated and espionage attacks. This group has been refining its tactics and techniques, utilizing backdoor attacks that have targeted various high-profile events, including
Romcom Backdoor | 3 | The RomCom backdoor, a malicious software, is primarily used by the threat actor Void Rabisu, also known as Tropical Scorpius or Storm-0978. This malware has been associated with Cuba ransomware and has been notably deployed in cyberespionage activities, shifting away from opportunistic ransomware a
RomCom | 3 | RomCom is a type of malware, specifically a Remote Access Trojan (RAT), that has been linked to several cyber-attacks across Europe and North America. It was first identified in spring 2022, when third-party and open-source reports highlighted a potential connection between Cuba ransomware actors, R
Peapod | 3 | PEAPOD, a novel variant of the RomCom RAT malware, was discovered to have been used in targeted attacks against female political leaders who participated in the Women Political Leaders Summit in June. The threat operation responsible for these attacks is known as Void Rabisu, also referred to as Sto
Cuba Ransomware | 2 | The Cuba ransomware is a malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once insi
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
State Sponso...
Espionage
Malware
Ransomware
Vulnerability
Backdoor
Apt
Windows
Exploit
Papercut
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2023-36884 | Unspecified | 3 | CVE-2023-36884 is a significant vulnerability in the design or implementation of Microsoft Windows, Server, Office, and Outlook software. This flaw, which allows for remote code execution (RCE), has been exploited in the wild, with its technical details publicly disclosed. The vulnerabilities, inclu
Source Document References
Information about the Void Rabisu malware was read from the documents corpus below (display limited to 20 results).
Source | Created | Title
CERT-EU | 10 months ago | CISA Adds Three Security Flaws with Active Exploitation to KEV Catalog
CERT-EU | a year ago | SpyNote Android trojan detailed
CERT-EU | a year ago | Android spyware deployed via fraudulent Israeli rocket alert app
BankInfoSecurity | a year ago | Women Political Leaders Targeted With RomCom RAT Variant
CERT-EU | a year ago | RomCom Malware Group Targets EU Gender Equality Summit
CERT-EU | a year ago | ‘RomCom’ Cyber Campaign Targets Women Political Leaders
CERT-EU | a year ago | Israel, Gaza relief groups subjected to DDoS attacks
CERT-EU | a year ago | Novel RomCom RAT variant used in attacks against female political leaders
CERT-EU | a year ago | Ransomware attack claims against Colonial Pipeline linked to third-party breach
DARKReading | a year ago | 'RomCom' Cyber Campaign Targets Women Political Leaders
InfoSecurity-magazine | a year ago | New RomCom Backdoor Targets Female Political Leaders
CERT-EU | a year ago | Google trending Ransomware news headlines for the day - Cybersecurity Insiders
CERT-EU | a year ago | Women Political Leaders Summit targeted in RomCom malware phishing
CERT-EU | a year ago | New PEAPOD Cyberattack Campaign Targeting Women Political Leaders
CERT-EU | a year ago | New PEAPOD Cyberattack Campaign Targeting Women Political Leaders
CERT-EU | a year ago | Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant
Trend Micro | a year ago | Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant
CERT-EU | a year ago | Microsoft's latest Patch Tuesday addresses 6 actively exploited zero-day vulnerabilities
CERT-EU | a year ago | Microsoft Releases Patches for 132 Vulnerabilities, Including 6 Under Active Attack
CERT-EU | a year ago | Russia-Linked RomCom Hackers Targeting NATO Summit Guests