The Void Rabisu threat operation, also known as Storm-0978, UNC2596, and Tropical Scorpius, has launched attacks using an updated and simplified RomCom RAT variant dubbed PEAPOD against female political leaders who participated in the Women Political Leaders Summit in June, according to The Hacker News.
Trend Micro researchers discovered that PEAPOD was distributed through a fake WPL Summit site containing a link to a Microsoft OneDrive folder, which held an executable named to spoof a folder of photos from the summit. Running the downloaded executable dropped the photos while also fetching a DLL file, which then retrieved the third-stage PEAPOD malware. PEAPOD supports only 10 commands, including arbitrary command execution, file uploading and downloading, and self-uninstallation, compared with 42 commands supported by RomCom, a reduction the researchers attributed to efforts to further obfuscate operations.
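The lure in this campaign relied on an executable posing as a folder of photos. The following defender-side script is an added example, not code from Trend Micro or The Hacker News: it scans a download directory for files that carry a Windows PE header but present themselves as something else (a non-executable extension, a double extension such as `.jpg.exe`, or a media-folder-style name). The file names, the keyword list, and the sample files it creates are all constructed for illustration.

```python
import os
import tempfile

# Extensions that Windows launches as native code. A file with a PE header
# but a different (or no) extension is hiding what it really is.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl"}
# Extensions commonly paired with a trailing .exe to imitate a document or image.
CONTENT_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".zip", ".pdf", ".doc", ".docx"}
# Words that suggest a folder of media rather than a program (constructed list,
# an assumption for this example; tune it to your environment).
FOLDER_WORDS = ("photo", "photos", "pictures", "images", "gallery", "album")


def is_pe(path):
    """True if the file starts with the MZ magic of a Windows executable."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def classify(path):
    """Return a finding label for a masquerading PE file, or None if nothing stands out."""
    if not is_pe(path):
        return None
    base, ext = os.path.splitext(os.path.basename(path))
    ext = ext.lower()
    inner_ext = os.path.splitext(base)[1].lower()
    if ext not in EXECUTABLE_EXTS:
        # PE content behind a document/image extension (or no extension at all)
        return "pe_with_non_executable_extension"
    if inner_ext in CONTENT_EXTS:
        # e.g. "summit.jpg.exe": Windows hides the real extension by default
        return "double_extension"
    words = base.lower().replace("_", " ").replace("-", " ").split()
    if any(w in FOLDER_WORDS for w in words):
        # An executable named as if it were a folder of pictures
        return "executable_named_like_media_folder"
    return None


def scan(directory):
    """Map each flagged file name in the directory to its finding label."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            label = classify(path)
            if label:
                findings[name] = label
    return findings


def build_sample_dir():
    """Create a temp directory of constructed files covering each case (sample data)."""
    d = tempfile.mkdtemp()
    pe_stub = b"MZ" + b"\x00" * 62          # minimal MZ header, not a real program
    jpeg_stub = b"\xff\xd8\xff\xe0" + b"\x00" * 60
    samples = {
        "WPL Summit Photos.exe": pe_stub,   # constructed lure-style name
        "summit.jpg.exe": pe_stub,
        "invoice.pdf": pe_stub,
        "real_photo.jpg": jpeg_stub,
        "setup.exe": pe_stub,
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    for name, label in scan(build_sample_dir()).items():
        print(f"{label:40} {name}")
```

Point `scan()` at a user's Downloads directory (or a OneDrive sync folder) to triage files before they are opened; the MZ check is the reliable part, while the name heuristics only rank which PE files deserve a closer look.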
"While we have no evidence that Void Rabisu is nation-state-sponsored, it's possible that it is one of the financially motivated threat actors from the criminal underground that got pulled into cyberespionage activities due to the extraordinary geopolitical circumstances caused by the war in Ukraine," said researchers.