Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant

Void Rabisu continues to evolve its ROMCOM backdoor family, delivering a slimmed-down variant (PEAPOD) via a fake Women Political Leaders (WPL) Summit website that lures victims to a OneDrive-hosted SFX downloader signed by Elbor LLC. The installer performs in-memory XOR-decryption of staged DLLs, uses worldtimeapi.org to generate time-based URLs to redditanalytics.pm, establishes C2 over HTTPS with enforced TLS 1.2 (fallback to raw TCP/ICMP), and achieves persistence via COM hijacking of WordPad. #VoidRabisu #ROMCOM

Keypoints

  • Threat actor Void Rabisu set up a malicious clone of the WPL Summit site (wplsummit[.]com) that pointed visitors to a OneDrive folder hosting an executable named Unpublished Pictures 1-20230802T122531-002-sfx.exe.
  • The SFX downloader is signed with a certificate from Elbor LLC, extracts decoy photos, and requests mctelemetryzone[.]com/favicon.ico; the server checks the request's HTTP User-Agent and, only if it matches the expected string, returns a 122 KB XOR-encrypted PE.
  • The downloaded payload is XOR-decrypted in memory (pseudocode: for (i=0; i<len; i++) data[i] = data[i] ^ 0xf0 * i) to a 64-bit DLL that exports CPLInit() and is executed entirely in RAM.
  • The in-memory DLL (“trymenow.dll”) queries worldtimeapi.org to seed a time-based algorithm, Base64-encodes the generated path, and requests a third-stage XOR-encrypted component from redditanalytics[.]pm, which is stored as %PUBLIC%\AccountPictures\Defender\Security.dll for COM hijacking.
  • Persistence and execution are achieved by hijacking CLSID {F5078F32-C551-11D3-89B9-0000F81FE221} (WordPad); launching WordPad triggers the loader. Another component communicates with C2 at netstaticsinformation[.]com.
  • PEAPOD enforces TLS 1.2 via WinHTTP flags and sets options to ignore certificate errors; some campaigns used a TLS-enforcing server that ignored nonconformant requests. If HTTPS fails, the malware falls back to raw TCP (port 442) or ICMP.
  • Compared to ROMCOM 3.0, PEAPOD emphasizes memory-only loading, registry-stored worker, named-pipe IPC, and a reduced command set (10 commands vs 42), enabling modular download of additional components as needed.

MITRE Techniques

  • [T1204.002] User Execution: Malicious Link – Delivery via a cloned event website and OneDrive hosting where the article states ‘the fake website directed visitors to a OneDrive folder containing … Unpublished Pictures 1-20230802T122531-002-sfx.exe’.
  • [T1553.002] Code Signing – Use of a valid code signing certificate to appear legitimate: ‘The executable downloaded from the OneDrive folder is signed by a company called Elbor LLC (which was previously used to sign multiple malicious files)’.
  • [T1027] Obfuscated Files or Information – Payloads are XOR-encrypted to hinder analysis: the article shows decryption pseudocode ‘for (i=0; i<len; i++) data[i] = data[i] ^ 0xf0 * i’.
  • [T1620] Reflective Code Loading – In-memory loading and execution of the decrypted DLL without touching disk: ‘This DLL never touches the disk. In other words, its download, decryption, and execution routines all happen in runtime in memory.’
  • [T1203] Exploitation for Client Execution – Use of a zero-day vulnerability (CVE-2023-36884) in earlier campaigns to gain initial code execution: ‘Void Rabisu used a zero-day vulnerability related to CVE-2023-36884’.
  • [T1546.004] Component Object Model Hijacking – Persistence via COM hijack of a WordPad CLSID: ‘Void Rabisu chose to hijack CLSID {F5078F32-C551-11D3-89B9-0000F81FE221}, which is used by the WordPad application’.
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communication over HTTP/S using WinHTTP and custom User-Agent strings: sample GET to ‘https://redditanalytics.pm/… Accept: */* … User-Agent: Mozilla/5.0 (iPhone; … EdgiOS/114.1823.67 …)’.
  • [T1573] Encrypted Channel – Enforcing TLS 1.2 for C2 to hinder discovery and fingerprinting: ‘The PEAPOD samples we analyzed force WinHTTP functions to use TLS 1.2 … the C&C server … checked the TLS version … and would not respond’.
  • [T1095] Non-Application Layer Protocol – Use of raw TCP (port 442) or ICMP as fallback C2 channels when HTTPS is unavailable: ‘If the malware cannot reach out to the C&C server using HTTPS, it tries to connect via raw TCP (Transmission Control Protocol) at port 442 or ICMP’.

Indicators of Compromise

  • [Domains] Delivery and C2 infrastructure – wplsummit[.]com (fake WPL site), mctelemetryzone[.]com (favicon check/download), redditanalytics[.]pm (staged component host), netstaticsinformation[.]com (C2).
  • [File names] Downloader and staged DLLs – Unpublished Pictures 1-20230802T122531-002-sfx.exe (OneDrive SFX downloader), trymenow.dll (in-memory DLL), %PUBLIC%\AccountPictures\Defender\Security.dll (COM-hijack DLL).
  • [CLSID / Registry] COM hijack target and persistence – CLSID {F5078F32-C551-11D3-89B9-0000F81FE221} (WordPad COM object) and registry-stored worker component (security.dll stored/updated via registry).
  • [Certificate / Signing] Code-signing context – Elbor LLC (certificate used to sign the SFX downloader) and other previously used malicious signing artifacts.
  • [IOC list] Complete indicators reference – Trend Micro IOC text file (link provided in original article) and other sample hashes referenced there.

Void Rabisu’s WPL-targeting campaign begins with a cloned event site that redirects visitors to a OneDrive folder hosting an SFX-style executable signed by Elbor LLC. When run, the downloader displays decoy photos (extracted from its resources) and performs an HTTP GET to mctelemetryzone[.]com/favicon.ico; the server checks the request's HTTP User-Agent and, only if it matches the expected string, returns a 122 KB XOR-encrypted PE. The downloader decrypts this payload in memory (the article's pseudocode shows a byte-wise XOR: for (i=0; i<len; i++) data[i] = data[i] ^ 0xf0 * i), yielding a 64-bit DLL that exports CPLInit() and is loaded and executed without ever touching disk.
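As an added illustration (not code from the article or from the malware itself), the following Python reimplements the byte-wise XOR scheme quoted above so an analyst can try it against a captured favicon.ico blob. It assumes the C pseudocode's operator precedence (each byte is XORed with the product 0xf0 * i) and that data is a byte array, so the product is reduced modulo 256; under that assumption the key stream repeats every 16 bytes, which the script makes visible. The sample blob is constructed here, not a real stage, and the PE-header check is the script's own sanity test, not something the loader does.

```python
"""Reimplementation of the XOR scheme quoted from the article:
    for (i=0; i<len; i++) data[i] = data[i] ^ 0xf0 * i
In C, '*' binds tighter than '^', so byte i is XORed with (0xf0 * i).
Assumption: data is a byte array, so the product is reduced modulo 256,
which makes the key stream repeat with period 16."""

from typing import Optional


def keystream(length: int) -> bytes:
    """(0xf0 * i) & 0xff for i = 0 .. length-1; repeats every 16 bytes."""
    return bytes((0xF0 * i) & 0xFF for i in range(length))


def xor_transform(data: bytes) -> bytes:
    """XOR is symmetric: the same routine encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, keystream(len(data))))


def looks_like_pe(data: bytes) -> bool:
    """Sanity check: 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample_plaintext() -> bytes:
    """Constructed stand-in for a decrypted DLL: a minimal DOS header with
    e_lfanew = 0x40 followed by the PE signature (not a real binary)."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 32


def recover_stage(blob: bytes) -> Optional[bytes]:
    """Decrypt a captured blob; return it only if the result is a PE image."""
    plain = xor_transform(blob)
    return plain if looks_like_pe(plain) else None


if __name__ == "__main__":
    # Constructed "favicon.ico" response: the sample plaintext run through the same XOR
    encrypted = xor_transform(build_sample_plaintext())
    print("period-16 key stream:", keystream(16).hex())
    print("encrypted starts with:", encrypted[:4].hex())
    print("recovered a PE image:", recover_stage(encrypted) is not None)
```

Because the key stream has a 16-byte period and starts with a zero byte, the first byte of the encrypted blob is the plaintext byte itself; that is the kind of weakness an analyst can use to confirm a captured blob is this scheme before running the full decode.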

The in-memory DLL (internally named trymenow.dll) queries worldtimeapi.org for a timestamp used to seed an algorithm that produces a time-based path, Base64-encodes that path, and requests the next stage from redditanalytics[.]pm. The server responds with another XOR-encrypted component that is decrypted and written to %PUBLIC%\AccountPictures\Defender\Security.dll; this component is used to hijack CLSID {F5078F32-C551-11D3-89B9-0000F81FE221} (WordPad). A subsequent time-seeded request pulls a network component that communicates with the C2 at netstaticsinformation[.]com. Launching WordPad causes the COM-hijacked DLL to execute, completing the loader-to-payload chain.

For C2 communications, PEAPOD forces WinHTTP to use TLS 1.2 by setting the appropriate WinHTTP flags and also configures WinHTTP to ignore certificate errors; this was likely intended to make automated discovery and fingerprinting harder (the article notes a TLS-enforcing C2 that ignored nonconformant requests). If HTTPS is unavailable, the malware falls back to raw TCP on port 442 or to ICMP. Architecturally, PEAPOD is a slimmed, modular evolution of ROMCOM: many components are loaded only in memory, the worker can be stored in the registry, IPC uses named pipes, and the command set is reduced, which lets the attacker fetch additional modules on demand while minimizing exposure of those components.
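Added detection example, not part of the article: a Python pass over constructed Sysmon-style events (tab-separated key=value lines standing in for EventData of Event ID 13, registry value set, and Event ID 3, network connection) that flags the two host-observable behaviours described in the paragraphs above, a per-user write to the WordPad CLSID's InprocServer32 key (the COM hijack) and a raw TCP connection to port 442 (the HTTPS fallback). The CLSID, the port and the Security.dll path come from the report; the SID, the other file paths, the IP addresses and the heuristic that wordpad.exe has no legitimate reason to open outbound connections are assumptions made for this example.

```python
"""Flag the COM-hijack and raw-TCP fallback behaviours over sample events.
Events are constructed tab-separated key=value lines (not real telemetry)
modelled on Sysmon Event ID 13 (registry value set) and Event ID 3
(network connection)."""

import re
from typing import Dict, List, Tuple

WORDPAD_CLSID = "{F5078F32-C551-11D3-89B9-0000F81FE221}"  # CLSID named in the report
FALLBACK_PORT = "442"                                      # raw TCP fallback port from the report

# A per-user COM registration under HKU\<SID>\Software\Classes overrides the
# machine-wide HKLM entry for that user's processes, so a new InprocServer32
# value for a system CLSID written there is the COM-hijack footprint.
HIJACK_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\"
    + re.escape(WORDPAD_CLSID)
    + r"\\InprocServer32(\\|$)",
    re.IGNORECASE,
)


def parse_event(line: str) -> Dict[str, str]:
    """Split a tab-separated key=value line into a dict."""
    return dict(field.split("=", 1) for field in line.rstrip("\n").split("\t"))


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the detection names that fire for one event (empty if none)."""
    hits: List[str] = []
    if ev.get("EventID") == "13" and HIJACK_RE.match(ev.get("TargetObject", "")):
        hits.append("com_hijack_wordpad_clsid")
    if ev.get("EventID") == "3":
        if ev.get("Protocol", "").lower() == "tcp" and ev.get("DestinationPort") == FALLBACK_PORT:
            hits.append("raw_tcp_fallback_port_442")
        # Heuristic (assumption): WordPad hosting the hijacked DLL would be the
        # process making C2 connections, and WordPad has no normal reason to.
        if ev.get("Image", "").lower().endswith("\\wordpad.exe"):
            hits.append("wordpad_outbound_connection")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run classify over every line; return (line index, hits) for lines that fire."""
    results: List[Tuple[int, List[str]]] = []
    for idx, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            results.append((idx, hits))
    return results


SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
SAMPLE_EVENTS = [  # constructed events
    # 0: COM hijack write of the WordPad CLSID into the user hive (alert)
    "\t".join([
        "EventID=13", "EventType=SetValue",
        "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe",
        f"TargetObject=HKU\\{SID}\\Software\\Classes\\CLSID\\{WORDPAD_CLSID}\\InprocServer32\\(Default)",
        "Details=C:\\Users\\Public\\AccountPictures\\Defender\\Security.dll",
    ]),
    # 1: unrelated per-user CLSID registration by an installer (no alert; constructed CLSID)
    "\t".join([
        "EventID=13", "EventType=SetValue", "Image=C:\\Program Files\\SomeApp\\setup.exe",
        f"TargetObject=HKU\\{SID}\\Software\\Classes\\CLSID\\{{11111111-2222-3333-4444-555555555555}}\\InprocServer32\\(Default)",
        "Details=C:\\Program Files\\SomeApp\\someapp.dll",
    ]),
    # 2: WordPad connecting to port 442 over TCP (two alerts)
    "\t".join([
        "EventID=3", "Image=C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe",
        "Protocol=tcp", "DestinationIp=203.0.113.10", "DestinationPort=442",
    ]),
    # 3: ordinary browser HTTPS traffic (no alert)
    "\t".join([
        "EventID=3", "Image=C:\\Program Files\\Browser\\browser.exe",
        "Protocol=tcp", "DestinationIp=203.0.113.20", "DestinationPort=443",
    ]),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The registry rule keys on the user hive rather than on the DLL path on purpose: the path can change between campaigns, but a system CLSID gaining an InprocServer32 entry under HKU is the mechanism itself. The port rule is a narrow indicator from this report and should be paired with the usual outbound-ICMP baselining for the other fallback channel.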

Read more: https://www.trendmicro.com/en_us/research/23/j/void-rabisu-targets-female-leaders-with-new-romcom-variant.html