Peapod

Malware updated 2 months ago (2024-09-24T03:00:59.794Z)
Peapod is a sophisticated form of malware that evolved from the RomCom 3.0 backdoor. The cybercriminal group Void Rabisu appears to have transitioned from RomCom 3.0 to Peapod, which shows several architectural differences from its predecessor. This new strain, which Trend Micro also refers to as RomCom 4.0, incorporates techniques observed in both RomCom 3.0 and its offshoot Peapod, along with new tricks and unique code obfuscation methods. Despite these changes, Peapod still gives the operator a level of control over infected systems similar to that of RomCom 3.0, as evidenced by the commands listed in Table 3.

Peapod was deployed through an exploit chain involving two vulnerabilities, CVE-2023-36584 and CVE-2023-36884. Microsoft patched these Windows remote code execution vulnerabilities in October and July 2023 respectively. The malware forces WinHTTP functions to use TLS 1.2 instead of the version the operating system would choose by default, which shows a degree of sophistication in its approach to system infiltration. Our analysis suggests, however, that Peapod cannot infect systems running Windows 7 and earlier versions.

In summary, Peapod is an evolution of the RomCom malware that combines advanced techniques with the exploitation of known vulnerabilities to infiltrate systems. While there are key differences between RomCom 3.0 and Peapod, the latter maintains a similar level of control over victim systems. Organizations should ensure their systems are updated with the latest patches to protect against such threats.
Description last updated: 2024-09-24T02:15:53.577Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth looking at.
Alias: RomCom (6 votes)
RomCom is a possible alias for Peapod. The RomCom malware, a Remote Access Trojan (RAT), has been linked to Cuba ransomware actors and Industrial Spy ransomware actors, according to third-party and open-source reports. Since spring 2022, the Russian-speaking group UAT-5647, also known as RomCom, has targeted Ukrainian government entities
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Payload
Windows
Associated Threat Actors
Threat actor: Void Rabisu (3 votes)
The Void Rabisu threat actor is associated with Peapod. Void Rabisu, also known as Storm-0978, UNC2596, and Tropical Scorpius, is a malicious software (malware) notable for its use of the ROMCOM backdoor. This malware has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. It has used