RomCom

Malware updated a month ago (2024-11-29T14:24:37.339Z)
RomCom is a backdoor / Remote Access Trojan (RAT) family that is also the name used for the threat actor deploying it. Third-party and open-source intelligence reporting since spring 2022 has linked RomCom RAT actors to Cuba ransomware actors and Industrial Spy ransomware actors. The malware's tactics, techniques, and procedures (TTPs) have evolved over time; the most recent variant, SingleCamper, is loaded directly from the registry into memory and communicates with its loader over a loopback address.

In October 2024, Cisco Talos researchers observed RomCom, a Russia-linked threat actor, targeting Ukrainian government agencies and Polish entities, part of a wave of attacks ongoing since late 2023. In these operations RomCom exploited two zero-day vulnerabilities, which allowed it to compromise victims' systems without any user interaction. The payload was downloaded and executed from Command and Control (C2) servers such as journalctd[.]live, correctiv[.]sbs, or cwise[.]store. The compromise chain started with a fake website that redirected potential victims to the server hosting the exploit; on success, shellcode ran that downloaded and executed the RomCom backdoor.

RomCom, also tracked as UAT-5647, Storm-0978, Tropical Scorpius, UAC-0180, and UNC2596, exploited Firefox and Tor Browser zero-day vulnerabilities in recent attacks on users across Europe and North America. The group's ability to chain these vulnerabilities together enabled sophisticated attacks that required no user interaction.
Description last updated: 2024-11-28T11:53:45.915Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias | Description | Votes

Romcom Backdoor (8 votes) is a possible alias for RomCom. The RomCom backdoor is a malicious software (malware) primarily utilized by the threat actor Void Rabisu, which has been linked to the pro-Russian APT group known as Storm-0978 or the RomCom Group. The malware is typically spread through deceptive websites that redirect potential victims to a server

Peapod (6 votes) is a possible alias for RomCom. Peapod is a sophisticated form of malware that has evolved from the RomCom 3.0 backdoor. The cybercriminal group Void Rabisu appears to have transitioned from using RomCom 3.0 to Peapod, which exhibits several architectural differences compared to its predecessor. This new strain, also referred to a

Romcom Remote Access Trojan (3 votes) is a possible alias for RomCom. The RomCom Remote Access Trojan (RAT) is a harmful malware that has been evolving and causing significant threats to cybersecurity. Based on the RomCom 3.0 version, it incorporates techniques seen in RomCom 4.0, resulting in the creation of RomCom 5.0. This malware can infiltrate systems via suspici

Tropical Scorpius (3 votes) is a possible alias for RomCom. Tropical Scorpius, also known as RomCom, Storm-0978, and UNC2596, is a threat actor group that has been active since at least late 2020. This Russian-based cybercrime group is associated with Cuba ransomware and the RomCom backdoor, and it has exploited various techniques such as Magic bytes, Proces

Unc2596 (3 votes) is a possible alias for RomCom. UNC2596, also known as RomCom, Storm-0978, Tropical Scorpius, and Void Rabisu, is a Russian-based cybercrime group that has executed a series of attacks across Europe and North America. The threat actor has exploited two zero-day vulnerabilities in Firefox and Tor Browser in its recent operations. R

Snipbot (3 votes) is a possible alias for RomCom. SnipBot is a malicious software program that was first identified in Ukraine and submitted to VirusTotal in December 2023. It uses a custom obfuscation technique and advanced anti-analysis tricks to infiltrate systems undetected. The malware's execution flow begins with an initial EXE downloader, wh

Romcom Group (2 votes) is a possible alias for RomCom. The RomCom group, also known as Storm-0978, is a Russia-based threat actor identified for deploying the Underground ransomware. This group has been linked to various advanced cyber campaigns, with their tactics reflecting similarities to their previous attacks. The group's activities have been attri
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
Exploit
RAT
Vulnerability
Microsoft
Backdoor
Windows
Zero Day
Ukraine
APT
Phishing
Payload
NATO
Espionage
Extortion
Firefox
Cybercrime
Trojan
Loader
Downloader
Cuba
Tool
KeePass
PaperCut
Associated Malware
Alias | Description | Association Type | Votes

The Cuba Ransomware Malware is associated with RomCom (association type: Unspecified; 3 votes). The Cuba ransomware is a malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once insi
Associated Threat Actors
Alias | Description | Association Type | Votes

The Void Rabisu Threat Actor is associated with RomCom (association type: has used; 3 votes). Void Rabisu, also known as Storm-0978, UNC2596, and Tropical Scorpius, is a malicious software (malware) notable for its use of the ROMCOM backdoor. This malware has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. In

The Storm-0978 Threat Actor is associated with RomCom (association type: is related to; 2 votes). Storm-0978, also known as RomCom or DEV-0978, is a threat actor group alleged to have connections with Russia. Microsoft, in a blog post published on July 11, 2023, accused this group of exploiting the vulnerability CVE-2023-36884 to install backdoors on target systems. The cybersecurity industry ha
Associated Vulnerabilities
Alias | Description | Association Type | Votes

The CVE-2023-36884 Vulnerability is associated with RomCom (association type: Unspecified; 3 votes). CVE-2023-36884 is a significant software vulnerability that affects Microsoft Windows, Server, Office, and Outlook. This flaw in the design or implementation of these software platforms allows for remote code execution (RCE), which has been exploited by cybercriminals and potentially state-sponsored

The vulnerability CVE-2024-9680 is associated with RomCom (association type: Unspecified; 2 votes).
Source Document References
Information about the RomCom Malware was read from the documents corpus below (display limited to 20 results).

Source | Created At

Checkpoint | 24 days ago
Securityaffairs | 24 days ago
Securityaffairs | a month ago
InfoSecurity-magazine | a month ago
DARKReading | a month ago
Checkpoint | 2 months ago
Securityaffairs | 2 months ago
Contagio | 3 months ago
DARKReading | 3 months ago
Unit42 | 3 months ago
Flashpoint | 7 months ago
CERT-EU | 10 months ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
Unit42 | a year ago
BankInfoSecurity | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago