RomCom

Malware updated 3 days ago (2024-10-15T10:01:33.340Z)

Download STIX

Preview STIX

The RomCom malware, a malicious software that has been active since 2022, is an ongoing cyber threat. This Remote Access Trojan (RAT) is known for its various harmful activities including ransomware attacks, extortion, and targeted credential gathering, primarily aimed at supporting intelligence-gathering operations. Recently, a new variant of this malware, dubbed SnipBot by Palo Alto's Unit 42 researchers, has been discovered, integrating novel obfuscation techniques and exhibiting unique post-infection activities not seen in previous variants such as RomCom 3.0 and PEAPOD/RomCom 4.0. This latest version appears to have been spreading since December, picking up where the last version of RomCom left off. This year, there have been significant developments in the tactics, techniques, and procedures (TTPs) of Cuba ransomware actors. Reports from third-party and open-source platforms suggest a possible link between these actors, RomCom RAT actors, and Industrial Spy ransomware actors. This connection suggests a complex web of cyber threats involving multiple types of malware. The RomCom threat actor has shown particular interest in cyber espionage against Ukraine and its supporters, often deploying ransomware payloads alongside their cyber-espionage activities. Despite occasional instances of ransomware being dropped on systems infected with RomCom in the past, no such incidents were observed in the recent cases studied by Sophos or in our own investigations. The Computer Emergency Response Team of Ukraine (CERT-UA) has published information about the threat group and its operation, given the actor's interest in targeting Ukrainian defense enterprises. It is clear that the RomCom malware remains an active threat, evolving with new versions and strategies, requiring vigilant cybersecurity measures.

Description last updated: 2024-10-15T09:28:09.556Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Peapod is a possible alias for RomCom. Peapod is a sophisticated form of malware that has evolved from the RomCom 3.0 backdoor. The cybercriminal group Void Rabisu appears to have transitioned from using RomCom 3.0 to Peapod, which exhibits several architectural differences compared to its predecessor. This new strain, also referred to a	6
Romcom Backdoor is a possible alias for RomCom. The RomCom backdoor, a malicious software, is primarily used by the threat actor Void Rabisu, also known as Tropical Scorpius or Storm-0978. This malware has been associated with Cuba ransomware and has been notably deployed in cyberespionage activities, shifting away from opportunistic ransomware a	5
Snipbot is a possible alias for RomCom. SnipBot is a malicious software program that was first identified in Ukraine and submitted to VirusTotal in December 2023. It uses a custom obfuscation technique and advanced anti-analysis tricks to infiltrate systems undetected. The malware's execution flow begins with an initial EXE downloader, wh	3
Romcom Remote Access Trojan is a possible alias for RomCom. The RomCom Remote Access Trojan (RAT) is a harmful malware that has been evolving and causing significant threats to cybersecurity. Based on the RomCom 3.0 version, it incorporates techniques seen in RomCom 4.0, resulting in the creation of RomCom 5.0. This malware can infiltrate systems via suspici	3
Tropical Scorpius is a possible alias for RomCom. Tropical Scorpius is a notorious malware, first identified in late 2020, associated with the Cuba ransomware gang. This malicious software has been linked to multiple cybercriminal activities, including disrupting operations, stealing personal information, and holding data hostage for ransom. The ma	2
Unc2596 is a possible alias for RomCom. UNC2596, also known as Void Rabisu, Tropical Scorpius, and Storm-0978, is a hybrid threat actor involved in both financially motivated and espionage attacks. This group has been refining its tactics and techniques, utilizing backdoor attacks that have targeted various high-profile events, including	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Ransomware

Rat

Microsoft

Backdoor

Nato

Phishing

Payload

Vulnerability

Ukraine

Trojan

Espionage

Extortion

Exploit

Apt

Loader

Downloader

Windows

Keepass

Cybercrime

Papercut

Cuba

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Cuba Ransomware Malware is associated with RomCom. The Cuba ransomware is a malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once insi	Unspecified	3

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Void Rabisu Threat Actor is associated with RomCom. Void Rabisu, also known as Storm-0978, UNC2596, and Tropical Scorpius, is a malicious software (malware) notable for its use of the ROMCOM backdoor. This malware has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. In	has used	3
The Storm-0978 Threat Actor is associated with RomCom. Storm-0978, also known as RomCom or DEV-0978, is a threat actor group alleged to have connections with Russia. Microsoft, in a blog post published on July 11, 2023, accused this group of exploiting the vulnerability CVE-2023-36884 to install backdoors on target systems. The cybersecurity industry ha	is related to	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2023-36884 Vulnerability is associated with RomCom. CVE-2023-36884 is a significant software vulnerability that affects Microsoft Windows, Server, Office, and Outlook. This flaw in the design or implementation of these software platforms allows for remote code execution (RCE), which has been exploited by cybercriminals and potentially state-sponsored	Unspecified	3

Source Document References

Information about the RomCom Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Contagio	22 days ago	2024-09-23 SNIPBOT RomCom Multi-Stage RAT Samples
DARKReading	24 days ago	RomCom Malware Resurfaces With SnipBot Variant
Unit42	24 days ago	Inside SnipBot: The Latest RomCom Malware Variant
Flashpoint	5 months ago	Evolving Tactics: How Russian APT Groups Are Shaping Cyber Threats in 2024
CERT-EU	7 months ago	Why Is Gender Diversity Important In Cybersecurity? \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	9 months ago	I'm in love with a Nigerian internet fraudster: The women who carry on loving romance scammers even after the man's been exposed as a fraud - and taken them to the cleaners \| #datingscams \| #lovescams \| #datingscams \| #love \| #relationships \| #scams \| #pof \| #match.com \| #dating \| National Cyber Security Consulting
CERT-EU	a year ago	CISA Adds Three Security Flaws with Active Exploitation to KEV Catalog
CERT-EU	a year ago	In-depth analysis of July 2023 exploit chain featuring CVE-2023-36884 and CVE-2023-36584 - Cyber Security Review
Unit42	a year ago	In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584
BankInfoSecurity	a year ago	Women Political Leaders Targeted With RomCom RAT Variant
CERT-EU	a year ago	RomCom Malware Group Targets EU Gender Equality Summit
CERT-EU	a year ago	RomCom Malware Group Targets EU Gender Equality Summit
CERT-EU	a year ago	Novel RomCom RAT variant used in attacks against female political leaders
DARKReading	a year ago	'RomCom' Cyber Campaign Targets Women Political Leaders
InfoSecurity-magazine	a year ago	New RomCom Backdoor Targets Female Political Leaders
CERT-EU	a year ago	Women Political Leaders Summit targeted in RomCom malware phishing
CERT-EU	a year ago	New PEAPOD Cyberattack Campaign Targeting Women Political Leaders
CERT-EU	a year ago	Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant
Trend Micro	a year ago	Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant
CERT-EU	a year ago	At least 23 Russian hacker groups targeted Ukraine in 2023, Ukraine’s cyber defense says