RomCom

Malware updated a month ago (2024-10-22T21:00:58.265Z)
The RomCom malware, a Remote Access Trojan (RAT), has been linked to Cuba ransomware and Industrial Spy ransomware actors, according to third-party and open-source reports. Since spring 2022, the Russian-speaking group UAT-5647, also known as RomCom, has targeted Ukrainian government entities and Polish organizations with updated variants of the RomCom malware. This year, these actors have added new techniques to their tactics, techniques, and procedures (TTPs), expanding their capabilities for network reconnaissance, data exfiltration, and the establishment of remote tunnels between targeted endpoints and attacker-controlled servers.

RomCom's recent attacks show increased data exfiltration from Ukrainian targets, marking a shift from its earlier focus on ransomware attacks and cyber espionage campaigns. The group has deployed an updated variant of the RomCom RAT, dubbed 'SingleCamper', which is loaded directly from the registry into memory and communicates with its loader over a loopback address. Since late 2023, the Russia-linked threat actor has launched a new wave of attacks against Ukrainian government agencies and Polish entities.

The RomCom threat actor, active since at least 2022, is interested in cyber espionage against Ukraine and its supporters; the Computer Emergency Response Team of Ukraine (CERT-UA) has published information about the group and its operations. The latest version of the malware, SnipBot (RomCom), integrates novel obfuscation techniques and exhibits distinct post-infection activities not seen in previous variants. Despite ongoing efforts to counter its activities, RomCom remains an active threat, engaging in ransomware, extortion, and targeted credential gathering in support of intelligence-gathering operations.
Description last updated: 2024-10-22T17:43:13.372Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

Alias / Description / Votes

Peapod is a possible alias for RomCom. Peapod is a sophisticated form of malware that has evolved from the RomCom 3.0 backdoor. The cybercriminal group Void Rabisu appears to have transitioned from using RomCom 3.0 to Peapod, which exhibits several architectural differences compared to its predecessor. This new strain, also referred to a (Votes: 6)

Romcom Backdoor is a possible alias for RomCom. The RomCom backdoor, a malicious software, is primarily used by the threat actor Void Rabisu, also known as Tropical Scorpius or Storm-0978. This malware has been associated with Cuba ransomware and has been notably deployed in cyberespionage activities, shifting away from opportunistic ransomware a (Votes: 5)

Romcom Remote Access Trojan is a possible alias for RomCom. The RomCom Remote Access Trojan (RAT) is a harmful malware that has been evolving and causing significant threats to cybersecurity. Based on the RomCom 3.0 version, it incorporates techniques seen in RomCom 4.0, resulting in the creation of RomCom 5.0. This malware can infiltrate systems via suspici (Votes: 3)

Snipbot is a possible alias for RomCom. SnipBot is a malicious software program that was first identified in Ukraine and submitted to VirusTotal in December 2023. It uses a custom obfuscation technique and advanced anti-analysis tricks to infiltrate systems undetected. The malware's execution flow begins with an initial EXE downloader, wh (Votes: 3)

Tropical Scorpius is a possible alias for RomCom. Tropical Scorpius, also known as Void Rabisu, Storm-0978, and UNC2596, is a significant threat actor in the cybersecurity landscape. Initially appearing on the radar in late 2020, the group gained notoriety for its deployment of Cuba ransomware and association with the RomCom backdoor. This maliciou (Votes: 2)

Unc2596 is a possible alias for RomCom. UNC2596, also known as Void Rabisu, Tropical Scorpius, and Storm-0978, is a hybrid threat actor involved in both financially motivated and espionage attacks. This group has been active since at least late 2023, with cybersecurity firm Trend Micro identifying the group's activities of honing a backdo (Votes: 2)
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Ransomware
RAT
Microsoft
Backdoor
NATO
Payload
Ukraine
Vulnerability
Phishing
Exploit
Trojan
Espionage
Loader
Extortion
APT
Downloader
Windows
Tool
Cybercrime
PaperCut
Cuba
KeePass
Associated Malware
Alias / Description / Association Type / Votes

The Cuba Ransomware Malware is associated with RomCom. The Cuba ransomware is a malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once insi (Association type: Unspecified; Votes: 3)
Associated Threat Actors
Alias / Description / Association Type / Votes

The Void Rabisu Threat Actor is associated with RomCom. Void Rabisu, also known as Storm-0978, UNC2596, and Tropical Scorpius, is a malicious software (malware) notable for its use of the ROMCOM backdoor. This malware has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. In (Association type: has used; Votes: 3)

The Storm-0978 Threat Actor is associated with RomCom. Storm-0978, also known as RomCom or DEV-0978, is a threat actor group alleged to have connections with Russia. Microsoft, in a blog post published on July 11, 2023, accused this group of exploiting the vulnerability CVE-2023-36884 to install backdoors on target systems. The cybersecurity industry ha (Association type: is related to; Votes: 2)
Associated Vulnerabilities
Alias / Description / Association Type / Votes

The CVE-2023-36884 Vulnerability is associated with RomCom. CVE-2023-36884 is a significant software vulnerability that affects Microsoft Windows, Server, Office, and Outlook. This flaw in the design or implementation of these software platforms allows for remote code execution (RCE), which has been exploited by cybercriminals and potentially state-sponsored (Association type: Unspecified; Votes: 3)
Source Document References
Information about the RomCom malware was read from the documents corpus below (display limited to 20 results).

Source / Created

Checkpoint (a month ago)
Securityaffairs (a month ago)
Contagio (2 months ago)
DARKReading (2 months ago)
Unit42 (2 months ago)
Flashpoint (6 months ago)
CERT-EU (8 months ago)
CERT-EU (10 months ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Unit42 (a year ago)
BankInfoSecurity (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
DARKReading (a year ago)
InfoSecurity-magazine (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)