Romcom Backdoor

Malware updated 7 months ago (2024-05-04T18:29:33.690Z)
The RomCom backdoor is malware used primarily by the threat actor Void Rabisu, also known as Tropical Scorpius or Storm-0978. It has been associated with Cuba ransomware and has been notably deployed in cyberespionage activities, marking a shift away from opportunistic ransomware attacks. The group has continued to develop the malware a year after this shift, with the latest version dubbed "ROMCOM 4.0". Notably, the RomCom backdoor was used in typosquatting attacks targeting a July NATO summit. The payload spread by Void Rabisu has evolved over time, as shown by differences between recent versions and those analyzed in earlier research entries. One of the most notable exploit chains involves RTF (Rich Text Format) exploitation, which triggers an outbound connection that downloads OLE (Object Linking & Embedding) streams into Office applications and subsequently deploys the RomCom backdoor. The final payload was a new variant of the ROMCOM backdoor, which has targeted industries such as cryptocurrency and regions including Europe, the USA, and Latin America. The RomCom backdoor has been linked to various cyberattacks, including those against politicians in Ukraine and U.S.-based healthcare providers aiding refugees from Ukraine. In August, Void Rabisu used the fourth version of the RomCom backdoor in a campaign against some participants of the Women Political Leaders (WPL) Summit in Brussels, indicating a growing shift in threat actors' goals towards more specific and strategic targets. The pro-Russian APT group known as Storm-0978, also referred to as the RomCom Group because of its use of the RomCom backdoor, has been attributed these activities.
Description last updated: 2024-05-04T17:43:39.590Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.
Alias, description, and votes:

RomCom (5 votes): RomCom is a possible alias for Romcom Backdoor. The RomCom malware, a Remote Access Trojan (RAT), has been linked to Cuba ransomware actors and Industrial Spy ransomware actors, according to third-party and open-source reports. Since spring 2022, the Russian-speaking group UAT-5647, also known as RomCom, has targeted Ukrainian government entities

Romcom Group (2 votes): Romcom Group is a possible alias for Romcom Backdoor. The RomCom group, also known as Storm-0978, is a Russia-based threat actor identified for deploying the Underground ransomware. This group has been linked to various advanced cyber campaigns, with their tactics reflecting similarities to their previous attacks. The group's activities have been attri
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware, Malware, Microsoft, APT
Associated Threat Actors
Threat actor, description, association type, and votes:

Void Rabisu (3 votes): The Void Rabisu Threat Actor is associated with Romcom Backdoor. Void Rabisu, also known as Storm-0978, UNC2596, and Tropical Scorpius, is a threat actor notable for its use of the ROMCOM backdoor. This actor has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. In has used
Source Document References
Information about the Romcom Backdoor malware was read from the document corpus below (this display is limited to 20 results).

Source and creation time (17 entries; titles and links not preserved on this page):
CERT-EU, a year ago (13 entries)
Unit42, a year ago
BankInfoSecurity, a year ago
Trend Micro, a year ago
InfoSecurity-magazine, a year ago