Romcom Backdoor

Malware updated 15 days ago (2024-11-29T13:58:23.568Z)
The RomCom backdoor is malware used primarily by the threat actor Void Rabisu, a pro-Russian APT group that other vendors track as Storm-0978 or the RomCom Group. Victims are typically lured to a fake website that redirects them to a server hosting an exploit; if the exploit succeeds, shellcode runs that downloads and executes the RomCom backdoor on the victim's machine. Void Rabisu's activity has spanned cyberespionage and ransomware, with a particular emphasis on the cryptocurrency industry in Europe, the USA, and Latin America.

Almost a year after shifting its focus from opportunistic ransomware to cyberespionage, Void Rabisu continued to develop the backdoor: an updated version, dubbed "ROMCOM 4.0" or "PEAPOD", was identified as the final payload in several attacks delivered through the same fake-website-to-exploit-server chain. More recently, the backdoor has been delivered by exploiting Firefox and Windows zero-day vulnerabilities in the wild.

Targets have included politicians in Ukraine, U.S.-based healthcare providers offering aid to refugees from Ukraine, and attendees of a July NATO summit, the last through typosquatted domains. The BlackBerry research team reported that the summit lure relied on RTF exploitation: opening the document triggers an outbound connection from the Office application that retrieves OLE streams, which in turn lead to deployment of the RomCom backdoor. Two practical consequences for defenders follow from that chain: the first network indicator is often the Office process itself reaching out, not a separate dropper, and the lure domains are chosen to look like the legitimate event or organisation being impersonated.
Description last updated: 2024-11-28T11:54:04.348Z
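As an added example (not code from this page or from any of the vendors it cites), the following hunt turns the two delivery behaviours described above into checks over endpoint network-connection events: an Office process opening an outbound connection (the RTF lure fetching OLE content), and a destination domain within one edit of a watched legitimate domain (the typosquatted lure). The event format, hostnames, process paths, domains and the `example-summit.org` watchlist are constructed for illustration and are not real RomCom infrastructure.

```python
"""Hunting checks for RomCom-style delivery behaviour over endpoint network
events.  Added example, not code from the page or from any vendor cited on it.
The event format, hosts, processes and domains below are constructed for
illustration (assumptions), not real RomCom infrastructure."""
import ntpath
import re

# Office binaries whose outbound connections deserve a second look after an
# RTF/Office lure: the write-up describes the Office process itself fetching
# OLE streams from the attacker's server.
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Simplified Sysmon-style network-connection events (constructed sample data).
SAMPLE_EVENTS = """\
2023-07-05T10:14:02Z host=WS01 image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE dst=files.example-summit.org:80
2023-07-05T10:14:03Z host=WS01 image=C:\\Windows\\System32\\svchost.exe dst=ctldl.windowsupdate.com:80
2023-07-05T10:15:20Z host=WS02 image=C:\\Program Files\\Mozilla Firefox\\firefox.exe dst=www.exampIe-summit.org:443
2023-07-05T10:16:41Z host=WS02 image=C:\\Program Files\\Google\\Chrome\\chrome.exe dst=www.example-summit.org:443
"""

# Legitimate domains whose lookalikes we want to catch (assumed watchlist).
WATCHLIST = {"example-summit.org"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+?) dst=(?P<dst>\S+)$"
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(dst: str) -> str:
    """Strip the port, lower-case, and keep the last two labels.
    Lower-casing is what turns the capital-I-for-l lookalike into a
    one-edit neighbour of the real domain."""
    name = dst.rsplit(":", 1)[0].lower().rstrip(".")
    return ".".join(name.split(".")[-2:])


def hunt(log_text: str, watchlist: set[str], max_distance: int = 1) -> list[dict]:
    """Return one finding per suspicious event: Office processes reaching out,
    and destinations within max_distance edits of a watched domain."""
    findings = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        proc = ntpath.basename(m["image"]).lower()
        domain = registrable(m["dst"])
        base = {"ts": m["ts"], "host": m["host"], "process": proc, "dst": domain}
        if proc in OFFICE_PROCS:
            findings.append({**base, "reason": "office_outbound"})
        for legit in sorted(watchlist):
            distance = levenshtein(domain, legit)
            if 0 < distance <= max_distance:  # 0 is the real domain, not a lookalike
                findings.append({**base, "reason": "lookalike_domain", "mimics": legit})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, WATCHLIST):
        print(finding)
```

On the sample data the hunt raises two findings: WINWORD.EXE on WS01 connecting out, and the Firefox visit to the one-edit lookalike of the watched domain. In production the Office rule needs an allowlist of the update and licensing endpoints Office contacts on its own, and the lookalike check should also be run against newly registered domains and proxy logs, with the distance threshold kept small so that unrelated short domains do not flood the queue.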
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following names and profiles may describe the same malware or its operators and are worth checking alongside this entry.
Alias | Description | Votes
RomCom | RomCom is a possible alias for Romcom Backdoor. RomCom, a malicious software, has been identified as a significant cyber threat. Reports from third-party and open-source intelligence since spring 2022 have indicated a connection between RomCom Remote Access Trojan (RAT) actors, Cuba ransomware actors, and Industrial Spy ransomware actors. The mal | 8
Romcom Group | Romcom Group is a possible alias for Romcom Backdoor. The RomCom group, also known as Storm-0978, is a Russia-based threat actor identified for deploying the Underground ransomware. This group has been linked to various advanced cyber campaigns, with their tactics reflecting similarities to their previous attacks. The group's activities have been attri | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Malware
Ransomware
Backdoor
Microsoft
Apt
Associated Threat Actors
Threat Actor | Description | Association Type | Votes
Void Rabisu | The Void Rabisu Threat Actor is associated with Romcom Backdoor. Void Rabisu, also known as Storm-0978, UNC2596, and Tropical Scorpius, is a threat actor notable for its use of the ROMCOM backdoor. This group has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. It has used | associated with | 3
Source Document References
Information about the Romcom Backdoor malware was read from the documents listed below (display limited to 20 results).
Source | Created
Securityaffairs | 16 days ago
InfoSecurity-magazine | 16 days ago
DARKReading | 16 days ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
Unit42 | a year ago
BankInfoSecurity | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
Trend Micro | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
InfoSecurity-magazine | a year ago