Romcom Backdoor

Malware Profile (updated 3 months ago)
RomCom is a backdoor primarily used by the threat actor Void Rabisu, also tracked as Tropical Scorpius or Storm-0978. The malware has been associated with Cuba ransomware, but its operators have shifted from opportunistic ransomware attacks to cyberespionage, and they have kept developing it in the year since that shift; the latest version has been dubbed "ROMCOM 4.0". Notably, the RomCom backdoor was used in typosquatting attacks targeting a July NATO summit. The payload distributed by Void Rabisu has evolved over time, as shown by differences between recent versions and those analyzed in earlier research entries. One notable delivery chain involves RTF (Rich Text Format) exploitation: the document triggers an outbound connection that downloads OLE (Object Linking and Embedding) streams into Office applications, which in turn deploy the RomCom backdoor. The final payload was a new variant of the ROMCOM backdoor, which has targeted industries such as cryptocurrency and regions including Europe, the USA and Latin America. RomCom has been linked to several cyberattacks, including those against politicians in Ukraine and against U.S.-based healthcare providers aiding refugees from Ukraine. In August, Void Rabisu used the fourth version of the RomCom backdoor in a campaign against some participants in the Women Political Leaders (WPL) Summit in Brussels, indicating a shift in the threat actor's goals towards more specific and strategic targets. These activities have been attributed to the pro-Russian APT group known as Storm-0978, also referred to as the RomCom Group because of its use of the RomCom backdoor.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
RomCom (5 votes): RomCom is a type of malware, specifically a Remote Access Trojan (RAT), that has been linked to several cyber-attacks across Europe and North America. It was first identified in spring 2022, when third-party and open-source reports highlighted a potential connection between Cuba ransomware actors, R

Void Rabisu (3 votes): Void Rabisu, also known as Storm-0978, UNC2596, and Tropical Scorpius, is a malicious software (malware) notable for its use of the ROMCOM backdoor. This malware has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. In

RomCom Group (2 votes): The RomCom Group, also known as Storm-0978, is a pro-Russian Advanced Persistent Threat (APT) group notorious for its advanced cyber campaigns. The group is recognized for their use of the RomCom backdoor, a malware that exploits and damages computer systems to steal personal information, disrupt op

PEAPOD (1 vote): PEAPOD, a novel variant of the RomCom RAT malware, was discovered to have been used in targeted attacks against female political leaders who participated in the Women Political Leaders Summit in June. The threat operation responsible for these attacks is known as Void Rabisu, also referred to as Sto

Storm-0978 (1 vote): Storm-0978, also known as RomCom or DEV-0978, is a threat actor group alleged to have connections with Russia. Microsoft, in a blog post published on July 11, 2023, accused this group of exploiting the vulnerability CVE-2023-36884 to install backdoors on target systems. The cybersecurity industry ha

Tropical Scorpius (1 vote): Tropical Scorpius is a notorious malware, first identified in late 2020, associated with the Cuba ransomware gang. This malicious software has been linked to multiple cybercriminal activities, including disrupting operations, stealing personal information, and holding data hostage for ransom. The ma
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
APT
Malware
Microsoft
Infostealer
NATO
Ukraine
Payload
Backdoor
Exploit
Espionage
Phishing
Loader
Associated Malware
Cuba Ransomware (type: unspecified, 1 vote): The Cuba ransomware is a malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once insi
Associated Threat Actors
UNC2596 (type: unspecified, 1 vote): UNC2596, also known as Void Rabisu, Tropical Scorpius, and Storm-0978, is a hybrid threat actor involved in both financially motivated and espionage attacks. This group has been refining its tactics and techniques, utilizing backdoor attacks that have targeted various high-profile events, including
Associated Vulnerabilities
No associations to display
Source Document References
Information about the RomCom backdoor malware was read from the documents in the corpus listed below. This display is limited to 20 results.
Source (created at): Title

CERT-EU (a year ago): Cyber Storm Unleashed: Unmasking STORM-0978’s Exploitation of the CVE-2023-36884 Vulnerability
CERT-EU (a year ago): Storm-0978 attacks reveal financial and espionage motives | Microsoft Security Blog
CERT-EU (8 months ago): In-depth analysis of July 2023 exploit chain featuring CVE-2023-36884 and CVE-2023-36584 - Cyber Security Review
Unit42 (8 months ago): In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584
BankInfoSecurity (9 months ago): Women Political Leaders Targeted With RomCom RAT Variant
CERT-EU (9 months ago): RomCom Malware Group Targets EU Gender Equality Summit
CERT-EU (9 months ago): Women Political Leaders Summit targeted in RomCom malware phishing
CERT-EU (9 months ago): Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant
Trend Micro (9 months ago): Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant
CERT-EU (10 months ago): At least 23 Russian hacker groups targeted Ukraine in 2023, Ukraine’s cyber defense says
CERT-EU (a year ago): Microsoft warns Office admins to block exploitation of zero-day hole | IT World Canada News
CERT-EU (a year ago): Russia-Linked RomCom Hackers Targeting NATO Summit Guests
CERT-EU (a year ago): Geopolitical Warfare in the Digital Age: The NATO Summit Cyber Incursion
CERT-EU (a year ago): Anomali Cyber Watch: Cadet Blizzard - New GRU APT, ChamelDoH Hard-to-Detect Linux RAT, Stealthy DoubleFinger Targets Cryptocurrency
CERT-EU (a year ago): CISA to Gov't Agencies: Mitigate a Flaw in Windows and Office
CERT-EU (a year ago): Microsoft patches 4 actively exploited zero-day bugs, working on a 5th
InfoSecurity-magazine (a year ago): Microsoft Fixes Six Zero-Days This Patch Tuesday