Romcom Group

Malware updated 17 days ago (2024-08-30T17:17:56.012Z)
The RomCom Group, also known as Storm-0978, is a Russia-based threat actor notorious for its advanced cyber campaigns. The group has been attributed with deploying the Underground ransomware and is recognized for its use of the RomCom backdoor. Its activities have been linked to both financial and espionage motives, and it is well known for sophisticated techniques, most often phishing emails, to infiltrate systems. The cybersecurity community attributes these activities to a pro-Russian Advanced Persistent Threat (APT) group.

In recent developments, the Cybersecurity and Infrastructure Security Agency (CISA) identified a bug, tracked as CVE-2023-36884, that is being exploited by the RomCom group. This remote code execution flaw poses significant risk to federal enterprises and is frequently used as an attack vector by malicious actors. Microsoft refers to the group as Storm-0978 and highlights its reputation for delivering malware through seemingly harmless downloads, emails, or websites.

BlackBerry has noted that the tactics observed in the RomCom group's recent operations resemble those of its previous attacks. While the exact method of initial infection remains undisclosed, spear-phishing is suspected to be the group's primary vector. On July 4, two deceptive documents believed to be lures used by the RomCom group were discovered. These findings further underscore the group's persistent threat and the need for continued vigilance against such sophisticated attacks.
Description last updated: 2024-08-30T17:15:57.637Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles you may also want to look at.
ID (votes): Profile Description
Romcom Backdoor (2 votes): The RomCom backdoor, a malicious software, is primarily used by the threat actor Void Rabisu, also known as Tropical Scorpius or Storm-0978. This malware has been associated with Cuba ransomware and has been notably deployed in cyberespionage activities, shifting away from opportunistic ransomware a
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Ransomware
Source Document References
Information about the Romcom Group malware was read from the document corpus below. This display is limited to 20 results.
Source (created): Title
Contagio (14 days ago): 2024-08-29 UNDERGROUND Ransomware Samples
Fortinet (17 days ago): Ransomware Roundup - Underground | FortiGuard Labs
Unit42 (10 months ago): In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584
CERT-EU (a year ago): CISA to Gov't Agencies: Mitigate a Flaw in Windows and Office
CERT-EU (a year ago): RomCom Group Targets Ukraine Supporters Ahead of NATO Summit
CERT-EU (10 months ago): In-depth analysis of July 2023 exploit chain featuring CVE-2023-36884 and CVE-2023-36584 - Cyber Security Review