Romcom Group

Threat Actor updated a month ago (2024-11-29T14:01:32.397Z)

Download STIX

Preview STIX

The RomCom group, also known as Storm-0978, is a Russia-based threat actor identified for deploying the Underground ransomware. This group has been linked to various advanced cyber campaigns, with their tactics reflecting similarities to their previous attacks. The group's activities have been attributed by the cybersecurity community to a pro-Russian Advanced Persistent Threat (APT) group. Their notorious reputation stems from their use of the RomCom backdoor, which is an integral part of their malicious operations. The group's recent activity involves exploiting a remote code execution flaw, tracked as CVE-2023-36884. This bug was added by CISA to its list of known exploited vulnerabilities due to its significant risk to federal enterprises. The RomCom group, referred to as Storm-0978 by Microsoft, is known for using phishing emails to drop a backdoor of the same name, further demonstrating their sophisticated cyber attack strategies. The Underground ransomware, believed to be propagated by the RomCom group, presents a substantial threat. While the exact method of initial infection remains undisclosed, spear-phishing is suspected as the primary vector utilized by the group. Notably, on July 4th, two deceptive documents were discovered that were used as lures by the RomCom group, indicating their continued reliance on social engineering tactics for successful cyber intrusions.

Description last updated: 2024-10-17T12:10:10.859Z

What's your take? (Question 1 of 4)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
RomCom is a possible alias for Romcom Group. RomCom, a malicious software, has been identified as a significant cyber threat. Reports from third-party and open-source intelligence since spring 2022 have indicated a connection between RomCom Remote Access Trojan (RAT) actors, Cuba ransomware actors, and Industrial Spy ransomware actors. The mal	2
Romcom Backdoor is a possible alias for Romcom Group. The RomCom backdoor is a malicious software (malware) primarily utilized by the threat actor Void Rabisu, which has been linked to the pro-Russian APT group known as Storm-0978 or the RomCom Group. The malware is typically spread through deceptive websites that redirect potential victims to a server	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Apt

Exploit

Ransomware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Romcom Group Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	a month ago	Russian group RomCom exploited Firefox and Tor Browser zero-days to target attacks Europe and North America
Contagio	4 months ago	2024-08-29 UNDERGROUND Ransomware Samples
Fortinet	4 months ago	Ransomware Roundup - Underground \| FortiGuard Labs
Unit42	a year ago	In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584
CERT-EU	a year ago	CISA to Gov't Agencies: Mitigate a Flaw in Windows and Office
CERT-EU	a year ago	RomCom Group Targets Ukraine Supporters Ahead of NATO Summit
CERT-EU	a year ago	In-depth analysis of July 2023 exploit chain featuring CVE-2023-36884 and CVE-2023-36584 - Cyber Security Review