Romcom Group

Malware Profile Updated 2 months ago
The RomCom Group, also known as Storm-0978, is a pro-Russian Advanced Persistent Threat (APT) group known for its sophisticated cyber campaigns. The group is recognized for its use of the RomCom backdoor, malware that exploits and damages computer systems to steal personal information, disrupt operations, or hold data hostage for ransom. The cybersecurity community attributes the group's activity to both financial and espionage motives; its attacks are typically delivered through malicious downloads, emails, or websites. In a recent operation, the Cybersecurity and Infrastructure Security Agency (CISA) identified a bug tracked as CVE-2023-36884 being exploited by the RomCom Group. This remote code execution flaw poses significant risks to the federal enterprise and is one of many known exploited vulnerabilities that malicious actors frequently use as attack vectors. Microsoft, which refers to the group as Storm-0978, noted that the group commonly uses phishing emails to drop the RomCom backdoor onto target systems. BlackBerry's research team has highlighted similarities between the tactics observed in this latest operation and the RomCom group's previous attacks. While the exact initial infection method remains undisclosed, the team suspects spear-phishing as the group's primary vector. On July 4th, they discovered two deceptive documents used as lures by the RomCom group, reinforcing the suspicion that spear-phishing is the group's predominant infiltration strategy.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Romcom Backdoor (2 votes): The RomCom backdoor, a malicious software, is primarily used by the threat actor Void Rabisu, also known as Tropical Scorpius or Storm-0978. This malware has been associated with Cuba ransomware and has been notably deployed in cyberespionage activities, shifting away from opportunistic ransomware a
RomCom (1 vote): RomCom is a type of malware, specifically a Remote Access Trojan (RAT), that has been linked to several cyber-attacks across Europe and North America. It was first identified in spring 2022, when third-party and open-source reports highlighted a potential connection between Cuba ransomware actors, R
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Phishing
Exploit
Microsoft
Backdoor
Known Exploi...
Blackberry
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
CVE-2023-36884 (type: Unspecified, 1 vote): CVE-2023-36884 is a significant software vulnerability discovered in Microsoft Windows, Server, Office, and Outlook. It is a flaw in the software design or implementation that allows for remote code execution (RCE), specifically in the Windows Search security feature. This vulnerability was being ac
Source Document References
Information about the Romcom Group malware was read from the documents in the corpus below. This display is limited to 20 results.
Unit42, 8 months ago: In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584
CERT-EU, a year ago: CISA to Gov't Agencies: Mitigate a Flaw in Windows and Office
CERT-EU, a year ago: RomCom Group Targets Ukraine Supporters Ahead of NATO Summit
CERT-EU, 8 months ago: In-depth analysis of July 2023 exploit chain featuring CVE-2023-36884 and CVE-2023-36584 - Cyber Security Review