Romcom Group

Threat Actor updated a month ago (2024-10-17T13:00:59.228Z)

Download STIX

Preview STIX

The RomCom group, also known as Storm-0978, is a Russia-based threat actor identified for deploying the Underground ransomware. This group has been linked to various advanced cyber campaigns, with their tactics reflecting similarities to their previous attacks. The group's activities have been attributed by the cybersecurity community to a pro-Russian Advanced Persistent Threat (APT) group. Their notorious reputation stems from their use of the RomCom backdoor, which is an integral part of their malicious operations. The group's recent activity involves exploiting a remote code execution flaw, tracked as CVE-2023-36884. This bug was added by CISA to its list of known exploited vulnerabilities due to its significant risk to federal enterprises. The RomCom group, referred to as Storm-0978 by Microsoft, is known for using phishing emails to drop a backdoor of the same name, further demonstrating their sophisticated cyber attack strategies. The Underground ransomware, believed to be propagated by the RomCom group, presents a substantial threat. While the exact method of initial infection remains undisclosed, spear-phishing is suspected as the primary vector utilized by the group. Notably, on July 4th, two deceptive documents were discovered that were used as lures by the RomCom group, indicating their continued reliance on social engineering tactics for successful cyber intrusions.

Description last updated: 2024-10-17T12:10:10.859Z

What's your take? (Question 1 of 2)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Romcom Backdoor is a possible alias for Romcom Group. The RomCom backdoor, a malicious software, is primarily used by the threat actor Void Rabisu, also known as Tropical Scorpius or Storm-0978. This malware has been associated with Cuba ransomware and has been notably deployed in cyberespionage activities, shifting away from opportunistic ransomware a	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Apt

Ransomware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Romcom Group Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Contagio	3 months ago	2024-08-29 UNDERGROUND Ransomware Samples
Fortinet	3 months ago	Ransomware Roundup - Underground \| FortiGuard Labs
Unit42	a year ago	In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584
CERT-EU	a year ago	CISA to Gov't Agencies: Mitigate a Flaw in Windows and Office
CERT-EU	a year ago	RomCom Group Targets Ukraine Supporters Ahead of NATO Summit
CERT-EU	a year ago	In-depth analysis of July 2023 exploit chain featuring CVE-2023-36884 and CVE-2023-36584 - Cyber Security Review