Romcom Rat

Malware updated 4 months ago (2024-05-04T18:55:08.911Z)

Download STIX

Preview STIX

RomCom RAT, a type of malware, has been linked to Cuba ransomware and Industrial Spy ransomware actors since spring 2022. These malicious actors have been observed deploying the RomCom RAT and Meterpreter Reverse Shell HTTP/HTTPS proxy via a Command and Control (C2) server before initiating their ransomware attacks. They moved laterally using Impacket, a software that enables such operations. However, security researchers and the Ukrainian government are still skeptical about attributing these activities directly to Russian government hackers. In October 2023, Microsoft patched a vulnerability (CVE-2023-36584) which was reportedly used in conjunction with another Windows remote code execution vulnerability (CVE-2023-36884) to deliver an updated version of RomCom RAT named PEAPOD. This new variant of RomCom RAT was utilized by the Void Rabisu threat operation, also known as Storm-0978, UNC2596, and Tropical Scorpius. The group targeted female political leaders who participated in the Women Political Leaders Summit in June, distributing the malware through a deceptive website mimicking the legitimate domain of the summit. RomCom RAT has demonstrated the ability to interact with a C2 server to receive and execute commands on the victim's machine, showcasing its increasing sophistication over time. It also includes defense evasion techniques, indicating a steady evolution in its capabilities. A new campaign delivering an updated version of RomCom RAT called PEAPOD has specifically targeted European Union military personnel and political leaders working on gender equality initiatives. This indicates a strategic shift in target selection, possibly aiming to disrupt political processes or leverage sensitive information for coercive purposes.

Description last updated: 2024-05-04T16:33:39.646Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
RomCom	4	RomCom is a type of malware, specifically a Remote Access Trojan (RAT), that has been linked to several cyber-attacks across Europe and North America. It was first identified in spring 2022, when third-party and open-source reports highlighted a potential connection between Cuba ransomware actors, R

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Nato

Malware

Phishing

Trojan

Ransomware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

ID	Type	Votes	Profile Description
Cuba Ransomware	Unspecified	3	The Cuba ransomware is a malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once insi
Cuba	Unspecified	2	The Cuba ransomware, a malicious software active since 2019, has been linked to a series of escalating attacks on US entities and European leaders. The criminal group behind the malware, known by various aliases such as Void Rabisu, UNC2596, Tropical Scorpius, and Storm-0978, has recently targeted w

Source Document References

Information about the Romcom Rat Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	10 months ago	CISA Adds Three Security Flaws with Active Exploitation to KEV Catalog
CERT-EU	a year ago	SpyNote Android trojan detailed
CERT-EU	a year ago	Android spyware deployed via fraudulent Israeli rocket alert app
CERT-EU	a year ago	Israel, Gaza relief groups subjected to DDoS attacks
CERT-EU	a year ago	Novel RomCom RAT variant used in attacks against female political leaders
CERT-EU	a year ago	Ransomware attack claims against Colonial Pipeline linked to third-party breach
CERT-EU	a year ago	Google trending Ransomware news headlines for the day - Cybersecurity Insiders
CERT-EU	a year ago	New PEAPOD Cyberattack Campaign Targeting Women Political Leaders
CERT-EU	a year ago	New PEAPOD Cyberattack Campaign Targeting Women Political Leaders
CERT-EU	a year ago	Microsoft Releases Patches for 132 Vulnerabilities, Including 6 Under Active Attack
Securityaffairs	a year ago	Google TAG warns of Russia-linked APT groups targeting Ukraine
CERT-EU	a year ago	RomCom Threat Actor Targets Ukrainian Politicians, US Healthcare
Securityaffairs	a year ago	RomCom RAT attackers target groups supporting NATO membership of Ukraine
BankInfoSecurity	a year ago	Ukrainian Agencies, NATO Targeted With RATs Ahead of Summit
CISA	2 years ago	#StopRansomware: Cuba Ransomware \| CISA
CISA	2 years ago	#StopRansomware: Cuba Ransomware \| CISA
CERT-EU	a year ago	Cybercriminals who targeted Ukraine are actually Russian government hackers, researchers say
CERT-EU	a year ago	Cuba ransomware believed to be Russian state-backed operation
CERT-EU	a year ago	SiegedSec Hacktivist Claims to Strike NATO and Leak Sensitive Docs
CERT-EU	a year ago	Patch Tuesday. Four zero-days fixed, one mitigated in Microsoft's largest update this year