RomCom RAT

Malware Profile Updated 3 months ago
RomCom RAT is a remote access trojan that has been linked to Cuba ransomware and Industrial Spy ransomware actors since spring 2022. These actors have been observed deploying RomCom RAT and a Meterpreter reverse shell HTTP/HTTPS proxy via a command and control (C2) server before initiating their ransomware attacks, and moving laterally with Impacket. Security researchers and the Ukrainian government are still skeptical about attributing these activities directly to Russian government hackers.

In October 2023, Microsoft patched a vulnerability (CVE-2023-36584) that was reportedly used in conjunction with another Windows remote code execution vulnerability (CVE-2023-36884) to deliver an updated version of RomCom RAT named PEAPOD. This variant was used by the Void Rabisu threat operation, also known as Storm-0978, UNC2596 and Tropical Scorpius. The group targeted female political leaders who participated in the Women Political Leaders Summit in June, distributing the malware through a deceptive website mimicking the summit's legitimate domain.

RomCom RAT can interact with a C2 server to receive and execute commands on the victim's machine, and it includes defense evasion techniques, both indicating a steady evolution in its capabilities. The PEAPOD campaign has specifically targeted European Union military personnel and political leaders working on gender equality initiatives. This marks a strategic shift in target selection, possibly aiming to disrupt political processes or leverage sensitive information for coercive purposes.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID (votes): profile description
RomCom (4 votes): RomCom is a type of malware, specifically a Remote Access Trojan (RAT), that has been linked to several cyber-attacks across Europe and North America. It was first identified in spring 2022, when third-party and open-source reports highlighted a potential connection between Cuba ransomware actors, R
PEAPOD (1 vote): PEAPOD, a novel variant of the RomCom RAT malware, was discovered to have been used in targeted attacks against female political leaders who participated in the Women Political Leaders Summit in June. The threat operation responsible for these attacks is known as Void Rabisu, also referred to as Sto
UNC2596 (1 vote): UNC2596, also known as Void Rabisu, Tropical Scorpius, and Storm-0978, is a hybrid threat actor involved in both financially motivated and espionage attacks. This group has been refining its tactics and techniques, utilizing backdoor attacks that have targeted various high-profile events, including
Tropical Scorpius (1 vote): Tropical Scorpius is a notorious malware, first identified in late 2020, associated with the Cuba ransomware gang. This malicious software has been linked to multiple cybercriminal activities, including disrupting operations, stealing personal information, and holding data hostage for ransom. The ma
Void Rabisu (1 vote): Void Rabisu, also known as Storm-0978, UNC2596, and Tropical Scorpius, is a malicious software (malware) notable for its use of the ROMCOM backdoor. This malware has been involved in numerous attacks, including those targeting attendees of the Women Political Leaders Summit (WPL Summit) in 2023. In
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
NATO
Phishing
Trojan
Ransomware
Espionage
Proxy
T1090
Vulnerability
Windows
KeePass
Ukraine
Cybercrime
Exploit
Acrobat
Associated Malware
ID (type, votes): profile description
Cuba Ransomware (Unspecified, 3 votes): The Cuba ransomware is a malicious software that first appeared on cybersecurity radars in late 2020 under the name "Tropical Scorpius." It is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites without the user's knowledge. Once insi
Cuba (Unspecified, 2 votes): The Cuba ransomware, a malicious software active since 2019, has been linked to a series of escalating attacks on US entities and European leaders. The criminal group behind the malware, known by various aliases such as Void Rabisu, UNC2596, Tropical Scorpius, and Storm-0978, has recently targeted w
Meterpreter (Unspecified, 1 vote): Meterpreter, a type of malware, is an attack payload of Metasploit that serves as an interactive shell, enabling threat actors to control and execute code on a system. Advanced Persistent Threat (APT) actors have created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, liste
Associated Threat Actors
No associations to display
Associated Vulnerabilities
ID (type, votes): profile description
CVE-2023-36584 (Unspecified, 1 vote): None
CVE-2023-36884 (Unspecified, 1 vote): CVE-2023-36884 is a significant software vulnerability discovered in Microsoft Windows, Server, Office, and Outlook. It is a flaw in the software design or implementation that allows for remote code execution (RCE), specifically in the Windows Search security feature. This vulnerability was being ac
Source Document References
Information about the RomCom RAT malware was read from the document corpus below. This display is limited to 20 results.
Source (created at): title
CERT-EU (8 months ago): CISA Adds Three Security Flaws with Active Exploitation to KEV Catalog
CERT-EU (9 months ago): SpyNote Android trojan detailed
CERT-EU (9 months ago): Android spyware deployed via fraudulent Israeli rocket alert app
CERT-EU (9 months ago): Israel, Gaza relief groups subjected to DDoS attacks
CERT-EU (9 months ago): Novel RomCom RAT variant used in attacks against female political leaders
CERT-EU (9 months ago): Ransomware attack claims against Colonial Pipeline linked to third-party breach
CERT-EU (9 months ago): Google trending Ransomware news headlines for the day - Cybersecurity Insiders
CERT-EU (9 months ago): New PEAPOD Cyberattack Campaign Targeting Women Political Leaders
CERT-EU (a year ago): Microsoft Releases Patches for 132 Vulnerabilities, Including 6 Under Active Attack
Securityaffairs (a year ago): Google TAG warns of Russia-linked APT groups targeting Ukraine
CERT-EU (a year ago): RomCom Threat Actor Targets Ukrainian Politicians, US Healthcare
Securityaffairs (a year ago): RomCom RAT attackers target groups supporting NATO membership of Ukraine
BankInfoSecurity (a year ago): Ukrainian Agencies, NATO Targeted With RATs Ahead of Summit
CISA (a year ago): #StopRansomware: Cuba Ransomware | CISA
CERT-EU (a year ago): Cybercriminals who targeted Ukraine are actually Russian government hackers, researchers say
CERT-EU (a year ago): Cuba ransomware believed to be Russian state-backed operation
CERT-EU (a year ago): SiegedSec Hacktivist Claims to Strike NATO and Leak Sensitive Docs
CERT-EU (a year ago): Patch Tuesday. Four zero-days fixed, one mitigated in Microsoft's largest update this year