Romcom Rat

False Positive updated a month ago (2024-09-24T08:17:09.216Z)
RomCom RAT is a remote access trojan that has been linked to Cuba ransomware and Industrial Spy ransomware actors since spring 2022. These actors have been observed deploying RomCom RAT and a Meterpreter reverse shell HTTP/HTTPS proxy via a command and control (C2) server before launching their ransomware attacks, and moving laterally with Impacket, a toolkit commonly used for such operations. Security researchers and the Ukrainian government nevertheless remain cautious about attributing these activities directly to Russian government hackers.

In October 2023, Microsoft patched a vulnerability (CVE-2023-36584) that was reportedly chained with another Windows remote code execution vulnerability (CVE-2023-36884) to deliver an updated version of RomCom RAT named PEAPOD. This variant was used by the Void Rabisu threat operation, also tracked as Storm-0978, UNC2596 and Tropical Scorpius. The group targeted female political leaders who attended the Women Political Leaders Summit in June, distributing the malware through a deceptive website that mimicked the summit's legitimate domain.

RomCom RAT can interact with a C2 server to receive and execute commands on the victim's machine, and successive versions have grown more sophisticated. It also incorporates defense evasion techniques, reflecting a steady evolution of its capabilities. A newer campaign delivering PEAPOD has specifically targeted European Union military personnel and political leaders working on gender equality initiatives. This marks a strategic shift in target selection, possibly aimed at disrupting political processes or obtaining sensitive information for coercive purposes.
Description last updated: 2024-05-04T16:33:39.646Z
Aliases: We are not currently tracking any aliases.