ROMCOM RAT
The ROMCOM RAT is a backdoor used by the threat actor tracked as Tropical Scorpius, which is associated with the Cuba Ransomware, also known as COLDDRAW.
The ROMCOM RAT can delete files, collect a list of running processes, start a reverse shell and exfiltrate data to a remote server. It is still under active development: in June 2022, a different sample was uploaded to a security company's malware database.
The first version of the ROMCOM RAT supports ten commands:
- Delete a specified directory
- Return the file listing of a specified directory
- Iterate through running processes and gather their process IDs
- Return information about connected drives
- Delete a specified file
- Upload data to the C2 as a ZIP file, using IShellDispatch to copy the files
- Accessible only from ServiceMain; receives a beacon from the C2 server and instructs the process to sleep for 120,000 ms
- Start a reverse shell under the name svchelper.exe from the %ProgramData% folder
- Download data and write it to worker.txt in the %ProgramData% folder
- Spawn a process using PID spoofing
The new variant adds support for 22 new commands, including the ability to fetch payloads, take screenshots, and collect a list of installed applications and send it to the operators' server. Tropical Scorpius keeps refining its tooling, and each new release is more capable than the last.
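The two host artefacts the write-up names (a reverse shell running as svchelper.exe out of %ProgramData%, and downloaded data written to %ProgramData%\worker.txt) can be turned into a simple detection check. The following is an added example, not code from the original page or from any vendor; the event format and the sample telemetry are constructed for illustration, and the %ProgramData% location is assumed to be C:\ProgramData.

```python
import re
from typing import Iterable

# Assumed default location of %ProgramData%; adjust if the host uses another path.
PROGRAMDATA = r"c:\programdata"


def is_programdata_path(path: str) -> bool:
    """True when the path sits under %ProgramData% (case-insensitive, env-var form accepted)."""
    p = path.lower().replace("%programdata%", PROGRAMDATA)
    return p.startswith(PROGRAMDATA + "\\")


def check_event(event: dict) -> list[str]:
    """Return the ROMCOM-style findings for one telemetry event (constructed schema)."""
    findings = []
    kind = event.get("type")
    if kind == "process_create":
        image = event.get("image", "")
        # Reverse shell named svchelper.exe launched from %ProgramData%
        if image.lower().endswith("\\svchelper.exe") and is_programdata_path(image):
            findings.append("svchelper.exe launched from %ProgramData%")
    elif kind == "file_write":
        target = event.get("target", "")
        # Downloaded data written to %ProgramData%\worker.txt
        if target.lower().endswith("\\worker.txt") and is_programdata_path(target):
            findings.append("worker.txt written under %ProgramData%")
    return findings


def scan(events: Iterable[dict]) -> list[tuple[int, str]]:
    """Run check_event over a stream of events and return (event id, finding) pairs."""
    return [(e["id"], f) for e in events for f in check_event(e)]


# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Windows\System32\svchost.exe"},
    {"id": 2, "type": "process_create", "image": r"C:\ProgramData\svchelper.exe"},
    {"id": 3, "type": "file_write", "target": r"C:\ProgramData\worker.txt"},
    {"id": 4, "type": "file_write", "target": r"C:\Users\alice\worker.txt"},
    {"id": 5, "type": "process_create", "image": r"C:\Program Files\svchelper.exe"},
]

if __name__ == "__main__":
    for event_id, finding in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {finding}")
```

Both checks are plain name-and-path matches, so they should be combined with parent-process and network context before being treated as high-confidence.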