Pulse Detail — Threat Intelligence

PULSE NAME

Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals

WHITE Void Rabisu AlienVault 2023-05-30 Modified: 2023-06-29

IOCs

HIGH VOLUME

Void Rabisu, a malicious actor believed to be associated with the RomCom backdoor, was thought to be driven by financial gain because of its ransomware attacks. Trend Micro researchers have discovered that the use of RomCom in recent attacks suggests that they have changed to geopolitical motivations.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1027 T1566 T1071 T1113 T1219 T1555 T1571 T1546 T1583

MALWARE FAMILIES

ROMCOM RAT

Indicators of Compromise (88)

All domain FileHash-SHA256 FileHash-SHA1

TYPE	INDICATOR	DESCRIPTION	CREATED
domain	mansoftwarecoz.com	—	2023-05-30
domain	chatgpt4beta.com	—	2023-05-30
domain	4qzm.com	—	2023-05-30
domain	cozy-sofware.com	—	2023-05-30
domain	veeame.com	—	2023-05-30
domain	dirwinstat.com	—	2023-05-30
domain	nerobiom.com	—	2023-05-30
domain	winscpn.com	—	2023-05-30
domain	devolrdm.com	—	2023-05-30
domain	mypodsblocked.com	—	2023-05-30
domain	dgtlocean.com	—	2023-05-30
domain	you-supported.com	—	2023-05-30
domain	wormakejean.com	—	2023-05-30
domain	rdpcamp.com	—	2023-05-30
domain	singularlabs.org	—	2023-05-30
domain	pdfilier.com	—	2023-05-30
domain	kee-pass.com	—	2023-05-30
domain	lnfo-messengers.com	—	2023-05-30
domain	gllmp.com	—	2023-05-30
domain	gotomeet.us	—	2023-05-30
domain	pdf-filer.com	—	2023-05-30
domain	hexactor.com	—	2023-05-30
domain	sparklingprice.com	—	2023-05-30
domain	astrachat.us	—	2023-05-30
domain	nexiandevel.com	—	2023-05-30
domain	astrachats.com	—	2023-05-30
domain	remsoftman.com	—	2023-05-30
domain	vectordmanagesoft.com	—	2023-05-30
domain	kagomadb.com	—	2023-05-30
domain	advanced-ip-scaner.com	—	2023-05-30
domain	pdffiller-review.com	—	2023-05-30
domain	putmastering.com	—	2023-05-30
domain	rdp-devolutions.com	—	2023-05-30
domain	convertmypdfnow.net	—	2023-05-30
domain	wveeam.com	—	2023-05-30
domain	pdfillers.com	—	2023-05-30
domain	hl-analytics.net	—	2023-05-30
domain	decropingsof.com	—	2023-05-30
domain	advanced-ip-scanners.com	—	2023-05-30
domain	pdffreader.com	—	2023-05-30
domain	singlesign.online	—	2023-05-30
domain	decropsoftware.com	—	2023-05-30
domain	icarusoftwares.com	—	2023-05-30
domain	keepasss.info	—	2023-05-30
domain	cnealsoftware.com	—	2023-05-30
domain	keepas.org	—	2023-05-30
domain	readerpdf.net	—	2023-05-30
domain	npm-solar.com	—	2023-05-30
domain	startleague.net	—	2023-05-30
domain	pass-shield.com	—	2023-05-30
domain	wexonlake.com	—	2023-05-30
domain	combinedresidency.org	—	2023-05-30
domain	gangstergo.com	—	2023-05-30
domain	notfiled.com	—	2023-05-30
domain	optasko.com	—	2023-05-30
domain	devolutionrdp.com	—	2023-05-30
FileHash-SHA256	7424de0984159e0c01da89a429e036835f253de35ec2bdade0b91db906ec54ec	—	2023-05-30
FileHash-SHA256	3b26e27031a00a32f3616de5179a003951a9c92381cd8ec552d39f7285ff42ee	—	2023-05-30
FileHash-SHA256	8d805014ceb45195be5bab07a323970a1aa8bc60cdc529712bccaf6f3103e6a6	—	2023-05-30
FileHash-SHA256	3e293680e0f78e404fccb1ed6daa0b49d3f6ea71c81dbaa53092b7dd32e81a0d	—	2023-05-30
FileHash-SHA256	116ec1c306a2ee93ad5371d189bdbc15b23588be0322622b329f763c7f8622f1	—	2023-05-30
FileHash-SHA256	6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d	—	2023-05-30
FileHash-SHA256	6a3a0606293941ce9c3cebe0a3e63d7cdc6fb92fd4507d99b14c7675dd29ab40	—	2023-05-30
FileHash-SHA256	916153d8265a2f9344648e302c6b7b8d7e1f40f704b0df83edde43986ab68e56	—	2023-05-30
FileHash-SHA256	96d1cd0a6038ee295b02f038a30ac756bae0ee5ae26f5a64637adf86777d7e14	—	2023-05-30
FileHash-SHA256	ff8eccca561e07a4d3b1a229b307cd1e787fe9fe21a781f361e3f01750def89c	—	2023-05-30
FileHash-SHA256	7c72e817069bc966a8166a701da397508d44fe9da0e72a047fcf3d694eee81e9	—	2023-05-30
FileHash-SHA256	e58fcd4a8d13cb1847f08fd3db6f86473c589f935bcf76ff2837bfac3e8f8f6e	—	2023-05-30
FileHash-SHA256	597dd1e09bd23cd18132ce27a731d0b66c78381e90292ece0f23738773743a7c	—	2023-05-30
FileHash-SHA256	45bfc3928dd2bb3f7ed388ddd0e109b93aebe3dd0e22609d743673c6c0425732	—	2023-05-30
FileHash-SHA256	a552b0b1c948e0ef4e51088f059c280a967ff40bf93ff9d62ebeb74e80f36fc5	—	2023-05-30
FileHash-SHA256	244885707e1ccfb02160ae60d749bafcfbcfd1d2572afed9113010609cd43820	—	2023-05-30
FileHash-SHA256	3e7bf3a34c4dfa6abfce8254f213cbc98331504fa956b8d35e0961966593034f	—	2023-05-30
FileHash-SHA256	615bfe8f7f3903bb380f59bca6339d1b37125cc9d303f935e7197ff0706fded7	—	2023-05-30
FileHash-SHA256	ad39ad35084d8339744299def3af979e666add8103ebd706de3cd1430d3ca8a1	—	2023-05-30
FileHash-SHA256	65778e3afc448f89680e8de9791500d21a22e2279759d8d93e2ece2bc8dae04d	—	2023-05-30
FileHash-SHA256	6284fb51d5f94d20bcd98a56a69e02ffc45c2991e1f88f6ba97e7d2a9674332c	—	2023-05-30
FileHash-SHA256	ca0ccf331b2545102452e3b505a64444f50ab00d406564dda6ea5987f0194208	—	2023-05-30
FileHash-SHA256	0501d09a219131657c54dba71faf2b9d793e466f2c7fdf6b0b3c50ec5b866b2a	—	2023-05-30
FileHash-SHA256	555ef671179b83989858b6d084b3aee0a379c9d8c75ca292961373d3b71315f8	—	2023-05-30
FileHash-SHA256	ac1fce0ca42f05d54dfbf96415d558f9de1c87abc940531a051536d97bee5c32	—	2023-05-30
FileHash-SHA256	dd65c3ad7473f211ae661ccc37f8017b9697dfffb75d415cb035399c14bc1bc9	—	2023-05-30
FileHash-SHA256	2ba51d7e338242bc6a8109317b91dd13137e296693c535ceacc1288775acc81f	—	2023-05-30
FileHash-SHA256	8b27b0482330d0cb38ac7b578576de5658faeba242d2abc9d94289271e2d16b3	—	2023-05-30
FileHash-SHA256	e7914f823ed0763c7a03c3cfdbcf9344e1da93597733ac22fe3d31a5a4e179aa	—	2023-05-30
FileHash-SHA1	fb73c97c17fdd5313a1a32dac5d0f226cee8f316	—	2023-05-30
FileHash-SHA1	af5c5274d7b850e0b95138580f98ff1f16845905	—	2023-05-30
FileHash-SHA1	607275dd0dd4e29542ef1a2c97475379a2e37cb8	—	2023-05-30

References (1)

↗ https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html