The ROMCOM RAT is a novel malware threat believed to be part of the arsenal of a cybercriminal gang infamous for ransomware attacks. This new Remote Access Trojan appears to be under rapid development, with more recent versions boasting expanded functionality and more intrusive features. Details about the threat family were revealed in a report by Palo Alto Networks' Unit 42 threat intelligence team.

According to their findings, the ROMCOM RAT was created by the Tropical Scorpius cybercriminal group, the operators behind Cuba Ransomware (COLDDRAW). The ransomware has so far been leveraged against 60 victims spread across five critical infrastructure sectors. Of the victims listed on the group's data leak site, 40 are located in the U.S.

The initial versions of ROMCOM RAT already had significant intrusion capabilities. The threat was able to start a reverse shell and execute commands, delete chosen files, exfiltrate data to a remote server controlled by the threat actors, and compile a list of all currently running processes on the breached devices. However, infosec researchers soon identified an updated sample with a considerably expanded feature set. The newer ROMCOM sample recognized a total of 22 commands and could now deliver additional payloads to victims' machines, capture screenshots, and extract a list of all installed applications.
