Campaigns
Exploit of RomCom RAT
The RomCom RAT is a remote access trojan used by the threat actor of the same name to remotely control compromised systems. It is typically delivered through phishing campaigns that impersonate well-known brands and distribute trojanized versions of legitimate software.

Indicators of Compromise


APT Groups

RomCom (Russian Federation)
Storm-0978

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Windows 10 users: Click the Windows logo and select the Power icon. In the menu that opens, click "Restart" while holding the Shift key on your keyboard. In the "Choose an option" window, click "Troubleshoot", then select "Advanced options".

In the Advanced options menu select "Startup Settings" and click the "Restart" button. In the following window, press F5 on your keyboard. This restarts the operating system in Safe Mode with Networking.

Extract the downloaded Autoruns archive (Sysinternals) and run Autoruns.exe.

In the Autoruns application, click "Options" at the top and uncheck the "Hide Empty Locations" and "Hide Windows Entries" options. Then click the "Refresh" icon so the full list is rebuilt.

Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

Write down its full path and file name. Note that some malware hides behind the names of legitimate Windows processes, so check the path, not just the name; at this stage it is very important to avoid removing system files. Once you have located the suspicious entry you wish to remove, right-click its name and choose "Delete".

After removing the entry in Autoruns (this ensures the malware will not run automatically at the next system startup), search your computer for the file name you wrote down. Enable the display of hidden files and folders before proceeding. If you find the malware file, delete it.

Reboot your computer in normal mode. Following these steps should remove the malware from your computer. Note that manual threat removal requires advanced computer skills; if you do not have them, leave malware removal to antivirus and anti-malware programs.
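The Autoruns review described above can be complemented from the command line. The following PowerShell script is an added example, not part of this page or of the Autoruns tool: it lists the entries in the Run/RunOnce keys and the Startup folders and flags the patterns the guidance warns about (missing image files, files in user-writable directories, Windows binary names living outside the system directory, and unsigned images). The function names Get-ImagePath and Test-Suspicious are the example's own.

```powershell
# Added example, not from the original page: enumerate common autostart locations
# and flag entries worth a closer look. Assumes Windows PowerShell 5.1+, run elevated.
$runKeys = 'HKLM:', 'HKCU:' | ForEach-Object {
    "$_\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    "$_\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
}
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
# Directories an unprivileged user can write to; a common home for droppers.
$userWritable = $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC
function Get-ImagePath([string]$cmd) {
    # Expand %VARS%, strip quotes and arguments, resolve bare names via PATH.
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd)
    $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
    $found = Get-Command $exe -ErrorAction SilentlyContinue
    if ($found -and $found.Source) { return $found.Source }
    return $exe
}
function Test-Suspicious([string]$path) {
    if (-not $path) { return 'empty command' }
    if (-not (Test-Path -LiteralPath $path)) { return 'file missing' }
    foreach ($d in $userWritable) {
        if ($d -and $path.StartsWith($d, 'OrdinalIgnoreCase')) { return 'user-writable dir' }
    }
    # A Windows binary name living outside %SystemRoot% is a classic masquerade.
    $name = [IO.Path]::GetFileName($path)
    if ((Test-Path -LiteralPath "$env:SystemRoot\System32\$name") -and
        -not $path.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')) { return 'masquerades as system file' }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    if ($sig.Status -ne 'Valid') { return "signature $($sig.Status)" }
    return $null
}
$entries = @(
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -notmatch '^PS') { [pscustomobject]@{ Where = $k; Name = $p.Name; Command = $p.Value } }
        }
    }
    foreach ($d in $startupDirs) {
        Get-ChildItem -LiteralPath $d -File -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Where = $d; Name = $_.Name; Command = $_.FullName } }
    }
)
# Print only the entries that tripped a check; review each one before deleting anything.
foreach ($e in $entries) {
    $why = Test-Suspicious (Get-ImagePath $e.Command)
    if ($why) { '[{0}] {1} ({2}) -> {3}' -f $why, $e.Name, $e.Where, $e.Command }
}
```

Shortcut (.lnk) files in the Startup folders will always show as unsigned, so they appear in the output for manual review rather than as a verdict.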

Observed Countries

BR (192)
GB (853)
PH (380)
UA (41)
US (204)