ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool RomeoBravo

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: RomeoBravo

NamesRomeoBravo
BravoNC
CategoryMalware
TypeBackdoor
Description(SecurityWeek) A new sample of WannaCry emerged in late March, and five organizations were infected with it. The RomeoAlfa and BravoNC backdoors were employed in these attacks, with the former used to drop WannaCry onto the compromised computers of at least two victims. AlphaNC is believed to be an evolution of Duuzer, a sub-family of the Destover wiping tool used in the Sony attacks.

These attacks hit organizations spanning a range of sectors and geographies, but Symantec found evidence of the tools used in the February attacks on the computers compromised in March and April as well.

The BravoNC Trojan was used to deliver WannaCry to the computers of at least two other victims, the security researchers say. The malware connects to a C&C server hosted at the same IP address as the IP address used by Destover and Duuzer samples, and which was also referred to in a Blue Coat report last year.
Information<https://www.securityweek.com/wannacry-highly-likely-work-north-korean-linked-hackers-symantec-says>
<https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.bravonc>

Last change to this tool card: 23 April 2020

Download this tool card in JSON format

Previous: RomeoAlfa
Next: RomeoCharlie

All groups using tool RomeoBravo

ChangedNameCountryObserved

APT groups

 Lazarus Group, Hidden Cobra, Labyrinth ChollimaNorth Korea2007-Dec 2020 HOTX

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key