The Russian menace actor generally known as RomCom has been linked to a brand new wave of cyber assaults aimed toward Ukrainian authorities companies and unknown Polish entities since at the least late 2023.
The intrusions are characterised by means of a variant of the RomCom RAT dubbed SingleCamper (aka SnipBot or RomCom 5.0), stated Cisco Talos, which is monitoring the exercise cluster below the moniker UAT-5647.
“This version is loaded directly from the registry into memory and uses a loopback address to communicate with its loader,” safety researchers Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer, and Vitor Ventura famous.
RomCom, additionally tracked as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has engaged in multi-motivational operations reminiscent of ransomware, extortion, and focused credential gathering since its emergence in 2022.
It has been assessed that the operational tempo of their assaults has elevated in current months with an goal to arrange long-term persistence on compromised networks and exfiltrate information, suggesting a transparent espionage agenda.
To that finish, the menace actor is alleged to be “aggressively expanding their tooling and infrastructure to support a wide variety of malware components authored in diverse languages and platforms” reminiscent of C++ (ShadyHammock), Rust (DustyHammock), Go (GLUEEGG), and Lua (DROPCLUE).
The assault chains begin with a spear-phishing message that delivers a downloader — both coded in C++ (MeltingClaw) or Rust (RustyClaw) — which serves to deploy the ShadyHammock and DustyHammock backdoors, respectively. In parallel, a decoy doc is exhibited to the recipient to take care of the ruse.
Whereas DustyHammock is engineered to contact a command-and-control (C2) server, run arbitrary instructions, and obtain information from the server, ShadyHammock acts as a launchpad for SingleCamper in addition to listening for incoming instructions.
Regardless of’s ShadyHammock further options, it is believed that it is a predecessor to DustyHammock, given the truth that the latter was noticed in assaults as just lately as September 2024.
SingleCamper, the most recent model of RomCom RAT, is accountable for a variety of post-compromise actions, which entail downloading the PuTTY’s Plink device to ascertain distant tunnels with adversary-controlled infrastructure, community reconnaissance, lateral motion, person and system discovery, and information exfiltration.
“This specific series of attacks, targeting high profile Ukrainian entities, is likely meant to serve UAT-5647’s two-pronged strategy in a staged manner – establish long-term access and exfiltrate data for as long as possible to support espionage motives, and then potentially pivot to ransomware deployment to disrupt and likely financially gain from the compromise,” the researchers stated.
“It is also likely that Polish entities were also targeted, based on the keyboard language checks performed by the malware.”