The Russian danger actor referred to as RomCom has been related to a brand new wave of cyber assaults geared toward Ukrainian executive companies and unknown Polish entities since a minimum of overdue 2023.
The intrusions are characterised by means of a variant of the RomCom RAT dubbed SingleCamper (aka SnipBot or RomCom 5.0), mentioned Cisco Talos, which is tracking the process cluster beneath the moniker UAT-5647.
“This model is loaded immediately from the registry into reminiscence and makes use of a loopback deal with to keep up a correspondence with its loader,” safety researchers Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer, and Vitor Ventura famous.
RomCom, additionally tracked as Typhoon-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has engaged in multi-motivational operations similar to ransomware, extortion, and centered credential amassing since its emergence in 2022.
It is been assessed that the operational pace in their assaults has larger in fresh months with an goal to arrange long-term endurance on compromised networks and exfiltrate knowledge, suggesting a transparent espionage schedule.
To that finish, the danger actor is alleged to be “aggressively increasing their tooling and infrastructure to reinforce all kinds of malware elements authored in various languages and platforms” similar to C++ (ShadyHammock), Rust (DustyHammock), Pass (GLUEEGG), and Lua (DROPCLUE).
The assault chains get started with a spear-phishing message that delivers a downloader — both coded in C++ (MeltingClaw) or Rust (RustyClaw) — which serves to deploy the ShadyHammock and DustyHammock backdoors, respectively. In parallel, a decoy record is exhibited to the recipient to deal with the ruse.
Whilst DustyHammock is engineered to touch a command-and-control (C2) server, run arbitrary instructions, and obtain recordsdata from the server, ShadyHammock acts as a launchpad for SingleCamper in addition to listening for incoming instructions.
In spite of’s ShadyHammock further options, it is believed that it is a predecessor to DustyHammock, given the truth that the latter was once seen in assaults as not too long ago as September 2024.
SingleCamper, the newest model of RomCom RAT, is accountable for a variety of post-compromise actions, which entail downloading the PuTTY’s Plink instrument to ascertain far flung tunnels with adversary-controlled infrastructure, community reconnaissance, lateral motion, person and device discovery, and information exfiltration.
“This particular collection of assaults, concentrated on top profile Ukrainian entities, is most probably supposed to serve UAT-5647’s two-pronged technique in a staged method – identify long-term get admission to and exfiltrate knowledge for so long as conceivable to reinforce espionage motives, after which probably pivot to ransomware deployment to disrupt and most probably financially achieve from the compromise,” the researchers mentioned.
“It’s also most probably that Polish entities have been additionally centered, in keeping with the keyboard language tests carried out by means of the malware.”