A known Russian threat actor by the name of RomCom has been implicated in a recent surge of cyber attacks targeting Ukrainian governmental bodies as well as unidentified Polish organizations since late 2023.
The attacks are marked by the deployment of a variant of the RomCom RAT, referred to as SingleCamper (also known as SnipBot or RomCom 5.0), as reported by Cisco Talos, which is observing this activity cluster under the designation UAT-5647.
According to security researchers Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer, and Vitor Ventura, this variant is loaded directly from the registry into memory and communicates with its loader using a loopback address.
RomCom, which is also tracked under various monikers including Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has been involved in various operations ranging from ransomware to extortion and targeted credential collection since its debut in 2022.
Reports suggest that the frequency of their attacks has escalated over recent months, aiming to establish a lasting presence within compromised networks and to extract sensitive data, thus indicating an evident espionage agenda.
In pursuit of this goal, Talos reports, the threat actor is rapidly expanding its tooling and infrastructure to support a diverse set of malware components written in several programming languages and for several platforms, including C++ (ShadyHammock), Rust (DustyHammock), Go, and Lua.
The attack chains begin with a spear-phishing email carrying a downloader, written in either C++ or Rust, which fetches the ShadyHammock or DustyHammock backdoor respectively. At the same time a decoy document is displayed to the recipient to keep up the pretense.
DustyHammock is designed to reach out to a command-and-control (C2) server for running arbitrary commands and downloading files, while ShadyHammock serves as a starting point for SingleCamper and waits for incoming commands.
Although ShadyHammock has more features, it is believed to be the older of the two, since DustyHammock has been observed in attacks as recently as September 2024.
SingleCamper, the most recent iteration of RomCom RAT, carries out a range of post-compromise actions, including downloading PuTTY's Plink tool to build remote tunnels to adversary-controlled infrastructure, network reconnaissance, lateral movement, user and system discovery, and data exfiltration.
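Two of the host-side traces described above, a payload parked in the registry and Plink started with port-forwarding switches, plus the loader-to-implant loopback channel, can be hunted for from an endpoint. The script below is an added example, not Cisco Talos' or the article's own code; the hives searched, the 64 KB size cutoff, the Plink switches matched, and the function names are assumptions, and any hit is a lead for analyst review, not a verdict.

```powershell
# Added hunting script (not from the article or Cisco Talos). Assumptions:
# registry hives, size threshold, and the Plink switches are all chosen here.
$SizeThreshold = 64KB   # assumed cutoff; legitimate binary values are rarely this large

function Find-LargeRegistryValues {
    param([string[]]$Roots = @('HKCU:\SOFTWARE', 'HKLM:\SOFTWARE'))
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_                                  # Microsoft.Win32.RegistryKey
            foreach ($name in $key.GetValueNames()) {
                $kind = $key.GetValueKind($name)
                if ($kind -notin 'Binary', 'String') { continue }
                $value = $key.GetValue($name)
                $bytes = if ($value -is [byte[]]) { $value.Length } else { ([string]$value).Length }
                if ($bytes -ge $SizeThreshold) {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Kind = $kind; Bytes = $bytes }
                }
            }
        }
    }
}

function Find-PlinkTunnels {
    # -R / -L / -D are Plink's remote, local and dynamic port-forwarding switches
    Get-CimInstance Win32_Process |
        Where-Object { $_.Name -match '^plink(\.exe)?$' -or $_.CommandLine -match '(^|\\|\s)plink(\.exe)?\s' } |
        Where-Object { $_.CommandLine -match '\s-(R|L|D)\s' } |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

function Find-LoopbackPairs {
    # Established TCP sessions with both ends on 127.0.0.1 owned by two different
    # processes: a loader talking to an in-memory implant over loopback looks like this.
    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -eq '127.0.0.1' -and $_.RemoteAddress -eq '127.0.0.1' }
    foreach ($c in $conns) {
        $peer = $conns |
            Where-Object { $_.LocalPort -eq $c.RemotePort -and $_.RemotePort -eq $c.LocalPort } |
            Select-Object -First 1
        if ($peer -and $peer.OwningProcess -ne $c.OwningProcess) {
            [pscustomobject]@{ Client = $c.OwningProcess; Server = $peer.OwningProcess; Port = $c.RemotePort }
        }
    }
}

Find-LargeRegistryValues | Format-Table -AutoSize
Find-PlinkTunnels        | Format-Table -AutoSize
Find-LoopbackPairs       | Sort-Object Port -Unique | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM and other users' processes are readable; large registry blobs in vendor keys (font caches, driver stores) are common false positives and should be baselined before alerting.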
This specific series of attacks against prominent Ukrainian targets appears to align with the strategic objectives of UAT-5647 in a staged approach: achieving long-term access and extracting data for as extended a period as possible to fulfill espionage purposes, and then possibly shifting to deploy ransomware to disrupt and financially capitalize on the breaches.
Additionally, it is plausible that Polish organizations were also targeted as indicated by keyboard language checks conducted by the malware.