Russian RomCom Assaults Goal Ukrainian Authorities with New SingleCamper RAT Variant

Oct 17, 2024Ravie LakshmananRisk Intelligence / Malware

The Russian menace actor often called RomCom has been linked to a brand new wave of cyber assaults aimed toward Ukrainian authorities companies and unknown Polish entities since not less than late 2023.

The intrusions are characterised by way of a variant of the RomCom RAT dubbed SingleCamper (aka SnipBot or RomCom 5.0), mentioned Cisco Talos, which is monitoring the exercise cluster beneath the moniker UAT-5647.

“This model is loaded instantly from the registry into reminiscence and makes use of a loopback tackle to speak with its loader,” safety researchers Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer, and Vitor Ventura noted.

RomCom, additionally tracked as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has engaged in multi-motivational operations resembling ransomware, extortion, and focused credential gathering since its emergence in 2022.

It has been assessed that the operational tempo of their assaults has elevated in latest months with an goal to arrange long-term persistence on compromised networks and exfiltrate knowledge, suggesting a transparent espionage agenda.

To that finish, the menace actor is alleged to be “aggressively increasing their tooling and infrastructure to assist all kinds of malware elements authored in numerous languages and platforms” resembling C++ (ShadyHammock), Rust (DustyHammock), Go (GLUEEGG), and Lua (DROPCLUE).

The assault chains begin with a spear-phishing message that delivers a downloader — both coded in C++ (MeltingClaw) or Rust (RustyClaw) — which serves to deploy the ShadyHammock and DustyHammock backdoors, respectively. In parallel, a decoy doc is exhibited to the recipient to take care of the ruse.

Whereas DustyHammock is engineered to contact a command-and-control (C2) server, run arbitrary instructions, and obtain recordsdata from the server, ShadyHammock acts as a launchpad for SingleCamper in addition to listening for incoming instructions.

Regardless of’s ShadyHammock extra options, it is believed that it is a predecessor to DustyHammock, given the truth that the latter was noticed in assaults as not too long ago as September 2024.

SingleCamper, the most recent model of RomCom RAT, is accountable for a variety of post-compromise actions, which entail downloading the PuTTY’s Plink software to determine distant tunnels with adversary-controlled infrastructure, community reconnaissance, lateral motion, person and system discovery, and knowledge exfiltration.

“This particular collection of assaults, concentrating on excessive profile Ukrainian entities, is probably going meant to serve UAT-5647’s two-pronged technique in a staged method – set up long-term entry and exfiltrate knowledge for so long as attainable to assist espionage motives, after which probably pivot to ransomware deployment to disrupt and certain financially achieve from the compromise,” the researchers mentioned.

“Additionally it is seemingly that Polish entities have been additionally focused, primarily based on the keyboard language checks carried out by the malware.”