Ukrainian Government Targeted With Russian RomCom Attacks
According to recent media reports, Ukrainian government agencies have been hit by a new wave of Russian RomCom attacks. The threat actor behind the attacks uses a remote access trojan (RAT) for malicious ends such as extortion and credential theft. In this article, we dive into the attack and uncover the different methods used for such purposes. Let’s begin!
RomCom Attacks On Government Agencies
These RomCom attacks are being tracked by Cisco Talos under the moniker UAT-5647. Reports claim that RomCom, a Russian threat actor, relies on the SingleCamper RAT for these operations. The RAT is also referred to as SnipBot or RomCom 5.0.
Commenting on the new wave of UAT-5647 espionage activities, cybersecurity experts Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer, and Vitor Ventura have stated that:
“This version is loaded directly from the registry into memory and uses a loopback address to communicate with its loader”
RomCom Threat Actor Activities
Before we dive into further details, it’s worth noting that the threat actor behind the RomCom attacks is also referred to as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu. Activities pertaining to this threat actor have increased in recent months. During the RomCom attacks, a key objective is to establish long-term persistence and extract data.
In addition, the threat actor is also believed to be expanding its attack infrastructure with various malware components developed using different programming languages. These programming languages and attack components include:
Programming Language | Attack Component
C++ | ShadyHammock, MeltingClaw
Rust | DustyHammock, Rusty Claw
Go | GLUEEGG
Lua | DROPCLUE
SingleCamper Malware Attack Chain
The threat actor behind the RomCom attacks uses spear-phishing messages that deliver a downloader coded in C++ or Rust. This downloader is used to deploy the ShadyHammock and DustyHammock backdoors.
The DustyHammock downloader is used for contacting the command-and-control (C2) server, executing arbitrary commands, and downloading files from the server. ShadyHammock, on the other hand, launches the SingleCamper RAT, which then initiates multiple malicious activities, including:
- Data exfiltration.
- Lateral movement.
- Network reconnaissance.
- User and system discovery.
- Downloading PuTTY’s Plink tool for establishing remote tunnels.
Commenting on these attack tactics, cybersecurity experts have stated:
“This specific series of attacks, targeting high profile Ukrainian entities, is likely meant to serve UAT-5647’s two-pronged strategy in a staged manner – establish long-term access and exfiltrate data for as long as possible to support espionage motives, and then potentially pivot to ransomware deployment to disrupt and likely financially gain from the compromise.”
Conclusion
The RomCom attacks on Ukrainian government agencies highlight the growing sophistication of Russian cyber-espionage tactics. By leveraging the SingleCamper RAT and various malware components, the threat actors aim to establish long-term persistence, exfiltrate sensitive data, and potentially deploy ransomware for financial gain.
Given the advancements in technology, cyberattacks today are increasingly complex. Such a threat landscape now dictates the use of robust cybersecurity measures that can reduce risk and help improve security posture.
The sources for this piece include articles in The Hacker News and BackBox.