Oct 17, 2024 | Ravie Lakshmanan | Threat Intelligence / Malware
A new wave of cyber attacks has targeted Ukrainian government agencies and undisclosed Polish entities since late 2023. The attacks have been attributed to the Russian threat actor tracked as RomCom, which has been using a variant of the RomCom RAT called SingleCamper to carry out the intrusions. This variant, also tracked as SnipBot or RomCom 5.0, has distinctive features, according to security researchers Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer, and Vitor Ventura.
RomCom, also tracked under the aliases Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has a history of diverse cyber operations, including ransomware, extortion, and targeted credential theft. Recent assessments indicate that the group has increased its attack frequency and shifted clearly toward espionage objectives, with a focus on maintaining long-term access to compromised networks and exfiltrating sensitive data.
The threat actor's expanding toolset includes malware components written in several programming languages, including C++, Rust, Go, and Lua. These components form RomCom's attack chain: spear-phishing emails deliver downloaders, which in turn deploy backdoors such as ShadyHammock and DustyHammock on compromised systems.
SingleCamper, the latest iteration of the RomCom RAT, is used for post-compromise activity, including establishing remote connections to attacker-controlled infrastructure, network reconnaissance, lateral movement across the network, and data exfiltration. The attacks appear to follow a two-stage strategy: long-term data theft for espionage, followed by possible deployment of ransomware to disrupt operations and extract financial gain.
The ongoing cyber offensive targeting Ukrainian and potentially Polish entities underscores the evolving threat landscape and the critical need for robust cybersecurity measures. As the cybersecurity community grapples with these emerging challenges, stay tuned for further updates on this developing story.