Man
Professional
The group's new arsenal weaves a network of cyber espionage in Eastern Europe.
Cisco Talos specialists have identified a new wave of attacks by the UAT-5647 (RomCom) group, which has been targeting Ukrainian government agencies and unnamed Polish organizations since the end of 2023.
The latest campaign includes an updated version of the RomCom malware called SingleCamper. The implant is loaded directly from the registry into memory and communicates with its loader over the loopback address. The toolkit of the UAT-5647 group has expanded significantly and now includes four malware families: two loaders and two backdoors.
The attackers actively compromise edge devices and redirect traffic from internal interfaces to remote servers, which complicates threat detection during incident response. In its attacks, UAT-5647 aims to maintain long-term access to targeted systems in order to steal data, and may then move on to deploying ransomware for financial gain.
Attack tactics and techniques
The main infection vector is phishing messages carrying the RustClaw or MeltingClaw loaders, which in turn install the DustyHammock (Rust) and ShadyHammock (C++) backdoors. DustyHammock executes commands received from the command-and-control server, while ShadyHammock activates malicious components and can receive commands through local interfaces.
After penetrating the network, the attackers conduct reconnaissance and use tools such as PuTTY Plink to create tunnels between internal interfaces and external servers. These tactics allow them to evade detection and gain access to sensitive information and to the settings of network devices, such as TP-LINK routers.
The group makes extensive use of port scans and of commands that enumerate system information and network connections. On the target devices, commands such as "net view" and "ping" are run to identify open ports and shared resources, giving the attackers access to shared folders and other valuable information.
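As an added defender-side example (not from the post or from Talos), the following Python sketch looks for the two post-compromise behaviours this section describes, plink.exe launched with a port-forwarding switch and bursts of "net view"/"ping" discovery commands on one host, in constructed process-creation events. The event format, hosts, users, paths, addresses and the burst thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed process-creation events (hypothetical hosts, users, paths and addresses)
# in a simple key=value format. WS-01 mimics the behaviour described in the post;
# WS-02 is benign admin activity that must not alert.
SAMPLE_EVENTS = [
    '2024-09-02T10:00:01 host=WS-01 user=alice image=C:\\Windows\\System32\\net.exe cmd="net view \\\\FILESRV"',
    '2024-09-02T10:00:09 host=WS-01 user=alice image=C:\\Windows\\System32\\PING.EXE cmd="ping -n 1 10.0.0.5"',
    '2024-09-02T10:00:15 host=WS-01 user=alice image=C:\\Windows\\System32\\PING.EXE cmd="ping -n 1 10.0.0.6"',
    '2024-09-02T10:03:40 host=WS-01 user=alice image=C:\\Users\\alice\\AppData\\Local\\Temp\\plink.exe cmd="plink.exe -N -R 8080:127.0.0.1:8080 svc@203.0.113.10"',
    '2024-09-02T11:20:00 host=WS-02 user=bob image=C:\\Windows\\System32\\PING.EXE cmd="ping -n 4 10.0.0.1"',
    '2024-09-02T11:21:00 host=WS-02 user=bob image=C:\\Program Files\\PuTTY\\plink.exe cmd="plink.exe -ssh admin@10.0.0.20"',
]

EVENT_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+?) cmd="(?P<cmd>.*)"$')
TUNNEL_FLAG_RE = re.compile(r'(?:^|\s)-[RLD]\b')  # Plink port-forwarding switches (remote, local, dynamic)
RECON_PREFIXES = ("net view", "ping")            # the discovery commands the post names
RECON_WINDOW = timedelta(minutes=5)               # assumed tuning values, not from the post
RECON_THRESHOLD = 3

def parse_event(line):
    # Parse one event line into a dict, or return None for lines that do not match.
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect(lines):
    """Return (rule, host, detail) findings: Plink tunnels and per-host recon bursts."""
    findings = []
    recon_times = defaultdict(list)  # host -> timestamps of discovery commands
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        # Rule 1: plink.exe launched with a forwarding switch, regardless of its path.
        if ev["image"].lower().endswith("plink.exe") and TUNNEL_FLAG_RE.search(ev["cmd"]):
            findings.append(("plink_tunnel", ev["host"], ev["cmd"]))
        if ev["cmd"].lower().startswith(RECON_PREFIXES):
            recon_times[ev["host"]].append(ev["ts"])
    # Rule 2: RECON_THRESHOLD or more discovery commands on one host inside RECON_WINDOW.
    for host, times in sorted(recon_times.items()):
        times.sort()
        for i in range(len(times) - RECON_THRESHOLD + 1):
            if times[i + RECON_THRESHOLD - 1] - times[i] <= RECON_WINDOW:
                findings.append(("recon_burst", host, f"{RECON_THRESHOLD} discovery commands within {RECON_WINDOW}"))
                break
    return findings
```

Running `detect(SAMPLE_EVENTS)` flags only WS-01, once for the reverse tunnel and once for the discovery burst; the single ping and the interactive plink session on WS-02 stay silent.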
In-depth malware analysis
In the new attack chain, UAT-5647 relies on several programming languages, including Go, C++, Rust, and Lua, to build its multifunctional malicious components. The malware is designed to collect data, download additional files, and launch PuTTY Plink for further spread across the network.
Among its features, SingleCamper can send commands to its ShadyHammock loader via a local interface, which lets the operators control the infected system and execute system-level commands without additional traffic to external servers.
The UAT-5647 attacks continue, and Talos analysts expect the group to intensify its activity in order to gain long-term access and steal data, while continuing to use ransomware to disrupt infrastructure and generate profit.
Source