New Cyber Attacks: RomCom Unleashes RAT Variant

A recent wave of cyberattacks has targeted Ukrainian government agencies and select Polish entities, with the Russian-based threat actor known as RomCom behind the operations.

These attacks, ongoing since late 2023, feature a new variant of the RomCom remote access trojan (RAT), called SingleCamper (also known as SnipBot or RomCom 5.0), according to a report that tracks the activity under the name UAT-5647.

This latest version of SingleCamper is notable for being loaded directly from the registry into memory and for communicating with its loader over a loopback address.
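As an added defensive example (not code from the report or from this article), the following Python heuristic flags registry values that look like in-registry payload storage: values that begin with a PE header, or large blobs whose byte entropy is close to that of packed or encrypted data. The registry records are constructed inline; in practice they would come from a hive export.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class RegValue:
    """One registry value as read from a hive export (constructed records below)."""
    key: str
    name: str
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed or encrypted payloads sit near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_values(values, min_size=16 * 1024, min_entropy=7.0):
    """Return (key, name, reasons) for values that look like stored executables."""
    findings = []
    for v in values:
        reasons = []
        if v.data[:2] == b"MZ":
            reasons.append("PE header")
        if len(v.data) >= min_size and shannon_entropy(v.data) >= min_entropy:
            reasons.append(f"large high-entropy blob ({len(v.data)} bytes)")
        if reasons:
            findings.append((v.key, v.name, reasons))
    return findings


# Constructed sample hive content (key names are assumptions, not from the report):
# a normal setting, a large but low-entropy blob, a value carrying a PE header,
# and a packed-looking payload generated from a seeded PRNG.
_rng = random.Random(1)
SAMPLE_VALUES = [
    RegValue(r"HKCU\Software\ExampleApp", "Theme", b"dark"),
    RegValue(r"HKCU\Software\ExampleApp", "Cache", b"\x00" * 40_000),
    RegValue(r"HKCU\Software\ConstructedExample", "Stage1", b"MZ\x90\x00" + b"A" * 64),
    RegValue(r"HKCU\Software\ConstructedExample", "Stage2",
             bytes(_rng.getrandbits(8) for _ in range(32_768))),
]

if __name__ == "__main__":
    for key, name, reasons in suspicious_values(SAMPLE_VALUES):
        print(f"{key}\\{name}: {', '.join(reasons)}")
```

Thresholds are a starting point: tune the size and entropy cut-offs against a baseline of your own hives, since legitimate software also stores compressed data in the registry.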

The RomCom group, which first emerged in 2022, has engaged in a range of malicious activities, including ransomware, credential theft, and extortion. Recently, the group’s operations have accelerated, focusing on long-term access to compromised networks for data exfiltration, signaling a clear espionage objective.

The attackers are rapidly expanding their infrastructure and malware arsenal, developing components in various programming languages like C++ (ShadyHammock), Rust (DustyHammock), Go (GLUEEGG), and Lua (DROPCLUE).

Their attack chain typically begins with spear-phishing emails that deliver a downloader, written in C++ (MeltingClaw) or Rust (RustyClaw), which then deploys the backdoors ShadyHammock or DustyHammock.

These attacks deceive the victim by presenting a decoy document while the malware initiates communication with a command-and-control server, enabling remote commands and file downloads.

The ultimate goal of these attacks appears to be twofold: to establish long-term access for espionage and data exfiltration, and possibly to pivot to ransomware deployment for financial gain.

While Ukrainian entities are the primary targets, evidence suggests that Polish organizations may also have been targeted, based on language checks performed by the malware.

In parallel, CERT-UA has reported cyber theft attacks by another threat actor, UAC-0050. This group has been attempting to steal funds and sensitive information from Ukrainian enterprises using malware families such as Remcos RAT, SectopRAT, and Meduza Stealer.

Between September and October 2024, UAC-0050 made at least 30 attempts to steal significant sums through fraudulent banking transactions, targeting accountants by abusing remote control tools like Remcos.

To protect against such sophisticated cyber threats, organizations should strengthen their cybersecurity defenses through regular updates and implement multi-factor authentication. Network segmentation, monitoring for abnormal behavior, and employing endpoint detection and response (EDR) tools are also crucial steps in preventing long-term network infiltration and data theft.