Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

Russia-linked RomCom group targeted Ukrainian government agencies since late 2023

Russia-linked threat actor RomCom targeted Ukrainian government agencies and Polish entities in cyber attacks since late 2023. Cisco Talos researchers observed Russia-linked threat actor RomCom (aka UAT-5647, Storm-0978, Tropical Scorpius, UAC-0180, UNC2596) targeting Ukrainian government agencies and Polish entities in a new wave of attacks since at least late 2023.  In the recent attacks, RomCom […]

RomCom

Russia-linked threat actor RomCom targeted Ukrainian government agencies and Polish entities in cyber attacks since late 2023.

Cisco Talos researchers observed Russia-linked threat actor RomCom (aka UAT-5647, Storm-0978, Tropical Scorpius, UAC-0180, UNC2596) targeting Ukrainian government agencies and Polish entities in a new wave of attacks since at least late 2023. 

In the recent attacks, RomCom deployed an updated variant of the RomCom RAT dubbed ‘SingleCamper.’ SingleCamper is loaded directly from registry into memory and relies on a loopback address to communicate with its loader. The threat actors also employed two new downloaders, called RustClaw and MeltingClaw, plus two backdoors, DustyHammock (Rust-based) and C++-based ShadyHammock.

In the past, RomCom launched ransomware attacks and cyber espionage campaigns, however, it is ramping up attacks focused on data exfiltration from Ukrainian targets. The group uses multiple tools and malware languages (GoLang, C++, RUST, LUA) to establish long-term access for espionage, possibly followed by ransomware deployment for disruption and profit. Polish entities were likely targeted as well, based on malware language checks.

“The infection chain consists of a spear-phishing message delivering a downloader consisting of either of two variants: “RustyClaw” – a RUST-based downloader, and a C++ based variant we track as “MeltingClaw”.” reads the report published by Talos. “The downloaders make way for and establish persistence for two distinct backdoors we call “DustyHammock” and “ShadyHammock,” respectively.”

DustyHammock operates as the main backdoor for C2 communications, while ShadyHammock loads the SingleCamper malware and can receive commands from other malicious components.

RomCom

Once the initial network reconnaissance is completer, RomCom used PuTTY’s Plink tool to create remote tunnels connecting targeted endpoints with attacker-controlled servers.

SingleCamper malware registers infections by sending system info to C2, executes recon commands, and can download additional tools, exfiltrate files, or manage infections.

The report includes details about RomCom’s arsenal, Talos also shared IOCs for this threat.  

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RomCom)