Cyber Threat Actor RomCom Linked to New Wave of Attacks Targeting Ukrainian Government and Polish Entities – Analysis and Insights
Russian Threat Actor RomCom Linked to Cyber Attacks on Ukrainian and Polish Entities
The Russian threat actor known as RomCom has been linked to a recent wave of cyber attacks targeting Ukrainian government agencies and unidentified Polish entities. The attacks, which have been ongoing since late 2023, use a newly discovered variant of the RomCom Remote Access Trojan (RAT) tracked as SingleCamper.
According to security researchers at Cisco Talos, who track the activity under the codename UAT-5647, SingleCamper is notable for loading directly from the registry into memory and communicating with its loader over a loopback address. Keeping the payload in the registry rather than in a file on disk, and keeping loader-to-RAT traffic on the local host, helps the implant evade file-based and network-perimeter detection while it carries out its activity.
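As an added example (not code from the article or from Cisco Talos' report), the following Python snippet shows a small defender-side detection pass for the two SingleCamper behaviours described above: a payload staged in the registry and loaded into memory, and loader-to-RAT traffic over a loopback address. The telemetry layout, field names, allowlist and thresholds are assumptions rather than documented indicators, and the sample registry snapshot and network events are constructed.

```python
"""
Added example, not from the article or from Cisco Talos: heuristic checks
over constructed telemetry for (1) a binary payload staged in a registry
value and (2) loopback connections between two unrelated processes.
Field names, thresholds and the allowlist are assumptions.
"""
import math
from collections import Counter

# Constructed thresholds (assumptions): a registry value this large, this
# random-looking, or starting with a DOS header deserves a closer look.
MIN_SUSPECT_BYTES = 4096
ENTROPY_THRESHOLD = 7.0  # bits per byte; encrypted or packed data sits near 8.0
LOOPBACK_PREFIXES = ("127.", "::1")
# Processes that routinely talk to themselves over loopback (assumption;
# a real deployment would baseline this per environment).
LOOPBACK_ALLOWLIST = {"svchost.exe", "lsass.exe"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_registry_value(name: str, data: bytes) -> list[str]:
    """Return the reasons a registry value looks like a staged in-memory payload."""
    reasons = []
    if data[:2] == b"MZ":
        reasons.append("starts with DOS header")
    if len(data) >= MIN_SUSPECT_BYTES:
        reasons.append(f"large binary value ({len(data)} bytes)")
    if len(data) >= 256 and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        reasons.append("high-entropy data (possibly encrypted or packed)")
    return reasons


def scan_registry_snapshot(snapshot: dict[str, dict[str, bytes]]) -> list[dict]:
    """snapshot maps a key path to {value name: raw bytes}; returns findings."""
    findings = []
    for key, values in snapshot.items():
        for name, data in values.items():
            reasons = classify_registry_value(name, data)
            if reasons:
                findings.append({"key": key, "value": name, "reasons": reasons})
    return findings


def find_loopback_pairs(net_events: list[dict]) -> list[dict]:
    """Flag loopback connections between two distinct, non-allowlisted processes."""
    findings = []
    for ev in net_events:
        dst = ev["dest_ip"]
        if not dst.startswith(LOOPBACK_PREFIXES):
            continue  # only loopback traffic is of interest here
        src, peer = ev["image"], ev.get("peer_image")
        if peer is None or src == peer:
            continue  # unknown peer, or a process talking to itself
        if src in LOOPBACK_ALLOWLIST or peer in LOOPBACK_ALLOWLIST:
            continue
        findings.append({"src": src, "peer": peer,
                         "dest": f"{dst}:{ev['dest_port']}"})
    return findings


# Constructed sample data: one ordinary value and one that looks like a staged PE
# (a DOS header followed by deterministic, maximally uniform bytes).
SAMPLE_REGISTRY = {
    r"HKCU\Software\Example\Settings": {"Theme": b"dark"},
    r"HKCU\Software\Example\Cache": {"Blob": b"MZ" + bytes(range(256)) * 32},
}
SAMPLE_NET = [
    {"image": "svchost.exe", "peer_image": "svchost.exe",
     "dest_ip": "127.0.0.1", "dest_port": 135},
    {"image": "loader.exe", "peer_image": "host_proc.exe",
     "dest_ip": "127.0.0.1", "dest_port": 49152},
    {"image": "chrome.exe", "peer_image": None,
     "dest_ip": "203.0.113.5", "dest_port": 443},
]

if __name__ == "__main__":
    for f in scan_registry_snapshot(SAMPLE_REGISTRY):
        print("registry:", f)
    for f in find_loopback_pairs(SAMPLE_NET):
        print("loopback:", f)
```

Loopback traffic is common on any Windows host, so the network check only fires for a pair of distinct processes that are both outside the allowlist; the registry heuristics are likewise meant to be tuned against a baseline of what large or high-entropy values the environment legitimately stores.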
The RomCom threat actor, known by various aliases such as Storm-0978, Tropical Scorpius, and UNC2596, has a history of engaging in multiple types of cyber operations, including ransomware, extortion, and targeted credential gathering. Recent assessments suggest that the group has ramped up its attacks with the goal of establishing long-term access to compromised networks and exfiltrating sensitive data for espionage purposes.
The attack chains orchestrated by RomCom typically begin with a spear-phishing email carrying a malicious downloader written in C++ or Rust. These downloaders deploy the ShadyHammock and DustyHammock backdoors, which in turn stage the SingleCamper RAT.
The researchers warn that the attacks on Ukrainian entities are part of a larger espionage campaign aimed at maintaining long-term access and stealing sensitive information. They also suspect, based on analysis of the malware's behavior, that Polish entities have been targeted.
The discovery of the SingleCamper RAT variant underscores the evolving tactics and capabilities of threat actors like RomCom, highlighting the need for increased vigilance and cybersecurity measures to protect against such sophisticated attacks.