UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants

By Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer and Vitor Ventura. 

Cisco Talos has observed a new wave of attacks, active since at least late 2023, from a Russian-speaking group we track as “UAT-5647”, against Ukrainian government entities and unknown Polish entities. UAT-5647 is also known as RomCom and is widely attributed to Russian-speaking threat actors in open-source reporting. The latest series of attacks deploys an updated version of the RomCom malware that we track as “SingleCamper”. This version is loaded directly from the registry into memory and uses the loopback address to communicate with its loader. UAT-5647 has also evolved its tooling to include four distinct malware families: two downloaders we track as RustClaw and MeltingClaw; a Rust-based backdoor we call DustyHammock; and a C++-based backdoor we call ShadyHammock. During lateral movement, the threat actor attempted to compromise edge devices by tunneling internal interfaces to external, remote hosts controlled by UAT-5647. Had this succeeded, the actor would have had a higher chance of evading detection during the incident response process.

UAT-5647 has long been considered a multi-motivational threat actor performing both ransomware and espionage-oriented attacks. However, UAT-5647 has accelerated its attacks in recent months with a clear focus on establishing long-term access for exfiltrating data of strategic interest to it. Our assessment, in line with recent reporting from CERT-UA and Palo Alto Networks, indicates that the threat actor is aggressively expanding its tooling and infrastructure to support a wide variety of malware componen ..
