
A new RomCom malware variant has been attacking targets in Ukraine and Poland. Behind it is a Russian-speaking actor with multiple motivations, including both ransomware and espionage, researchers at Cisco Talos warn.
The threat actor was labeled UAT-5647. It has accelerated its attacks in recent months.
Its main objective seems to be establishing long-term access for exfiltrating data of strategic interest.
“The threat actor is aggressively expanding its tooling and infrastructure to support a wide variety of malware components authored in diverse languages and platforms,” the new report reads.
In the initial stage after gaining access, UAT-5647 exfiltrates data for as long as possible to support espionage motives. Subsequently, the threat actor pivots to ransomware deployment, aiming to disrupt systems and likely to generate financial gains.
UAT-5647 relies on spear-phishing messages to deliver two variants of downloaders, which in turn deploy two distinct backdoors. Before proceeding, one of the downloaders checks whether the keyboard layout indicates a Polish-, Ukrainian-, or Russian-speaking user.
The gang stands out in its post-compromise activity, as it started targeting edge devices from inside the compromised networks.
“The threat actors were particularly interested in network reconnaissance,” the researchers noted.
The toolset allows attackers to execute commands, download additional payloads, and communicate with command and control servers.
The final payload is the RomCom variant dubbed ‘SingleCamper,’ which carries all of the malicious post-compromise activities.
“This version is loaded directly from the registry into memory and uses the loopback address to communicate with its loader,” researchers noted.
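The two behaviours in that quote, a payload staged in the registry and loader-to-payload traffic over loopback, are both things host telemetry can surface. The script below is an added example written for this article, not code from Talos or from the report; it runs two triage checks over constructed data: it flags loopback connections made by processes outside a hypothetical allowlist, and it parses a constructed `.reg` export for binary values that carry a PE header or are unusually large. The process paths, allowlist, registry key and byte values are all made up for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# --- Check 1: loopback connections from processes not expected to use them ---

@dataclass
class NetEvent:
    pid: int
    image: str      # full path of the connecting process
    dst_ip: str
    dst_port: int

# Hypothetical allowlist of processes that legitimately talk over loopback here.
LOOPBACK_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\examplevendor\helper.exe",
}

# Constructed telemetry (not real logs from the report).
SAMPLE_EVENTS = [
    NetEvent(1204, r"C:\Windows\System32\svchost.exe", "127.0.0.1", 5357),
    NetEvent(3310, r"C:\Users\user\AppData\Roaming\update.exe", "127.0.0.1", 49812),
    NetEvent(3310, r"C:\Users\user\AppData\Roaming\update.exe", "203.0.113.10", 443),
    NetEvent(4020, r"C:\Program Files\ExampleVendor\helper.exe", "::1", 8080),
]

def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1; malformed addresses are treated as non-loopback."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def suspicious_loopback(events, allowlist=LOOPBACK_ALLOWLIST):
    """Return events where a non-allowlisted process connects to a loopback address."""
    return [e for e in events
            if is_loopback(e.dst_ip) and e.image.lower() not in allowlist]

# --- Check 2: registry values holding executable-looking binary blobs ---

# Constructed .reg export; the 32 bytes start with an MZ header on purpose.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\Settings]
"Theme"="dark"
"Cache"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,\
  b8,00,00,00,00,00,00,00,40,00,00,00,00,00,00,00
"Flag"=dword:00000001
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\(\d+\))?:(?P<data>.*)$')

def _hex_to_bytes(s: str) -> bytes:
    return bytes(int(h, 16) for h in s.replace(" ", "").split(",") if h)

def parse_reg_binary_values(text):
    """Yield (key, name, bytes) for every hex value in a .reg export,
    joining the backslash-continued lines that regedit writes."""
    key, name, chunks, collecting = None, None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if collecting:
            chunks.append(line.rstrip("\\"))
            if not line.endswith("\\"):
                yield key, name, _hex_to_bytes("".join(chunks))
                collecting = False
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = m.group("name"), m.group("data")
            chunks = [data.rstrip("\\")]
            if data.endswith("\\"):
                collecting = True
            else:
                yield key, name, _hex_to_bytes(chunks[0])

def suspicious_registry_blobs(text, min_size=64 * 1024):
    """Flag binary values that start with a PE 'MZ' header or exceed min_size bytes."""
    return [(key, name, len(data))
            for key, name, data in parse_reg_binary_values(text)
            if data[:2] == b"MZ" or len(data) >= min_size]

if __name__ == "__main__":
    for e in suspicious_loopback(SAMPLE_EVENTS):
        print(f"loopback from non-allowlisted process pid={e.pid} {e.image} -> {e.dst_ip}:{e.dst_port}")
    for key, name, size in suspicious_registry_blobs(SAMPLE_REG):
        print(f"binary blob in {key}\\{name} ({size} bytes)")
```

Both checks are heuristics: loopback traffic is common on real hosts, so the allowlist has to be built from a baseline of the environment, and a payload stored in the registry need not begin with an MZ header (it may be encrypted or a shellcode blob), which is why the size threshold is kept as a second trigger.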
Palo Alto recently also reported on this malware variant, which it alternatively calls SnipBot.
CERT-UA previously shared some of the tactics the criminals use. They send emails with ZIP attachments containing PDF documents that prompt recipients to ‘download missing fonts.’ Clicking the link downloads the file ‘adobe_acrobat_fonts_pack.exe,’ which then starts the infection chain.
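The lure described by CERT-UA is a ZIP holding a PDF whose link fetches an executable. The script below is an added example, not part of the CERT-UA advisory or the article, showing how a mail-gateway triage step could flag that pattern: it opens the ZIP, finds PDF members, pulls every `/URI` link string out of them, and reports links whose path ends in an executable extension. The PDF bytes and the hostname are constructed for the example; only the executable's filename is taken from the advisory.

```python
import io
import re
import zipfile

# Constructed lure: a minimal PDF with a single Link annotation. The host is made up;
# the filename is the one named in the CERT-UA advisory quoted above.
FAKE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (http://fonts.example.invalid/adobe_acrobat_fonts_pack.exe) >> >> endobj\n"
    b"%%EOF\n"
)

def build_sample_zip() -> bytes:
    """Build the constructed ZIP attachment in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", FAKE_PDF)
    return buf.getvalue()

# Matches the literal-string form of a PDF URI action: /URI (http://...)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# File extensions that should never be the target of a 'download fonts' link.
SUSPICIOUS_EXT = (".exe", ".scr", ".msi", ".hta", ".js", ".vbs", ".bat")

def extract_pdf_uris(pdf_bytes: bytes):
    """Return every URI string found in uncompressed PDF objects."""
    return [m.group(1).decode("latin-1", "replace") for m in URI_RE.finditer(pdf_bytes)]

def triage_zip(zip_bytes: bytes):
    """Return (member, uri) pairs for PDF members whose links point at executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            if not data.startswith(b"%PDF"):
                continue
            for uri in extract_pdf_uris(data):
                # Strip query and fragment before checking the extension.
                path = uri.split("?", 1)[0].split("#", 1)[0].lower()
                if path.endswith(SUSPICIOUS_EXT):
                    findings.append((info.filename, uri))
    return findings

if __name__ == "__main__":
    for member, uri in triage_zip(build_sample_zip()):
        print(f"{member}: link to executable {uri}")
```

Real PDFs usually keep their objects inside compressed object streams, so in production the regex pass would run over the decompressed objects produced by a PDF library rather than the raw bytes; the check itself (any link whose target is an executable) stays the same.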
While some of the infrastructure used by the attackers overlaps across the different reports, the latest Talos findings show that the hackers rotate domains, IP addresses, builds, and other artifacts.