Russian Cyber Actor RomCom Targets Ukrainian Government with New SingleCamper RAT Variant
October 17, 2024
Threat Intelligence / Malware
A recent wave of cyber attacks has been linked to the Russian threat actor known as RomCom, specifically targeting Ukrainian government agencies and undisclosed Polish entities since late 2023. This escalation in malicious activity has been characterized by the deployment of a new variant of the RomCom Remote Access Trojan (RAT), referred to as SingleCamper, also known colloquially as SnipBot or RomCom 5.0. Cisco Talos, which is closely monitoring this activity cluster under the designation UAT-5647, has provided insights into the operational techniques employed in these intrusions.
According to security researchers Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer, and Vitor Ventura, this latest version of the malware operates by loading directly from the Windows registry into the system’s memory. It employs a loopback address to facilitate communications with its loader, thereby enhancing its stealth and efficacy. This method of operation underscores the sophistication of RomCom’s tactics and highlights its adaptability in avoiding detection.
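The registry-resident loading described above leaves a defensive footprint: the payload has to sit somewhere in the registry as a value large enough to hold code, and such blobs tend to look nothing like the small strings and DWORDs that normally live there. The following Python is an added example, not code from the Talos report or from RomCom analysis, that scores registry values on size, byte entropy and a leading PE magic so a defender can sweep for values worth a closer look. The sample values, the key paths and the thresholds (16 KiB, 7.0 bits per byte) are constructed assumptions for the demonstration; on a live Windows host the optional `collect_from_winreg` helper feeds the same checks from the standard-library `winreg` module.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class RegistryValue:
    """One registry value, with its data normalised to raw bytes."""
    key: str
    name: str
    kind: int        # winreg type constant (REG_SZ=1, REG_BINARY=3, ...)
    data: bytes


# Thresholds are assumptions chosen for this example, not published indicators.
SIZE_THRESHOLD = 16 * 1024      # values this large rarely hold ordinary config
ENTROPY_THRESHOLD = 7.0         # packed/encrypted code approaches 8 bits per byte
MIN_ENTROPY_SAMPLE = 256        # entropy on tiny values is meaningless


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def flag_suspicious_values(values, size_threshold=SIZE_THRESHOLD,
                           entropy_threshold=ENTROPY_THRESHOLD):
    """Return (key, name, reasons) for every value that trips at least one heuristic."""
    findings = []
    for v in values:
        reasons = []
        if len(v.data) >= size_threshold:
            reasons.append(f"large value ({len(v.data)} bytes)")
        if len(v.data) >= MIN_ENTROPY_SAMPLE:
            ent = shannon_entropy(v.data)
            if ent >= entropy_threshold:
                reasons.append(f"high entropy ({ent:.2f} bits/byte)")
        if v.data[:2] == b"MZ":
            reasons.append("starts with PE header magic 'MZ'")
        if reasons:
            findings.append((v.key, v.name, reasons))
    return findings


def collect_from_winreg(hive_root, subkey):
    """Enumerate one key's values with the standard-library winreg module (Windows only).
    Assumption: the caller picks the hives/keys to sweep; nothing here is a known RomCom path."""
    import winreg
    out = []
    with winreg.OpenKey(hive_root, subkey) as key:
        index = 0
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, index)
            except OSError:          # raised once the value list is exhausted
                break
            raw = data if isinstance(data, bytes) else str(data).encode("utf-16-le")
            out.append(RegistryValue(subkey, name, kind, raw))
            index += 1
    return out


def build_sample():
    """Constructed sample: two ordinary values and one that looks like an in-registry payload."""
    rng = random.Random(1234)   # fixed seed so the demo is deterministic
    fake_payload = b"MZ" + rng.randbytes(20 * 1024)   # high-entropy blob behind a PE magic
    return [
        RegistryValue(r"HKCU\Software\ExampleApp", "InstallPath", 1,
                      r"C:\Program Files\ExampleApp".encode("utf-16-le")),
        RegistryValue(r"HKCU\Software\ExampleApp", "WindowLayout", 3, bytes(4096)),
        RegistryValue(r"HKCU\Software\ExampleApp\Cache", "Blob", 3, fake_payload),
    ]


if __name__ == "__main__":
    for key, name, reasons in flag_suspicious_values(build_sample()):
        print(f"{key}\\{name}: " + "; ".join(reasons))
```

The three heuristics are deliberately independent: a loader may strip the `MZ` header, compress the code, or split it across several smaller values, so a single value tripping only one check still deserves triage rather than dismissal. Pair the sweep with a process-level check for unexpected loopback TCP sessions, since the article notes the loader and payload talk over a loopback address.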
Since its emergence in 2022, RomCom, which is also tracked under various aliases including Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has engaged in a range of multi-motivational operations. Activities have included ransomware deployments, extortion schemes, and targeted credential gathering. Recent assessments have indicated a heightened operational tempo, suggesting an intent to establish long-term persistent access to compromised systems.
The primary targets of these attacks reside in Ukraine, whose heightened geopolitical tensions leave its government cybersecurity infrastructure particularly exposed to state-sponsored actors. The techniques RomCom uses map onto adversary tactics catalogued in the MITRE ATT&CK framework: initial access through exploitation of vulnerabilities, persistence via registry manipulation, and potential privilege escalation to gain expanded access rights within targeted systems.
As cybersecurity risks evolve, businesses, particularly those operating in or with entities in high-risk regions, must remain vigilant. Understanding the tactics employed by groups like RomCom can assist organizations in fortifying their defenses against such sophisticated cyber threats. By maintaining awareness of potential vulnerabilities and implementing comprehensive security measures, business owners can work to mitigate the risks posed by evolving cyber adversaries.
Overall, the emergence of the SingleCamper variant marks a significant development in the ongoing cyber conflicts in the region, with implications that stretch beyond immediate targets to broader issues of cybersecurity resilience and response among nations caught in the crosshairs of digital warfare.