Russian RomCom Attacks Target Ukrainian Government with New SingleCamper RAT Variant

The RomCom threat actor group, linked to Russia, has been identified in a new wave of cyber attacks targeting Ukrainian government agencies and unspecified Polish entities since late 2023. This campaign involves a variant of the RomCom Remote Access Trojan (RAT) named SingleCamper (also referred to as SnipBot or RomCom 5.0). Cisco Talos researchers, including Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer, and Vitor Ventura, have been tracking this operation, labeling it as UAT-5647.

RomCom, also tracked under multiple aliases including Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has demonstrated a wide-ranging operational scope since its emergence in 2022. Initially recognized for ransomware and extortion operations, the group has expanded into targeted credential theft and espionage, particularly in recent attacks against Ukrainian and Polish targets.

TECHNICAL DETAILS

Vulnerabilities and CWE Mappings:

While RomCom’s operations exploit social engineering and delivery mechanisms like spear-phishing rather than specific software vulnerabilities, certain Common Weakness Enumeration (CWE) categories and techniques are indirectly relevant:

  • CWE-476: NULL Pointer Dereference – Potential vulnerabilities in the memory-loading mechanisms of certain malware components (such as the RomCom RAT SingleCamper). Because the malware is loaded directly from the system registry into memory, improper memory handling in that loading path could expose such weaknesses.
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) – When backdoors like ShadyHammock and DustyHammock communicate with a C2 server, they may exploit weak sanitization of input to run arbitrary commands on the compromised system.
  • CWE-284: Improper Access Control – Exploiting misconfigured access control settings within networks, RomCom attackers escalate privileges or gain unauthorized access to sensitive information.
  • CWE-912: Hidden Functionality – RomCom malware may include hidden features that evade detection, such as bypassing security tools by loading from the system registry.

Threat Intelligence

RomCom (tracked as Storm-0978, Tropical Scorpius, Void Rabisu, etc.) is known for blending espionage, ransomware, and extortion tactics since its discovery in 2022. It is linked to Russian threat actors and has targeted Ukrainian and Polish government agencies.

The threat actor’s operational tempo has increased in recent months, and the group’s current strategy focuses on:

  • Data Exfiltration: Suggesting a clear espionage agenda.
  • Long-term Persistence: Ensuring they maintain access to compromised networks through stealthy backdoors and malware loaders.
  • Multi-language and Multi-platform Tooling: Showing increasing sophistication and adaptability to various environments.

Malware Details

  1. SingleCamper (RomCom RAT 5.0 / SnipBot)
    • Type: Remote Access Trojan (RAT)
    • Behavior: Loaded directly into memory from the Windows registry to avoid traditional file-based detection methods. It communicates with its loader through a loopback address, making network detection more challenging.
    • Functions:
      • Memory-resident execution
      • C2 communication via encrypted channels
      • Arbitrary command execution
      • Data exfiltration capabilities
    • Role: Primarily used for espionage and maintaining long-term network persistence.
  2. ShadyHammock (C++)
    • Type: Backdoor
    • Functions:
      • Launches the SingleCamper RAT
      • Listens for incoming C2 commands
      • Executes downloaded commands and scripts
    • Purpose: Acts as a launchpad for SingleCamper but also performs basic backdoor functionalities.
  3. DustyHammock (Rust)
    • Type: Backdoor
    • Functions:
      • More advanced than ShadyHammock
      • Contacts the C2 server directly
      • Downloads and executes arbitrary commands
      • Data exfiltration capabilities
    • Recent Activity: Deployed as part of ongoing campaigns as recently as September 2024, suggesting that RomCom is shifting to this more advanced variant.
  4. MeltingClaw (C++) and RustyClaw (Rust)
    • Type: Downloaders
    • Functions: Delivered via spear-phishing, these downloaders are responsible for loading either the ShadyHammock or DustyHammock backdoors onto the victim’s machine.
    • Mechanism: Delivered through emails with malicious attachments, often paired with decoy documents to distract the user while the downloader works in the background.
  5. GLUEEGG (Go)
    • Type: Additional malware component
    • Purpose: Supportive module in RomCom’s malware ecosystem, specifics unknown but potentially used for system reconnaissance or secondary payloads.
  6. DROPCLUE (Lua)
    • Type: Malware module
    • Purpose: Likely used to drop further payloads, or aid in system evasion and obfuscation.

Indicators of Compromise (IoCs):

The following indicators are associated with RomCom’s cyber attacks, including IP addresses, domains, file hashes, and other markers relevant to identifying their activity:

  1. Domains & URLs

RomCom often uses spear-phishing emails with malicious links or attachments. Below are examples of potential malicious domains used for phishing, C2, and data exfiltration:

  2. IP Addresses

These IP addresses are associated with RomCom’s C2 servers and infrastructure, and any communication to or from these addresses should be flagged:

  3. File Hashes (SHA-256)

RomCom’s malware is often distributed in attachments via spear-phishing. The following file hashes represent some of the malware samples used by RomCom:

  4. Email Addresses & Senders

RomCom uses phishing emails that impersonate legitimate services or entities to trick users. The following email addresses are examples of those used in campaigns:

  5. Network Traffic

RomCom uses encrypted communications to interact with their C2 infrastructure. Monitoring for unusual outbound traffic to IP addresses and domains listed above is critical.

  • Anomalous traffic patterns:
    • Encrypted communication over unusual ports (such as 8080, 8443)
    • Loopback address usage for malware and loader communication

IMPACT

1. Data Exfiltration and Espionage

RomCom’s primary goal in many of its campaigns appears to be data theft for espionage purposes. This involves:

  • Exfiltration of sensitive government data: The theft of confidential documents and communications can give the attackers critical intelligence, especially in geopolitical and military contexts.
  • Compromise of critical infrastructure: Government institutions, military organizations, or entities in key sectors (e.g., energy, finance, and transport) are at risk of having strategic plans and sensitive information exposed.
  • Long-term espionage: The ability of RomCom to maintain long-term persistence within networks means the attackers could continue gathering intelligence over an extended period without being detected.

2. Operational Disruption

  • Network compromise: Once RomCom gains access, the malware could disrupt operations by escalating privileges, moving laterally across the network, and disabling security systems.
  • Damage to infrastructure: If RomCom delivers ransomware, it can lock systems, making them inoperable until a ransom is paid, which can severely disrupt government services or business operations.
  • System downtime: The detection and remediation of RomCom’s sophisticated malware require significant time and resources, potentially leading to operational downtime.

3. Financial and Reputational Damage

  • Direct financial costs: Costs associated with:
    • Incident response
    • Forensics and recovery efforts
    • System rebuilding and security enhancements
  • Ransomware extortion: If RomCom uses ransomware, the financial costs from extortion (whether paid or not) and downtime could be significant.
  • Legal consequences: Breaches involving sensitive or personal data can lead to regulatory fines or lawsuits, especially if they involve GDPR violations or other privacy regulations.
  • Reputational harm: Governments or organizations hit by RomCom may experience loss of public trust, especially if sensitive data is leaked.

4. National Security Risks

Given that RomCom’s recent operations target Ukrainian government agencies and unknown Polish entities, the national security implications are substantial:

  • Compromise of state secrets: Theft of sensitive government information could weaken national security by exposing defense strategies, diplomatic communications, and intelligence assets.
  • Disruption of critical infrastructure: Government entities related to defense, energy, and public safety could be undermined, impacting national stability.
  • Targeted attacks on allies: RomCom’s ability to target Polish entities suggests broader geopolitical intentions, potentially impacting NATO allies and increasing tensions in Europe.

5. Strategic Implications in Conflict Zones

  • Ukraine-specific espionage: With the ongoing conflict between Ukraine and Russia, the cyber attacks attributed to RomCom could be part of a broader Russian strategy to undermine Ukraine’s government, military, and intelligence apparatus.
  • Influence on international relations: Compromising Polish and Ukrainian systems may also impact international diplomatic relations, especially with countries allied with these nations. It could expose foreign communications or defense collaborations, thereby influencing foreign policy.

RECOMMENDATIONS

1. Endpoint Detection and Response (EDR)

Deploy EDR solutions that can detect and respond to suspicious activities, including:

  • In-memory malware detection: Since RomCom’s SingleCamper RAT is loaded directly from the registry into memory, traditional file-based detection may fail. Use EDR tools that monitor memory and system behavior.
  • Registry monitoring: Implement registry auditing to detect suspicious changes, such as the creation or modification of keys associated with RomCom malware (e.g., SingleCamper’s registry key).
  • Anomaly detection: Use machine learning and behavior-based detection to spot unusual activity, like command-and-control (C2) communications, unauthorized file executions, or lateral movement within the network.
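
One way to correlate the registry and loopback signals above with the unusual-port traffic noted under Network Traffic, per process. This is an added example, not code from Cisco Talos or the original article; the event schema, field names, size threshold, allowlist and sample events are all constructed assumptions, and it simplifies by attributing the registry write and the loopback connection to the same process image.

```python
import ipaddress
from collections import defaultdict

BLOB_MIN_BYTES = 64 * 1024      # assumed threshold for a "payload-sized" registry value
WATCH_PORTS = {8080, 8443}      # ports the article calls out as unusual
PORT_ALLOWLIST = {"javaw.exe"}  # hypothetical: known legitimate users of those ports

# Constructed events in a simplified, assumed schema (not real telemetry).
EVENTS = [
    {"kind": "reg_set", "image": r"C:\Users\u1\AppData\Local\Temp\upd.exe",
     "key": r"HKCU\Software\ExampleVendor\Cache", "vtype": "REG_BINARY", "size": 412672},
    {"kind": "reg_set", "image": r"C:\Windows\System32\svchost.exe",
     "key": r"HKLM\SOFTWARE\Example\Flag", "vtype": "REG_DWORD", "size": 4},
    {"kind": "net", "image": r"C:\Users\u1\AppData\Local\Temp\upd.exe",
     "dst_ip": "127.0.0.1", "dst_port": 1342},
    {"kind": "net", "image": r"C:\Users\u1\AppData\Local\Temp\upd.exe",
     "dst_ip": "203.0.113.7", "dst_port": 8443},
    {"kind": "net", "image": r"C:\Program Files\App\helper.exe",
     "dst_ip": "127.0.0.1", "dst_port": 5939},
    {"kind": "net", "image": r"C:\Program Files\Java\bin\javaw.exe",
     "dst_ip": "198.51.100.20", "dst_port": 8080},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return {image: sorted findings}; events must be in time order."""
    findings = defaultdict(set)
    for ev in events:
        img = ev["image"]
        if ev["kind"] == "reg_set":
            if ev["vtype"] == "REG_BINARY" and ev["size"] >= BLOB_MIN_BYTES:
                findings[img].add("large-registry-blob")
        elif ev["kind"] == "net":
            ip = ipaddress.ip_address(ev["dst_ip"])
            # Loopback alone is common; flag it only after a registry blob write.
            if ip.is_loopback and "large-registry-blob" in findings.get(img, ()):
                findings[img].add("loopback-after-blob")
            elif (not ip.is_loopback and ev["dst_port"] in WATCH_PORTS
                  and basename(img) not in PORT_ALLOWLIST):
                findings[img].add("watch-port-egress")
    return {img: sorted(f) for img, f in findings.items()}

def high_priority(events):
    """Images that match at least two independent signals."""
    return sorted(i for i, f in triage(events).items() if len(f) >= 2)

print(high_priority(EVENTS))
```

Requiring two or more signals before escalating keeps ordinary loopback IPC and legitimate services on 8080/8443 from flooding the queue.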

2. Patch Management and Vulnerability Scanning

Regularly patch systems and scan for vulnerabilities to reduce the attack surface.

  • Timely patching: Ensure that all systems, especially critical infrastructure, are regularly patched to close known vulnerabilities that RomCom could exploit for initial compromise or lateral movement.
  • Vulnerability scanning: Conduct regular vulnerability scans across all endpoints and servers to identify and address potential weaknesses before they can be exploited.
  • Threat intelligence integration: Integrate threat intelligence feeds into vulnerability management systems to prioritize patches and remediation based on active threats.

3. Backups and Data Recovery

RomCom has been linked to ransomware operations. Protecting data through regular backups is essential.

  • Regular backups: Perform regular, encrypted backups of critical systems and data. Ensure backups are stored offline or in secure cloud environments to prevent ransomware from encrypting backup data.
  • Test recovery processes: Regularly test your ability to restore data and systems from backups to ensure that the recovery process is quick and effective in the event of a ransomware attack.

4. Malware Sandboxing and Forensic Analysis

  • Use sandbox environments: Test any suspicious files or attachments in isolated sandbox environments before allowing them into your network.
  • Forensic investigation: If an attack occurs, conduct a detailed forensic investigation to understand the attack vectors and prevent future compromise.

5. Secure Development and Supply Chain Security

RomCom has demonstrated the ability to target software vulnerabilities and supply chains. Strengthen software development and supplier processes:

  • Code review and secure coding practices: Ensure that developers follow secure coding practices to prevent vulnerabilities that RomCom could exploit. Perform regular code reviews and security assessments.
  • Supply chain security: Vet suppliers and third-party vendors for security risks. Ensure that any software or hardware you purchase has been tested for vulnerabilities.