Ukrainian and Polish entities targeted with RomCom malware variants
Essential information
- Published
- 17/10/2024 16:16
- Modified
- 18/10/2024 08:50
- Tags
- 2024-10-17 dustyhammock meltingclaw poland romcom russia rustclaw rustyclaw shadyhammock singlecamper ukraine
- Related entities
- 1 intrusion sets (apt), 9 techniques (mitre), 6 malware, 3 others
Description
A Russian-speaking threat group, UAT-5647, has been conducting attacks against Ukrainian government entities and Polish targets since late 2023. The group has evolved its toolset to include four distinct malware families: RustClaw and MeltingClaw downloaders, DustyHammock backdoor, and ShadyHammock backdoor. The attacks involve spear-phishing campaigns delivering these malware components, which ultimately lead to the deployment of an updated version of the RomCom malware called SingleCamper. UAT-5647's activities suggest a focus on establishing long-term access for data exfiltration, with potential for future ransomware deployment. The group's tactics include network reconnaissance, lateral movement, and attempts to compromise edge devices for evasion purposes.