The Cisco Talos team, specializing in cyber threat analysis, has reported a new wave of attacks conducted by the Russian-speaking group UAT-5647, also known as RomCom. These attacks, occurring since the end of 2023, are directed at institutions in Poland and Ukraine.
The group’s modus operandi relies on injecting malicious software directly into computer memory, which significantly complicates its detection by security software. Such attacks load malicious code into operating memory rather than onto disk, with the aim of minimizing traces and increasing the chances of long-term persistence in the victim’s system.
The goal of these actions is to obtain long-term access to data and steal it, which could lead to serious consequences for national security and the stability of institutions in the region. Given this growing threat, it is critical for organizations to take action to protect their data and infrastructure.
Infection Chain
The infection chain of UAT-5647 begins with a spear-phishing message, i.e. a personalized e-mail that contains a malicious attachment or link. Upon opening it, a downloader is installed, laying the groundwork for further infection and securing persistent access to the system.
Then, two backdoors are launched – DustyHammock and ShadyHammock. A backdoor is a malicious program or hidden mechanism in software that gives the attackers unauthorized access to the system, usually without the user’s knowledge. DustyHammock is the primary component that communicates with the attackers’ server and follows their commands. ShadyHammock has a more complex role – it activates additional malicious software (SingleCamper) and may receive commands from other malicious tools, giving the attackers broader control over the infected system.
Cyberattack Strategy
Cisco Talos estimates that the current activities of UAT-5647 serve a dual strategy – the group seeks to obtain long-term system access to exfiltrate data of strategic significance, and at a later stage it may deploy ransomware for financial gain and to disrupt the operations of the attacked systems.
It is worth noting that the group uses increasingly advanced techniques, writing its tools in several programming languages, including Go, C++, Rust, and Lua. Recent CERT-UA reports also confirm this.
Upon breaching a network, UAT-5647 conducts initial reconnaissance (network mapping) and downloads the Plink tool (part of PuTTY) to establish remote tunnels between infected endpoints and servers controlled by the attackers. This is a fairly common technique; however, in one case a tunnel was configured to an internal administrative port of an edge device. This gives the attackers remote access to the device’s administrative interface, which opens the way to further actions, such as monitoring or stealing data from the internal infrastructure.
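As an added, defensive illustration of the Plink tunnelling technique described above (this is not code from the Talos report or the article): a small Python detector that scans constructed process-creation records for plink.exe port-forward arguments and raises the severity when a remote (-R) forward exposes an internal host on an administrative port. The log line format, host names, addresses and the ADMIN_PORTS list are assumptions.

```python
import re
import ipaddress
from dataclasses import dataclass

# Constructed sample process-creation records (not real telemetry from the report).
SAMPLE_EVENTS = [
    "host=ws01 image=C:\\Users\\Public\\plink.exe cmdline=plink.exe -ssh -N -batch -R 0.0.0.0:9443:10.0.0.5:443 user@198.51.100.7",
    "host=ws02 image=C:\\Tools\\plink.exe cmdline=plink.exe -ssh -L 2222:localhost:22 admin@git.example.internal",
    "host=ws03 image=C:\\Windows\\notepad.exe cmdline=notepad.exe report.txt",
]

# Ports commonly exposed by edge-device management interfaces (assumed list; tune per estate).
ADMIN_PORTS = {22, 23, 443, 8443, 4443, 10443}

EVENT_RE = re.compile(r"^host=(?P<host>\S+) image=(?P<image>\S+) cmdline=(?P<cmdline>.*)$")
# Plink forward spec: -L/-R [listen-IP:]listen-port:host:port
FORWARD_RE = re.compile(
    r"-(?P<kind>[LR])\s+(?:(?P<lhost>[^:\s]+):)?(?P<lport>\d+):(?P<dhost>[^:\s]+):(?P<dport>\d+)"
)

@dataclass
class Finding:
    host: str
    kind: str
    target_host: str
    target_port: int
    severity: str

def _is_internal(host: str) -> bool:
    """RFC1918 address, loopback name, or an assumed internal DNS suffix."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host == "localhost" or host.endswith(".internal")

def analyze_event(line: str) -> list[Finding]:
    m = EVENT_RE.match(line)
    # Matching on the image name misses a renamed binary; pair this with a hash/signer check in practice.
    if not m or not m.group("image").lower().endswith("plink.exe"):
        return []
    findings = []
    for fwd in FORWARD_RE.finditer(m.group("cmdline")):
        dhost, dport, kind = fwd.group("dhost"), int(fwd.group("dport")), fwd.group("kind")
        # -R publishes an internal service on the remote SSH server: the edge-device case from the report.
        if kind == "R" and _is_internal(dhost) and dport in ADMIN_PORTS:
            severity = "high"
        elif kind == "R":
            severity = "medium"
        else:
            severity = "low"
        findings.append(Finding(m.group("host"), kind, dhost, dport, severity))
    return findings

def scan(events: list[str]) -> list[Finding]:
    return [f for event in events for f in analyze_event(event)]
```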
Importance of Cyber Defense
The RomCom attacks pose a serious threat to both Ukrainian and Polish institutions. The group aggressively expands its technical capabilities and infrastructure, which complicates defense against its attacks. The Cisco Talos team recommends implementing advanced network security measures and monitoring suspicious activities to minimize the risk of cyber-attacks on key institutions in the region.
Source: https://managerplus.pl/nowa-fala-atakow-cybernetycznych-skierowanych-przeciwko-ukrainie-i-polsce-16293