
UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants

Category | Details
--- | ---
Threat Actors | UAT-5647 (also known as RomCom), a Russian-speaking group
Campaign Overview | Active since late 2023, targeting Ukrainian government and Polish entities. Focus on espionage and potential ransomware attacks.
Target Regions (Victims) | Ukrainian government entities and unknown Polish entities.
Methodology | Spear-phishing emails, malware downloaders (RustyClaw, MeltingClaw), backdoors (DustyHammock, ShadyHammock), lateral movement, tunneling into the enterprise network.
Product Targeted | Edge devices, internal network systems, and critical infrastructure of Ukrainian and Polish entities.
Malware Reference | RomCom malware (SingleCamper), RustyClaw, MeltingClaw, DustyHammock, ShadyHammock
Tools Used | PuTTY's Plink (for tunneling), PowerShell (for reconnaissance), C++- and Rust-based tools, IPFS (InterPlanetary File System)
Vulnerabilities Exploited | Tunneling through internal ports, network reconnaissance, compromised edge devices
TTPs | Spear-phishing (T1071), Malware downloaders (T1070), Remote tunneling (T1572), Network discovery (T1016), Data exfiltration (T1560), System discovery (T1082)
Attribution | Likely Russian-speaking actors, attributed to UAT-5647 based on previous incidents
Recommendations | Use Cisco Secure Endpoint, Web Appliance, Email Security, Firewall, and Malware Analytics for detection, and enforce multi-factor authentication with Cisco Duo.
Source | Cisco Talos Blog

Read the full article: https://blog.talosintelligence.com/uat-5647-romcom/

The above summary has been generated by an AI language model
