| Category | Details |
|---|---|
| Threat Actors | UAT-5647 (also known as RomCom), a Russian-speaking group |
| Campaign Overview | Active since late 2023, targeting Ukrainian government and Polish entities. Focus on espionage and potential ransomware attacks. |
| Target Regions (Victims) | Ukrainian government entities and unknown Polish entities. |
| Methodology | Spear-phishing emails, malware downloaders (RustyClaw, MeltingClaw), backdoors (DustyHammock, ShadyHammock), lateral movement, tunneling into the enterprise network. |
| Product Targeted | Edge devices, internal network systems, and critical infrastructure of Ukrainian and Polish entities. |
| Malware Reference | RomCom malware (SingleCamper), RustyClaw, MeltingClaw, DustyHammock, ShadyHammock |
| Tools Used | PuTTY's Plink (for tunneling), PowerShell (for reconnaissance), C++- and Rust-based tools, IPFS (InterPlanetary File System) |
| Vulnerabilities Exploited | Tunneling through internal ports, network reconnaissance, compromised edge devices |
| TTPs | Spear-phishing (T1071), Malware downloaders (T1070), Remote tunneling (T1572), Network discovery (T1016), Data exfiltration (T1560), System discovery (T1082) |
| Attribution | Likely Russian-speaking actors, attributed to UAT-5647 based on previous incidents |
| Recommendations | Use Cisco Secure Endpoint, Web Appliance, Email Security, Firewall, and Malware Analytics for detection. Multi-factor authentication with Cisco Duo. |
| Source | Cisco Talos Blog |
Read the full article: https://blog.talosintelligence.com/uat-5647-romcom/
The above summary has been generated by an AI language model.