Russian threat operation RomCom has deployed the latest RomCom RAT variant, SingleCamper (also known as RomCom 5.0 and SnipBot), in attacks against government agencies in Ukraine and unknown organizations in Poland since late last year, The Hacker News reports.
RomCom, also known as Storm-0978, UAC-0180, Void Rabisu, UNC2596, and Tropical Scorpius, has used malicious spear-phishing messages to distribute the MeltingClaw or RustyClaw downloaders for the ShadyHammock and DustyHammock backdoors, respectively, with the latter facilitating the delivery of the SingleCamper trojan, according to a report from Cisco Talos. Such intrusions indicate RomCom's efforts to "establish long-term access and exfiltrate data for as long as possible to support espionage motives, and then potentially pivot to ransomware deployment to disrupt and likely financially gain from the compromise," researchers noted. The development comes after Ukraine's Computer Emergency Response Team reported that the UAC-0050 threat operation had leveraged Remcos RAT and other malicious payloads to facilitate data and financial theft activities.