UAT-5647’s SingleCamper Malware: A Silent Network Infiltrator

Threat Group: RomCom (aka UAT-5647)
Threat Type: Remote Access Trojan (RAT)
Exploited Vulnerabilities: Spear-phishing, network tunneling, credential theft
Malware Used: SingleCamper RAT, RustyClaw, MeltingClaw, DustyHammock, ShadyHammock
Threat Score: High (8.3/10) — Advanced persistence mechanisms, stealthy network operations, and a dual-focus on espionage and ransomware deployment
Last Threat Observation: October 2024


Overview

The SingleCamper RAT is a malware family used by the RomCom group (tracked as UAT-5647) in espionage-focused operations against government and critical infrastructure entities, primarily in Ukraine and Poland. These campaigns have been active since late 2023 and have evolved through a series of loaders and backdoors built to keep long-term access inside targeted networks. RomCom pursues two goals at once: data exfiltration for espionage, with ransomware deployment held in reserve to disrupt operations and generate revenue.

This RAT is deployed at the end of a multi-stage infection chain that combines spear-phishing emails, memory-only execution, and registry-based payload delivery to evade detection. Its stealth and extensive post-compromise tooling make it a serious threat, especially for government agencies and enterprises handling sensitive data.


Key Details

  1. Delivery Method: Spear-phishing emails designed to appear legitimate to targeted users. The email typically contains a malicious attachment or link that initiates the download of RustyClaw or MeltingClaw, which are used as the primary downloaders.
  2. Target: Government entities in Ukraine and Poland, with a strong indication that RomCom is expanding its activities across Europe, focusing on strategic geopolitical data.
  3. Malware Components:
    • RustyClaw: A Rust-based downloader that, once executed, installs the next-stage malware. It is hard to analyse because of checks such as verifying that the victim's keyboard layout matches a targeted language (Polish, Ukrainian or Russian) before it proceeds.
    • MeltingClaw: A C++ downloader that functions similarly to RustyClaw but is used in other phases of the attack. It writes the next-stage payloads into the Windows registry rather than to disk.
    • ShadyHammock and DustyHammock: Backdoors used for post-compromise activities, including reconnaissance and executing commands issued from the command-and-control (C2) server.
    • SingleCamper: The key RAT responsible for data exfiltration and lateral movement once ShadyHammock establishes communication with the C2 server.
  4. Obfuscation: The malware operates almost entirely in memory, executing from the registry rather than disk. By leveraging the Windows registry to store and execute payloads, RomCom’s malware can bypass traditional endpoint security measures, making detection more difficult.
  5. Post-compromise activities: Following initial infection, the malware conducts system discovery, lateral movement, and reconnaissance. Attackers use tools like PuTTY's Plink to establish encrypted network tunnels, enabling them to exfiltrate data undetected and to maintain remote access for prolonged periods.

Attack Vectors

The RomCom group leverages spear-phishing emails that contain malware-laden attachments or malicious links. The malware, once activated, uses downloaders like RustyClaw or MeltingClaw to set up a persistence mechanism. These downloaders deploy additional malware, DustyHammock and ShadyHammock, which facilitate the loading of the SingleCamper RAT directly from the registry.

  • RustyClaw and MeltingClaw downloaders: The spear-phishing attack begins with either of these downloaders, which check the keyboard layout to ensure the malware is targeting the intended country (Polish, Ukrainian, or Russian-speaking users). The downloaders proceed to establish the persistence necessary to launch the final payloads.
  • ShadyHammock and DustyHammock backdoors: These backdoors enable the attackers to execute system commands and gather intelligence. ShadyHammock, in particular, plays a critical role in loading the SingleCamper RAT, which is capable of exfiltrating sensitive data.
  • PuTTY’s Plink tool: After initial compromise, Plink is used to establish secure tunnels between the infected systems and the attackers’ infrastructure. This allows attackers to evade detection while they extract valuable data or further infiltrate the network.

Known Indicators of Compromise (IoCs)

File Hashes:

DustyHammock:

  • 951b89f25f7d8be0619b1dfdcc63939b0792b63fa34ebfa9010f0055d009a2d3

PuTTY Plink:

  • 2e338a447b4ceaa00b99d742194d174243ca82830a03149028f9713d71fe9aab

MeltingClaw:

  • 45adf6f32f9b3c398ee27f02427a55bb3df74687e378edcb7e23caf6a6f7bf2a
  • b9677c50b20a1ed951962edcb593cce5f1ed9c742bc7bff827a6fc420202b045

ShadyHammock:

  • ce8b46370fd72d7684ad6ade16f868ac19f03b85e35317025511d6eeee288c64
  • 9f635fa106dbe7181b4162266379703b3fdf53408e5b8faa6aeee08f1965d3a2
  • 1fa96e7f3c26743295a6af7917837c98c1d6ac0da30a804fed820daace6f90b0

SingleCamper:

  • dee849e0170184d3773077a9e7ce63d2b767bb19e85441d9c55ee44d6f129df9
  • 2474a6c6b3df3f1ac4eadcb8b2c70db289c066ec4b284ac632354e9dbe488e4d

Network IOCs:


Mitigation and Prevention

  1. User Awareness and Training: Conduct regular phishing simulation training so users learn to recognise spear-phishing attempts. Because the emails used in these campaigns are convincing, users must be wary of opening unexpected attachments or following unsolicited links.
  2. Email Filtering and Security: Implement robust email filtering to block spear-phishing attempts. Security tools that can filter malicious attachments and links in incoming emails should be deployed.
  3. Endpoint Security: Deploy advanced endpoint detection and response (EDR) solutions that can monitor for memory-resident malware and detect unusual registry activity, which is commonly used by RomCom’s malware for persistence.
  4. Network Segmentation: Ensure that critical infrastructure and sensitive data are segmented from other parts of the network. This can limit the lateral movement of attackers who breach the network perimeter.
  5. Log Monitoring and Analysis: Enable log analysis and monitoring solutions to detect unusual patterns, such as tunneling attempts or lateral movement. Tools like PuTTY’s Plink, often used in these campaigns, should trigger alerts if detected.
  6. Patch Management: Regularly patch software vulnerabilities, especially in edge devices, as RomCom targets weak points in network infrastructure. Keeping systems up to date reduces the attack surface for exploits.
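One way to turn items 3 and 5 above (registry-stored payloads and Plink tunnels, as described under Key Details and Attack Vectors) into concrete detection rules. This is an added example, not code from the advisory or from any vendor; it runs over constructed Sysmon-style JSON events, and the Sysmon field names and the "Binary Data" rendering of REG_BINARY values are assumptions of this example.

```python
import json
import re

# Constructed Sysmon-style events as JSON lines. These are not telemetry from the
# campaign described above; the field names follow Sysmon's schema (an assumption
# of this example). EventID 1 = process creation, EventID 13 = registry value set.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\plink.exe", "CommandLine": "plink.exe -ssh -R 3389:127.0.0.1:3389 -pw x u@203.0.113.10"}
{"EventID": 1, "Image": "C:\\Program Files\\PuTTY\\plink.exe", "CommandLine": "plink.exe -batch admin@bastion.example uptime"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\rundll32.exe", "TargetObject": "HKLM\\SOFTWARE\\Example\\Cache\\Blob", "Details": "Binary Data"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Foo\\Start", "Details": "DWORD (0x00000002)"}
"""

PLINK_IMAGE = re.compile(r"(?:^|\\)plink\.exe$", re.IGNORECASE)
# Plink's port-forwarding switches are case-sensitive: -R (remote), -L (local), -D (dynamic).
TUNNEL_FLAG = re.compile(r"(?:^|\s)-[RLD]\s")
USER_WRITABLE = re.compile(r"\\(?:Temp|AppData|Downloads|ProgramData|Public)\\", re.IGNORECASE)
# Script/LOLBin hosts that normally have no business storing binary blobs in the registry.
SCRIPT_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return (severity, reason) for a suspicious event, or None."""
    if ev["EventID"] == 1 and PLINK_IMAGE.search(ev["Image"]):
        if TUNNEL_FLAG.search(ev.get("CommandLine", "")):
            return "high", "plink.exe launched with a port-forwarding flag"
        return "medium", "plink.exe execution"  # the advisory says any Plink use should alert
    if ev["EventID"] == 13 and ev.get("Details") == "Binary Data":
        img = ev["Image"]
        if basename(img) in SCRIPT_HOSTS or USER_WRITABLE.search(img):
            return "medium", f"binary registry value written by {basename(img)}"
    return None


def triage(log_text):
    """Parse JSON lines and return [(event, severity, reason)] for every hit."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return [(ev, *hit) for ev in events if (hit := classify(ev))]


if __name__ == "__main__":
    for ev, sev, why in triage(SAMPLE_LOG):
        print(f"[{sev}] {why}: {ev.get('CommandLine') or ev.get('TargetObject')}")
```

The legitimate Plink invocation from Program Files still produces a medium alert by design; tune SCRIPT_HOSTS and USER_WRITABLE to your environment before deploying the registry rule.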

Conclusion

The SingleCamper RAT represents a high-level threat due to its stealth, persistence, and the extensive capabilities it grants the attacker. RomCom’s dual-focus on espionage and ransomware makes this a particularly dangerous adversary, especially for government agencies and critical infrastructure. Organizations should strengthen their phishing defenses, monitor network traffic for tunneling activity, and ensure systems are fully patched to mitigate the risks posed by SingleCamper and the broader RomCom malware family.
