By Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer and Vitor Ventura.
UAT-5647 has long been considered a multi-motivational threat actor performing both ransomware and espionage-oriented attacks. However, UAT-5647 has accelerated their attacks in recent months with a clear focus on establishing long-term access for exfiltrating data of strategic interest to them. Our assessment, in line with recent reporting from CERT-UA and Palo Alto Networks, indicates that the threat actor is aggressively expanding their tooling and infrastructure to support a wide variety of malware components authored in diverse languages and platforms such as GoLang, C++, RUST and LUA.
Talos further assesses that this specific series of attacks, targeting high profile Ukrainian entities, is likely meant to serve UAT-5647's two-pronged strategy in a staged manner - establish long-term access and exfiltrate data for as long as possible to support espionage motives, and then potentially pivot to ransomware deployment to disrupt and likely financially gain from the compromise. Polish entities were likely also targeted, based on the keyboard layout checks performed by the malware.
The infection chain consists of a spear-phishing message delivering one of two downloader variants: "RustyClaw", a RUST-based downloader, or a C++-based variant we track as "MeltingClaw". The downloaders drop and establish persistence for two distinct backdoors we call "DustyHammock" and "ShadyHammock," respectively.
DustyHammock is a more straightforward backdoor meant to be the core malicious component of the infection communicating with its command and control (C2) and performing malicious actions. ShadyHammock is, however, a two-pronged backdoor responsible for loading and activating the SingleCamper implant (RomCom malware variant) on an infected system and optionally listening for incoming commands from another malicious component.
The overall infection chain can be visualized as:
The post-compromise activity by UAT-5647 is standard for a threat actor whose primary motivation is espionage. There is, however, one set of actions that stands out. It is our assessment that at some point the threat actor started targeting edge devices from inside the compromised network. This and other activities are detailed in the following sub-sections.
Once preliminary network reconnaissance was completed, UAT-5647 downloaded PuTTY's Plink tool to establish remote tunnels between accessible endpoints and attacker-controlled servers [T1572]. While this is a common practice, one of the configurations was mapping the internal admin port of an edge device.
Any traffic sent to Port 8088 on the attacker-controlled remote server will be forwarded to Port 80 on (<IP_IN_INFECTED_NETWORK>). This technique effectively exposes the application on Port 80 to the attackers allowing them to:
Based on URLs now reachable by the threat actors via Port 8088, such as "hxxp[://]193[.]42[.]36[.]131:8088/help/LanArpBindingListHelpRpm[.]htm" and "userRpm/VirtualServerRpm.htm", together with Censys data, it is likely that the <IP_IN_INFECTED_NETWORK> IP address is a "TP-LINK Wireless G Router WR340G".
The threat actors were particularly interested in network reconnaissance, evident from the repeated ping sweeps they carried out to find adjoining systems [T1016]:
Once UAT-5647 deemed a specific system on the network interesting, they could take one of two actions:
Based on the results of the ping sweep (ICMP sweep), UAT-5647 created and executed a customized batch (BAT) file named "nv[.]bat". The BAT file is used to run "net view" to obtain a list of shares exposed on specific IPs [T1135]:
UAT-5647 further pinged additional endpoints in the network, this time however using their hostnames and specific IPs [T1016]:
A successful response from the system leads to shared folder reconnaissance [T1135]:
They began to run highly specific port scans on it, likely to find means of obtaining unauthorized access to it:
Later the threat actor expanded their port scans to other IP addresses in the network:
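A hunt for the tunnelling and discovery activity described above (the Plink reverse tunnel publishing an internal admin port, the ping sweeps, and the "net view" share enumeration from a batch file), added here as an example and not taken from the Talos post. It assumes Sysmon process-creation logging (Event ID 1) is enabled on the host; the seven-day window and the sweep threshold of 20 pings within two minutes are assumed values to tune per environment.

```powershell
# Added hunt (not from the Talos post): find Plink reverse tunnels, ping sweeps and
# "net view" share enumeration in Sysmon process-creation events (Event ID 1).
# Assumes Sysmon is installed with process-creation logging enabled.
$since  = (Get-Date).AddDays(-7)                       # assumed look-back window
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since
} -ErrorAction SilentlyContinue

# Flatten each event's <Data Name="..."> elements into a simple object.
$procs = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{ Time = $e.TimeCreated; Host = $e.MachineName; User = $d.User
                       Image = $d.Image; CommandLine = $d.CommandLine; Parent = $d.ParentImage }
}

# 1. Plink (or ssh) reverse tunnel: "-R <listen-port>:<internal-ip>:<port>" publishes an
#    internal host on the remote server, as done here for a router's admin port 80.
#    -cmatch keeps the -R flag case-sensitive.
$tunnels = $procs | Where-Object {
    $_.Image -match '\\(plink|ssh)\.exe$' -and
    $_.CommandLine -cmatch '-R\s+(\S+:)?\d+:(\d{1,3}\.){3}\d{1,3}:\d+' }

# 2. Ping sweep: one parent process on one host spawning many ping.exe children
#    in a short window (threshold is an assumption).
$sweeps = $procs | Where-Object { $_.Image -match '\\ping\.exe$' } |
    Group-Object Host, Parent |
    Where-Object {
        $_.Count -ge 20 -and
        ($t = $_.Group | Sort-Object Time) -and
        (($t[-1].Time - $t[0].Time).TotalMinutes -le 2) }

# 3. Share enumeration: "net view \\<ip>" launched from cmd.exe (e.g. via nv.bat).
$shares = $procs | Where-Object {
    $_.CommandLine -match '\bnet1?(\.exe)?\s+view\s+\\\\' -and
    $_.Parent -match '\\cmd\.exe$' }

$tunnels | Format-Table Time, Host, User, CommandLine -AutoSize
$sweeps  | Select-Object Name, Count | Format-Table -AutoSize
$shares  | Format-Table Time, Host, User, CommandLine -AutoSize
```

Run it on a collector or on individual hosts with read access to the Sysmon channel; each of the three result sets maps to the corresponding ATT&CK technique cited in the text (T1572, T1016, T1135).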
Even though the C2 may have automatically issued a limited set of commands to the last-stage implants, the attackers open a reverse shell (via cmd[.]exe) to conduct further reconnaissance. This activity primarily consists of user and system discovery tasks:
In parallel, we also observed the operators attempting to stage entire drives for exfiltration from the infected system [T1560]:
They also collected specific folders from disk. In this case the threat actor exfiltrates the "Recent" folder, seemingly in an attempt to understand the victim's latest activity on the system.
RustyClaw is a RUST-based malware downloader that targets Polish-, Ukrainian- or Russian-speaking users. The malware checks the keyboard layout against the following language codes before proceeding with its malicious activities:
RustyClaw will then generate a hash of its own file name and compare it with a hardcoded value - an anti-analysis feature that prevents the malware from running in sandboxes that rename submitted samples.
Once the checks have passed, the downloader will optionally download a decoy PDF to display to the infected user and then download the next-stage implant, DustyHammock, to locations on disk such as:
C:\Users\<user>\AppData\Local\KeyStore\keyprov.dll
Then the following registry values are set to the path of the next-stage payload (keyprov[.]dll):
HKCU\SOFTWARE\Classes\CLSID\{2155fee3-2419-4373-b102-6843707eb41f}\InprocServer32
This GUID is the CLSID for "CLSID_LocalIconCache", the ThumbCache entry, which explorer[.]exe loads while rendering thumbnails for file icons.
The downloader will then restart the explorer[.]exe process to load the next-stage payload DLL, DustyHammock, effectively trojanizing the process:
cmd /C timeout 3 && taskkill /f /im explorer.exe && start explorer.exe
DustyHammock is another RUST-based backdoor. It is configured to run preliminary, hardcoded reconnaissance commands on the infected system, gather their outputs, and send the information to its C2. The C2 then begins responding with tasks to perform on the infected system. The preliminary information collected consists of the MAC addresses, Windows version information, and computer\username via the "whoami" and "chcp" commands.
The backdoor has the following capabilities:
InterPlanetary File System (IPFS) is a peer-to-peer network allowing resource hosting in a decentralized manner. InterPlanetary Name System (IPNS), a feature of IPFS, enables mutable referencing of resources hosted on IPFS networks, allowing uploaders to modify the content of the resource without changing its identifier (CID).
Note that although similar in name, DustyHammock and ShadyHammock are in fact distinct implant families. ShadyHammock is coded in C++ and contains additional capabilities to bind itself and listen for incoming requests - a capability missing in DustyHammock. Although ShadyHammock has more features, DustyHammock appears to be its successor and was used as recently as September 2024 by UAT-5647. UAT-5647 likely decided to abandon additional components such as SingleCamper (loaded by ShadyHammock) in favor of a single last-stage implant, DustyHammock.
MeltingClaw is the second malware downloader UAT-5647 has used in this series of attacks. It is similar in behavior to RustyClaw with varying configurations such as file names and locations. The next-stage payload, ShadyHammock, is dropped to a similar location such as:
This DLL is loaded into explorer[.]exe by specifying it in the registry key:
HKEY_USERS\S-1-..-CLASSES\CLSID\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\InprocServer32\
This GUID is the "Sync Registration" COM interface and is loaded into explorer[.]exe as well.
Apart from these capabilities that are common with RustyClaw, MeltingClaw will also download and store additional payloads in the Windows registry:
HKEY_CURRENT_USER\Software\AppDataSoft\Software\
These payloads are then loaded and activated by ShadyHammock via explorer[.]exe as illustrated next. One of the payloads is a new variant of the RomCom backdoor that we track as "SingleCamper". The other payload is currently unknown.
ShadyHammock is a simple and effective backdoor that carries out two primary tasks:
The malware reads the following registry location:
HKEY_CURRENT_USER\Software\AppDataSoft\Software\
There are usually three values in this registry key: two containing encoded copies of next-stage payloads and a third containing configuration-specific data such as the implant's version.
The binary content of these registry values is read and decoded, resulting in a DLL that is traversed to find its export function. The resulting DLLs are loaded into memory to carry out further malicious activities. So far Talos has only discovered one DLL-based payload from the registry, which we track as "SingleCamper". SingleCamper, a new version of the RomCom malware, was also recently disclosed in Palo Alto's report as SnipBot.
The other payload is yet to be discovered (usually in the "trem2" or "state2" registry values). However, ShadyHammock already has the capability to deploy this payload on-demand provided that a specific command code is sent to it via the endpoint's localhost interface.
ShadyHammock also has the ability to bind to a specific port (such as 1342) on localhost (127[.]0[.]0[.]1). Binding to localhost means it cannot receive requests from remote hosts; the listener is a mechanism for communicating with SingleCamper.
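An endpoint audit that checks for the three host artifacts described above, added here as an example rather than taken from the post: the per-user COM InprocServer32 hijacks used by RustyClaw and MeltingClaw, the HKCU\Software\AppDataSoft\Software payload store read by ShadyHammock, and a loopback listener owned by explorer[.]exe (ShadyHammock runs inside explorer and binds a localhost port). It assumes it runs elevated on Windows with the NetTCPIP module available, and only covers user hives currently loaded under HKEY_USERS; the two CLSIDs are the ones quoted in this post.

```powershell
# Added audit (not from the Talos post): look for the InprocServer32 hijacks, the
# registry payload store and the explorer.exe loopback listener described above.
# Run elevated; only user hives that are currently loaded under HKEY_USERS are checked.
$Clsids = @(
    '{2155fee3-2419-4373-b102-6843707eb41f}',  # CLSID_LocalIconCache (RustyClaw -> DustyHammock)
    '{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}'   # "Sync Registration" (MeltingClaw -> ShadyHammock)
)
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$findings = New-Object System.Collections.Generic.List[object]

# HKCU\Software\Classes is the per-user UsrClass.dat hive, mounted as HKU\<SID>_Classes.
# These CLSIDs are normally served from HKLM only, so any per-user override is worth review.
foreach ($hive in Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -like 'S-1-5-21-*_Classes' }) {
    $sid = $hive.PSChildName -replace '_Classes$', ''
    foreach ($clsid in $Clsids) {
        $key = "HKU:\$($hive.PSChildName)\CLSID\$clsid\InprocServer32"
        if (Test-Path $key) {
            $server = (Get-ItemProperty -Path $key).'(default)'   # DLL path, e.g. ...\KeyStore\keyprov.dll
            $findings.Add([pscustomobject]@{ Sid = $sid; Check = 'Per-user COM InprocServer32'
                                             Detail = "$clsid -> $server" })
        }
    }
    # MeltingClaw stores encoded payloads and config as values under this key.
    $store = "HKU:\$sid\Software\AppDataSoft\Software"
    if (Test-Path $store) {
        $names = (Get-Item $store).GetValueNames() -join ', '
        $findings.Add([pscustomobject]@{ Sid = $sid; Check = 'Registry payload store'
                                         Detail = "$store [values: $names]" })
    }
}

# explorer.exe normally owns no listening sockets; ShadyHammock binds one on 127.0.0.1
# (port 1342 in the post, so the port itself is not hardcoded here).
foreach ($l in Get-NetTCPConnection -State Listen -LocalAddress 127.0.0.1 -ErrorAction SilentlyContinue) {
    $p = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    if ($p -and $p.ProcessName -ieq 'explorer') {
        $findings.Add([pscustomobject]@{ Sid = '-'; Check = 'Loopback listener in explorer.exe'
                                         Detail = "127.0.0.1:$($l.LocalPort) (PID $($p.Id))" })
    }
}
$findings | Format-Table -AutoSize
```

Any row returned warrants triage; the InprocServer32 DLL path and the values under the payload store are the artifacts to collect before remediation.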
ShadyHammock listens for specific command phrases and performs a corresponding action for each. These actions consist of:
These commands are in fact issued to ShadyHammock by SingleCamper (RomCom). SingleCamper's C2 server issues a command code to it, from which the malware generates a command phrase such as "delete bot" and sends it to ShadyHammock via the localhost interface.
SingleCamper issuing commands to ShadyHammock via localhost
SingleCamper is the key implant in this infection that carries out all of the malicious post-compromise activities. It is loaded by ShadyHammock after being read and decoded from the Windows registry.
SingleCamper has the following capabilities:
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.