Refresh of RomCom malware pops up in Ukrainian, Polish organizations
Researchers have identified a new wave of attacks targeting high-profile Ukrainian government entities and unidentified Polish organizations using an updated version of the RomCom malware.
The objective of these attacks is to establish long-term access to victims' systems and exfiltrate data “of strategic interest.” The hackers may later deploy ransomware on compromised devices to pursue financial gain, according to the latest report by cybersecurity firm Cisco Talos.
RomCom, also tracked as Storm-0978, is known for targeting defense and government entities in Europe and North America. It engages in both ransomware and espionage attacks and is attributed to Russian-speaking threat actors. RomCom takes its name from the custom malware it has been using since at least 2022.
In its latest campaign analyzed by Cisco Talos, the group delivers the updated RomCom malware to victims through phishing emails. The malware allows the attackers to execute commands and download additional tools onto victims' devices.
The new RomCom variant — which the researchers are labeling SingleCamper — sends system information to hacker-controlled servers, allowing them to assess whether the compromised system is worth further exploitation. The malware can also exfiltrate files with specific extensions.
According to research by Palo Alto Networks, the earliest version of this new RomCom variant — which Palo Alto Networks tracks as SnipBot — was submitted from Ukraine to the VirusTotal repository in December 2023. Cisco Talos traced the start of the latest campaign to around the same time.
In a phishing email uncovered by researchers, the threat actor impersonated a legitimate organization and used a PDF document disguised as a resume as bait. According to Palo Alto Networks, RomCom used the new variant against a broad range of victims, including companies in the technology, legal and agriculture sectors.
Last year, hackers linked to RomCom targeted Ukraine and its allies ahead of a NATO Summit in Lithuania. They likely exploited the event’s high profile to infect guests with malicious software.
RomCom has also previously been used against Ukrainian military organizations, IT companies, and politicians collaborating with Western nations, according to BlackBerry. Other victims included a U.S.-based healthcare company providing humanitarian aid to Ukrainian refugees receiving medical assistance in the U.S.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.