UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants

    Date: 10/21/2024

    Severity: Medium

    Summary

    "UAT-5647" refers to a cyber threat actor targeting entities in Ukraine and Poland using variants of RomCom malware. The malware is designed to facilitate espionage and data theft. The attacks typically involve phishing campaigns and malicious software delivery, with the aim of compromising sensitive information held by government and private sector organizations. The activity underscores the ongoing geopolitical tensions in the region and the importance of cybersecurity measures to protect against such sophisticated threats.

    Indicators of Compromise (IOC) List

    URL/Domain


    IP Address


    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "apisolving.com" or url like "apisolving.com" or userdomainname like "store-images.org" or url like "store-images.org" or userdomainname like "http://creativeadb.com" or url like "http://creativeadb.com" or userdomainname like "devhubs.dev" or url like "devhubs.dev" or userdomainname like "http://apisolving.com" or url like "http://apisolving.com" or userdomainname like "webtimeapi.com" or url like "webtimeapi.com" or userdomainname like "wirelesszone.top" or url like "wirelesszone.top" or userdomainname like "dnsresolver.online" or url like "dnsresolver.online" or userdomainname like "pos-st.top" or url like "pos-st.top" or userdomainname like "adbefnts.dev" or url like "adbefnts.dev" or userdomainname like "copdaemi.top" or url like "copdaemi.top" or userdomainname like "rdcservice.org" or url like "rdcservice.org" or userdomainname like "adcreative.pictures" or url like "adcreative.pictures" or userdomainname like "creativeadb.com" or url like "creativeadb.com" or userdomainname like "http://wirelesszone.top" or url like "http://wirelesszone.top" or userdomainname like "http://adcreative.pictures" or url like "http://adcreative.pictures"

    Detection Query 2

    dstipaddress IN ("91.92.254.218","91.92.248.75","23.137.253.43","213.139.205.23","91.92.242.87","193.42.36.132","192.227.190.127","23.94.207.116","94.156.68.216","193.42.36.131") or ipaddress IN ("91.92.254.218","91.92.248.75","23.137.253.43","213.139.205.23","91.92.242.87","193.42.36.132","192.227.190.127","23.94.207.116","94.156.68.216","193.42.36.131") or publicipaddress IN ("91.92.254.218","91.92.248.75","23.137.253.43","213.139.205.23","91.92.242.87","193.42.36.132","192.227.190.127","23.94.207.116","94.156.68.216","193.42.36.131") or srcipaddress IN ("91.92.254.218","91.92.248.75","23.137.253.43","213.139.205.23","91.92.242.87","193.42.36.132","192.227.190.127","23.94.207.116","94.156.68.216","193.42.36.131")

    Detection Query 3

    sha256hash IN ("9fd5dee828c69e190e46763b818b1a14f147d1469dc577a99b759403a9dadf04","a265ae8fed205efb5bcc2fb59e60f743f45b7ad402cb827bc98dee397069830c","8104fdf9ff6be096b7e5011e362400ee8dd89d829c608be21eb1de959404b4b9","01ebc558aa7028723bebd8301fd110d01cbd66d9a8b04685afd4f04f76e7b80c","7c9775b0f44419207b02e531c357fe02f5856c17dbd88b3f32ec748047014df8","0a02901d364dc9d70b8fcdc8a2ec120b14f3c393186f99e2e4c5317db1edc889","951b89f25f7d8be0619b1dfdcc63939b0792b63fa34ebfa9010f0055d009a2d3","2e338a447b4ceaa00b99d742194d174243ca82830a03149028f9713d71fe9aab","ce8b46370fd72d7684ad6ade16f868ac19f03b85e35317025511d6eeee288c64","9f635fa106dbe7181b4162266379703b3fdf53408e5b8faa6aeee08f1965d3a2","dee849e0170184d3773077a9e7ce63d2b767bb19e85441d9c55ee44d6f129df9","2474a6c6b3df3f1ac4eadcb8b2c70db289c066ec4b284ac632354e9dbe488e4d","9062d0f5f788bec4b487faf5f9b4bb450557e178ba114324ef7056a22b3fbe8b","78eaaf3d831df27a5bc4377536e73606cd84a89ea2da725f5d381536d5d920d8","aa09e9dca4994404a5f654be2a051c46f8799b0e987bcefef2b52412ac402105","88a4b39fb0466ef9af2dcd49139eaff18309b32231a762b57ff9f778cc3d2dd7","f3fe04a7e8da68dc05acb7164b402ffc6675a478972cf624de84b3e2e4945b93","7602e2c1ae27e1b36ee4aed357e505f14496f63db29fb4fcdd0d8a9db067a5c4","1fa96e7f3c26743295a6af7917837c98c1d6ac0da30a804fed820daace6f90b0","b55f70467f13fbad6dde354d8653d1d6180788569496a50b06f2ece1f57a5e91","45adf6f32f9b3c398ee27f02427a55bb3df74687e378edcb7e23caf6a6f7bf2a","ac9e3bf1cc87bc86318b258498572793d9fb082417e3f2ff17050cf6ec1d0bb5","fdbc6648c6f922ffcd2b351791099e893e183680fc86f48bf18815d8ae98a4f7","260a6644ab63f392d090853ccd7c4d927aba3845ced473e13741152cdf274bbd","54ce280ec0f086d89ee338029f12cef8e1297ee740af76dda245a08cb91bab4d","bf5f2bdc3d2acbfb218192710c8d27133bf51c1da1a778244617d3ba9c20e6f7","b1fe8fbbb0b6de0f1dcd4146d674a71c511488a9eb4538689294bd782df040df","12bf973b503296da400fd6f9e3a4c688f14d56ce82ffcfa9edddd7e4b6b93ba9","10e1d453d4f9ca05ff6af3dcd7766a17ca1470ee89ba90feee5d52f8d2b18a4c","585ed48d4c0289ce66db669393889482ec29236dc3d04827604cf778c79fda36","62f59766e62c7bd519621ba74f4d0ad122cca82179d022596b38bd76c7a430c4","B9677c50b20a1ed951962edcb593cce5f1ed9c742bc7bff827a6fc420202b045","43a15c4ee10787997682b79a54ac49a90d26a126f5eeeb8569022850a2b96057","bd25618f382fc032016e8c9bc61f0bc24993a06baf925d987dcec4881108ea2a")
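    The three queries above match domains, IP addresses and SHA-256 hashes against log fields. The following offline matcher is an added example, not Gurucul's code: it applies a subset of the indicators published on this page to constructed sample events, normalising URL scheme and hash case (the published list mixes "creativeadb.com" with "http://creativeadb.com" and contains one upper-case hash) and comparing hosts exactly or by subdomain, so a lookalike such as the constructed "notapisolving.com" does not fire. The event field names mirror the queries; the events themselves are constructed.

```python
from urllib.parse import urlsplit

# Subset of the indicators published on this page (domains, IPs, SHA-256).
IOC_DOMAINS = {"apisolving.com", "creativeadb.com", "wirelesszone.top", "store-images.org"}
IOC_IPS = {"91.92.254.218", "193.42.36.132", "23.94.207.116"}
IOC_SHA256 = {h.lower() for h in (
    "B9677c50b20a1ed951962edcb593cce5f1ed9c742bc7bff827a6fc420202b045",
    "12bf973b503296da400fd6f9e3a4c688f14d56ce82ffcfa9edddd7e4b6b93ba9",
)}

def host_of(value):
    """Reduce a URL or bare host to a lowercase hostname so that
    'http://creativeadb.com' and 'creativeadb.com' collapse to one key."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value          # let urlsplit treat a bare host as netloc
    return urlsplit(value).hostname or ""

def domain_hit(value):
    """True if the host equals an IoC domain or is a subdomain of one."""
    host = host_of(value)
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def match_event(event):
    """Return the indicator types that fire for one event dict (constructed schema)."""
    hits = []
    if any(domain_hit(event.get(f, "")) for f in ("url", "userdomainname")):
        hits.append("domain")
    if any(event.get(f) in IOC_IPS
           for f in ("srcipaddress", "dstipaddress", "publicipaddress", "ipaddress")):
        hits.append("ip")
    if event.get("sha256hash", "").lower() in IOC_SHA256:
        hits.append("sha256")
    return hits

SAMPLE_EVENTS = [  # constructed sample events, not from the report
    {"url": "HTTP://Creativeadb.com/update.bin", "dstipaddress": "10.0.0.5"},
    {"userdomainname": "cdn.store-images.org", "srcipaddress": "193.42.36.132"},
    {"sha256hash": "B9677C50B20A1ED951962EDCB593CCE5F1ED9C742BC7BFF827A6FC420202B045"},
    {"url": "https://notapisolving.com/", "dstipaddress": "10.0.0.6"},
]

def scan(events=SAMPLE_EVENTS):
    """Return (index, hits) for every event that matches at least one indicator."""
    return [(i, match_event(e)) for i, e in enumerate(events) if match_event(e)]

if __name__ == "__main__":
    for idx, hits in scan():
        print(f"event {idx}: {', '.join(hits)}")
```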

    Reference: 

    https://blog.talosintelligence.com/uat-5647-romcom/  


    Tags

    Malware, Phishing, Data Stealer, Government Services and Facilities, Romcom
