Ukraine’s Computer Emergency Response Team (CERT-UA) has warned of cyberattacks aimed at the country's defense forces that use a malware strain named SPECTR, as part of an espionage campaign dubbed SickSync.
The agency attributed the attacks to a threat actor tracked as UAC-0020, also known as Vermin, which has ties to the security agencies of the Luhansk People’s Republic (LPR). Russia recognized the LPR as a sovereign state before its military invasion of Ukraine in February 2022.
The attack chains begin with targeted phishing emails carrying a RAR archive that contains a decoy PDF, a trojanized version of the SyncThing tool bundled with the SPECTR payload, and a script that runs the malware by launching the program.
SPECTR acts as an information stealer: it captures screenshots every 10 seconds, harvests files, collects data from removable USB drives, and steals login credentials from web browsers and from applications such as Element, Signal, Skype, and Telegram.
“Moreover, to transmit stolen documents, files, passwords, and other details from the device, the legitimate SyncThing software’s common syncing feature was exploited, enabling peer-to-peer connections between devices,” CERT-UA said.
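The abuse described above, a legitimate sync client launched by a script from an extracted archive and then exfiltrating over its own peer-to-peer channel, is something a defender can hunt for in endpoint telemetry. The following is an added example (not from CERT-UA's report) that flags that pattern in constructed, Sysmon-style process and network events; the event layout, the sample hostnames and paths, and the list of hosts approved to run Syncthing are assumptions made for the example, while port 22000/TCP, 21027/UDP and the `-no-browser`/`-home` flags are Syncthing's real defaults.

```python
import re

# Syncthing's default TCP sync port and UDP local-discovery port.
SYNCTHING_PORTS = {22000, 21027}
# Assumption for this example: hosts where running Syncthing is sanctioned.
APPROVED_HOSTS = {"fileserver01"}
# Syncthing command-line flags that identify the binary even when it was renamed.
SYNCTHING_FLAGS = re.compile(r"(?:^|\s)--?(?:no-browser|home)\b")
# User-writable locations where an archive attached to a phishing email typically lands.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:Downloads|AppData|Desktop)\\|\\Temp\\", re.I)
# Script interpreters that should not normally be the parent of a sync client.
SCRIPT_HOSTS = ("cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe")

# Constructed sample telemetry (not real data). ws-17 models the SickSync pattern.
SAMPLE_EVENTS = [
    {"host": "ws-17", "type": "process", "image": r"C:\Users\olena\Downloads\Report\sync.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "sync.exe -no-browser -home=."},
    {"host": "ws-17", "type": "network", "image": r"C:\Users\olena\Downloads\Report\sync.exe",
     "dst_port": 22000, "protocol": "tcp"},
    {"host": "fileserver01", "type": "process", "image": r"C:\Program Files\Syncthing\syncthing.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "syncthing.exe -no-browser"},
    {"host": "ws-22", "type": "network", "image": r"C:\Windows\explorer.exe",
     "dst_port": 443, "protocol": "tcp"},
]


def analyse(events):
    """Return (host, reason) findings for Syncthing use that matches the abuse pattern."""
    findings = []
    for e in events:
        unapproved = e["host"] not in APPROVED_HOSTS
        if e["type"] == "process" and SYNCTHING_FLAGS.search(e["cmdline"]):
            if USER_WRITABLE.search(e["image"]):
                findings.append((e["host"], "syncthing run from user-writable path"))
            if e["parent"].lower().endswith(SCRIPT_HOSTS):
                findings.append((e["host"], "syncthing launched by script interpreter"))
            if unapproved:
                findings.append((e["host"], "syncthing on unapproved host"))
        elif e["type"] == "network" and e["dst_port"] in SYNCTHING_PORTS and unapproved:
            findings.append((e["host"], f"connection to syncthing port {e['dst_port']}"))
    return findings


if __name__ == "__main__":
    for host, reason in analyse(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

The sanctioned server produces no findings; the workstation is flagged four times, once per indicator, so a triage rule could require two or more reasons on the same host before paging.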
SickSync marks the return of the Vermin group after a prolonged absence; it was last observed in March 2022 launching phishing campaigns against Ukrainian government bodies to deliver SPECTR. The actor has used SPECTR since 2019.
Vermin is also linked to a .NET remote access trojan that has targeted various Ukrainian government entities for almost eight years. It was first documented by Palo Alto Networks Unit 42 in January 2018, followed by an ESET analysis that traced the attacker's activity back to October 2015.
The development comes as CERT-UA also warned of social engineering attacks that use the Signal messaging app to distribute the DarkCrystal RAT (also known as DCRat), attributed to an activity cluster tracked as UAC-0200.
“Once again, there is a rise in cyberattacks leveraging messaging platforms and compromised legitimate accounts,” the organization noted. “The victim is indirectly coerced to open the file on their device.”
In addition, a malware campaign by the Belarusian state-backed group GhostWriter (also tracked as UAC-0057 and UNC1151) has been uncovered that uses malicious Microsoft Excel documents in attacks against the Ukrainian Ministry of Defense.
“Upon launching the Excel document, which embeds a VBA macro, it deploys an LNK file and a DLL loader,” Symantec, owned by Broadcom, noted. “Subsequently, running the LNK file triggers the DLL loader, possibly leading to a final payload containing AgentTesla, Cobalt Strike beacons, and njRAT.”