UAC-0020 used SPECTR Malware to target Ukraine defense forces

Pierluigi Paganini
June 07, 2024

Ukraine's CERT-UA warned of cyber attacks targeting the country's defense forces with SPECTR malware as part of a cyber espionage campaign tracked as SickSync.

Ukraine's Computer Emergency Response Team (CERT-UA) issued a warning about a cyber espionage operation targeting the defense forces of Ukraine. The attack is attributed to the threat actor UAC-0020, which used the SPECTR malware as part of the SickSync campaign.

The threat actor UAC-0020, also known as Vermin, operates under the control of the law enforcement bodies of the temporarily occupied Luhansk region.

The SPECTR malware has been active since at least 2019 and allows its operators to steal sensitive data and files from the infected system. It abuses the standard synchronization functionality of the legitimate SyncThing software to move that data off the host.

The attackers sent spear-phishing messages carrying an attachment presented as a password-protected archive named "turrel.fop.vovchok.rar".

That archive contains a RARSFX self-extracting archive ("turrel.fop.ovchok.sfx.rar.scr") holding the decoy file "Wowchok.pdf", the "sync.exe" installer built with InnoSetup, and the BAT file "run_user.bat" used for the initial launch.

CERT-UA notes that the "sync.exe" file bundles legitimate SyncThing components with the SPECTR malware files, plus auxiliary libraries and scripts. The attackers modified the standard SyncThing files to change directory names and scheduled task names, to disable the display of messages to the user, and to make similar adjustments that keep the tool quiet on the victim host.

The SPECTR information stealer takes screenshots every 10 seconds, collects files, harvests data from removable USB drives, and steals credentials from web browsers and from applications such as Element, Signal, Skype, and Telegram.

"It should be noted that the stolen information is copied into subfolders of the directory %APPDATA%\sync\Slave_Sync; afterwards, using the standard synchronization functionality of the legitimate SyncThing software, the contents of these directories are transferred to the attacker's device, which accomplishes the data exfiltration," reads the report published by CERT-UA. The report also includes indicators of compromise.
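To turn the tradecraft described above into something a SOC can hunt for, here is an added example (not from the CERT-UA report or this article) of detection logic in Python run over constructed endpoint telemetry. It flags the double-extension SFX lure, SyncThing binaries launched from %APPDATA%\sync via run_user.bat, and the ~10 s screenshot cadence into a Slave_Sync folder; the event format, user name and screenshot file names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample endpoint telemetry (not from the CERT-UA report); "t" is seconds.
EVENTS = [
    {"t": 0, "type": "file_create", "path": r"C:\Users\u1\Downloads\turrel.fop.ovchok.sfx.rar.scr"},
    {"t": 5, "type": "process_create", "image": r"C:\Users\u1\AppData\Roaming\sync\sync.exe",
     "parent_cmdline": r"cmd.exe /c run_user.bat"},
    {"t": 20, "type": "file_create", "path": r"C:\Users\u1\AppData\Roaming\sync\Slave_Sync\scr\001.png"},
    {"t": 30, "type": "file_create", "path": r"C:\Users\u1\AppData\Roaming\sync\Slave_Sync\scr\002.png"},
    {"t": 40, "type": "file_create", "path": r"C:\Users\u1\AppData\Roaming\sync\Slave_Sync\scr\003.png"},
    {"t": 50, "type": "file_create", "path": r"C:\Users\u1\AppData\Roaming\sync\Slave_Sync\scr\004.png"},
    # A normally installed SyncThing started by the user: must not raise an alert.
    {"t": 60, "type": "process_create", "image": r"C:\Program Files\Syncthing\syncthing.exe",
     "parent_cmdline": "explorer.exe"},
]

# Archive/document name followed by an executable extension (the ".sfx.rar.scr" lure).
DOUBLE_EXT = re.compile(r"\.(rar|zip|pdf|docx?)\.(scr|exe|pif)$", re.I)
# SyncThing components dropped under %APPDATA%\sync instead of a normal install path.
APPDATA_SYNC = re.compile(r"\\AppData\\Roaming\\sync\\", re.I)
# Image files written into the Slave_Sync staging folder the report describes.
SLAVE_SYNC = re.compile(r"\\Slave_Sync\\.*\.(png|jpe?g|bmp)$", re.I)


def detect(events, shot_interval=10, min_shots=3):
    """Return a list of (rule, detail) alerts for the SickSync tradecraft."""
    alerts = []
    shots = defaultdict(list)  # per-user timestamps of screenshots staged in Slave_Sync
    for e in events:
        if e["type"] == "file_create":
            if DOUBLE_EXT.search(e["path"]):
                alerts.append(("double_extension_lure", e["path"]))
            if SLAVE_SYNC.search(e["path"]):
                shots[e["path"].split("\\")[2]].append(e["t"])  # C:\Users\<user>\...
        elif e["type"] == "process_create":
            base = e["image"].rsplit("\\", 1)[-1].lower()
            if base in ("sync.exe", "syncthing.exe") and APPDATA_SYNC.search(e["image"]):
                alerts.append(("syncthing_from_appdata", e["image"]))
            if "run_user.bat" in e.get("parent_cmdline", "").lower():
                alerts.append(("run_user_bat_launch", e["image"]))
    for user, ts in shots.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # Periodic writes at the documented ~10 s cadence (2 s tolerance) into Slave_Sync.
        if len(ts) >= min_shots and all(abs(g - shot_interval) <= 2 for g in gaps):
            alerts.append(("slave_sync_screenshot_cadence", f"{user}: {len(ts)} screenshots"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```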

Pierluigi Paganini
