SPECTR malware targets Ukrainian defense forces in SickSync campaign


The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning regarding cyber attacks targeting the nation’s defense forces. These attacks involve a malware named SPECTR and are part of an espionage campaign referred to as SickSync.

CERT-UA has attributed these attacks to a threat actor it identifies as UAC-0020, also known as Vermin, which is believed to be associated with the security agencies of the Luhansk People’s Republic (LPR). The LPR was declared a sovereign state by Russia shortly before its military invasion of Ukraine in February 2022.

The attack sequences begin with spear-phishing emails that contain a RAR self-extracting archive file. This file includes a decoy PDF document, a trojanized version of the SyncThing application incorporating the SPECTR payload, and a batch script that triggers the infection by launching the executable.

SPECTR functions as an information stealer, capturing screenshots every 10 seconds, harvesting files, collecting data from removable USB drives, and extracting credentials from web browsers and applications such as Element, Signal, Skype, and Telegram.

“At the same time, the standard synchronization functionality of the legitimate SyncThing software was utilized to upload stolen documents, files, passwords, and other information from the compromised computer. This functionality includes the capability to establish a peer-to-peer connection between computers,” CERT-UA stated.
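The infection chain described above (RAR self-extracting archive, batch script, trojanized SyncThing launched from a user-writable path) lends itself to a process-lineage detection. The following is an added illustration, not code from CERT-UA or from the article: it runs a heuristic over constructed Sysmon-style process-creation events and flags a SyncThing binary started from a user-writable directory by a batch script whose own parent is an executable in a download or temp folder. The event fields, paths and the `RarSFX0` temp directory name are assumptions for the sample, not indicators taken from the report.

```python
"""Heuristic for the SickSync-style launch chain: dropper -> cmd.exe /c x.bat -> syncthing.exe.
All events below are constructed samples, not real telemetry."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started process
    cmdline: str    # command line as recorded by the sensor


# Constructed sample: one malicious chain plus one benign SyncThing install.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\u\Downloads\report.exe", "report.exe"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\RarSFX0\run.bat"'),
    ProcEvent(400, 300, r"C:\Users\u\AppData\Local\Temp\RarSFX0\syncthing.exe", "syncthing.exe"),
    # Benign: SyncThing installed under Program Files, started by the user from Explorer.
    ProcEvent(500, 100, r"C:\Program Files\Syncthing\syncthing.exe", "syncthing.exe"),
]

# Paths a standard user can write to: Downloads, AppData, or any Temp directory.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData)|Temp)\\", re.I)


def _ancestors(ev, by_pid, depth=3):
    """Return up to `depth` parent events, nearest first."""
    chain = []
    cur = ev
    while len(chain) < depth and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def find_suspicious_sync_launches(events):
    """PIDs of syncthing.exe started from a user-writable path, via cmd.exe running a
    .bat, where an ancestor executable itself lives in a user-writable path (the dropper)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if not (ev.image.lower().endswith("syncthing.exe") and USER_WRITABLE.search(ev.image)):
            continue
        parents = _ancestors(ev, by_pid)
        ran_bat = any(p.image.lower().endswith("cmd.exe") and ".bat" in p.cmdline.lower()
                      for p in parents)
        from_dropper = any(USER_WRITABLE.search(p.image) for p in parents
                           if not p.image.lower().endswith("cmd.exe"))
        if ran_bat and from_dropper:
            hits.append(ev.pid)
    return hits
```

The benign install in `Program Files` is not flagged, which is the point of combining path and lineage rather than alerting on the process name alone.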

SickSync signifies the resurgence of the Vermin group after a prolonged absence. This group was previously observed orchestrating phishing campaigns aimed at Ukrainian state bodies to deploy the SPECTR malware in March 2022. The actor has been known to use SPECTR since 2019.

The name Vermin also refers to a .NET remote access trojan that has targeted various Ukrainian government institutions for nearly eight years. It was first publicly reported by Palo Alto Networks Unit 42 in January 2018, with subsequent analysis by ESET tracing the attacker’s activities back to October 2015.

This disclosure coincides with CERT-UA’s warning of social engineering attacks leveraging the Signal instant messaging app as a distribution vector to deliver a remote access trojan called DarkCrystal RAT (also known as DCRat). These attacks have been linked to an activity cluster codenamed UAC-0200.

“Once again, we observe a trend towards an increase in the intensity of cyberattacks using messengers and legitimate compromised accounts,” the agency noted. “In these cases, the victim is often encouraged to open the file on their computer.”

This development follows the discovery of a malware campaign conducted by Belarusian state-sponsored hackers known as GhostWriter (also referred to as UAC-0057 and UNC1151). This campaign employs booby-trapped Microsoft Excel documents in attacks targeting the Ukrainian Ministry of Defense.

“Upon execution of the Excel document, which contains an embedded VBA Macro, it drops an LNK and a DLL loader file,” stated Symantec, a Broadcom-owned company. “Subsequently, running the LNK file initiates the DLL loader, potentially leading to a suspected final payload that includes AgentTesla, Cobalt Strike beacons, and njRAT.”


Source: TheHackerNews
