HomeCyber BalkansSPECTR Malware Targets Ukraine's Defense Forces

SPECTR Malware Targets Ukraine’s Defense Forces

Published on

spot_img

The recent cyber espionage campaign, known as “SickSync,” has reignited concerns in Ukraine as the Vermin group, specifically the UAC-0020 (Vermin) group, has resurfaced with a targeted attack on the Defense Forces of Ukraine. This malicious activity was detected and investigated by the government’s Computer Emergency Response Team of Ukraine (CERT-UA) in collaboration with the Cyber Security Center of the Armed Forces of Ukraine (CCB).

The Vermin group, which has links to law enforcement agencies in the temporarily occupied Luhansk region, has a history of targeting Ukrainian government institutions with remote access trojans (RATs) such as Quasar, Sobaken, and Vermin itself. This group’s activities are believed to align with the interests of the Luhansk People’s Republic (LPR), a region under Russian occupation.

The latest attack by the Vermin group involved the use of the SPECTR malware, which has been recognized since 2019 for its information-stealing capabilities. The malware is designed to capture screenshots every 10 seconds, extract files, gather data from removable USB drives, and steal credentials from various applications and web browsers including Element, Signal, Skype, and Telegram.

One of the notable tactics employed by the attackers was leveraging the legitimate SyncThing software to download stolen documents, files, passwords, and other sensitive information from compromised systems. SyncThing’s peer-to-peer connection capability made it an effective tool for data exfiltration in this cyber espionage campaign.

The attack was initiated through a spear-phishing email containing a password-protected RARSFX archive named “turrel.fop.vovchok.rar.” Upon opening the file, a PDF named “Wowchok.pdf,” an installer called “sync.exe,” and a BAT script named “run_user.bat” were extracted. The BAT file executed sync.exe, which contained both legitimate SyncThing components and SPECTR malware files, enabling the attackers to compromise the target systems.

The SPECTR malware comprises various modules, each with specific functions including SpecMon, Screengrabber, FileGrabber, Social, and Browsers. These modules work together to steal information such as screenshots, files, authentication data from messengers, and browser-related information, all of which are then copied to specific subfolders for transfer to the attackers’ systems using SyncThing’s synchronization feature.

In response to this cyber threat, CERT-UA has advised organizations to monitor interactions with SyncThing infrastructure as a way to detect potential infections. They have also recommended that cyber security personnel in the Armed Forces contact the Cyber Security Center to deploy appropriate protection technologies and ensure the transmission of network connection logs through the Syslog protocol on edge network devices.

The resurgence of the Vermin group and the utilization of the SPECTR malware underscore the persistent cyber threats faced by Ukraine. The collaboration between CERT-UA and the Cyber Security Center of the Armed Forces of Ukraine is seen as vital in countering these threats and safeguarding the country’s defense forces from cyber espionage activities.

As Ukraine continues to face evolving cyber threats, it is imperative for authorities and organizations to stay vigilant and implement robust cybersecurity measures to protect critical infrastructure and sensitive data from malicious actors seeking to exploit vulnerabilities for their gain.

Source link

Latest articles

When AI Acquires a Physical Form, It Inherits an Attack Surface

Embodied artificial intelligence (AI) constructs a bridge between the digital and physical realms by...

CISA Calls for Immediate Hardening of SharePoint Amid Rising Exploits

Understanding the Impact of Vulnerabilities in Cybersecurity In today’s rapidly evolving digital landscape, the distinction...

Single Prompt Empowers ChatGPT to Perform Complete Cyber-Attack Sequence

In a recent study, cybersecurity researchers from Cato Networks highlighted a significant concern about...

AI Appreciation Day: Security Leaders Suggest a Conditional Celebration

AI Appreciation Day: Reflections from the Security Industry Today marks AI Appreciation Day, an annual...

More like this

When AI Acquires a Physical Form, It Inherits an Attack Surface

Embodied artificial intelligence (AI) constructs a bridge between the digital and physical realms by...

CISA Calls for Immediate Hardening of SharePoint Amid Rising Exploits

Understanding the Impact of Vulnerabilities in Cybersecurity In today’s rapidly evolving digital landscape, the distinction...

Single Prompt Empowers ChatGPT to Perform Complete Cyber-Attack Sequence

In a recent study, cybersecurity researchers from Cato Networks highlighted a significant concern about...