
SPECTR Malware Targets Ukraine’s Defense Forces


The recent cyber espionage campaign, known as “SickSync,” has reignited concerns in Ukraine as the UAC-0020 group, also known as Vermin, has resurfaced with a targeted attack on the Defense Forces of Ukraine. The activity was detected and investigated by the government’s Computer Emergency Response Team of Ukraine (CERT-UA) in collaboration with the Cyber Security Center of the Armed Forces of Ukraine (CCB).

The Vermin group, which has links to law enforcement agencies in the temporarily occupied Luhansk region, has a history of targeting Ukrainian government institutions with remote access trojans (RATs) such as Quasar, Sobaken, and Vermin itself. This group’s activities are believed to align with the interests of the Luhansk People’s Republic (LPR), a region under Russian occupation.

The latest attack by the Vermin group involved the use of the SPECTR malware, which has been recognized since 2019 for its information-stealing capabilities. The malware is designed to capture screenshots every 10 seconds, extract files, gather data from removable USB drives, and steal credentials from various applications and web browsers including Element, Signal, Skype, and Telegram.

One of the notable tactics employed by the attackers was leveraging the legitimate SyncThing software to download stolen documents, files, passwords, and other sensitive information from compromised systems. SyncThing’s peer-to-peer connection capability made it an effective tool for data exfiltration in this cyber espionage campaign.

The attack was initiated through a spear-phishing email containing a password-protected RAR SFX (self-extracting) archive named “turrel.fop.vovchok.rar.” Opening the file extracted a PDF named “Wowchok.pdf,” an installer called “sync.exe,” and a BAT script named “run_user.bat.” The BAT file executed sync.exe, which bundled legitimate SyncThing components together with the SPECTR malware files, giving the attackers a foothold on the target systems.

The SPECTR malware comprises various modules, each with specific functions including SpecMon, Screengrabber, FileGrabber, Social, and Browsers. These modules work together to steal information such as screenshots, files, authentication data from messengers, and browser-related information, all of which are then copied to specific subfolders for transfer to the attackers’ systems using SyncThing’s synchronization feature.

In response to this threat, CERT-UA has advised organizations to monitor interactions with SyncThing infrastructure as a way to detect potential infections. It has also recommended that cyber security personnel in the Armed Forces contact the Cyber Security Center to deploy appropriate protection technologies and ensure that network connection logs from edge network devices are forwarded via the Syslog protocol.
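The detection CERT-UA recommends, as an added example that is not part of the advisory or the original article: a small Python script that scans forwarded edge-device connection logs and flags internal hosts talking to SyncThing infrastructure. The log format, the sample lines and the source addresses are constructed; the domain and port indicators are assumptions taken from Syncthing’s documented defaults, not from the page.

```python
import re
from collections import defaultdict

# Assumed indicators (not from the CERT-UA advisory): Syncthing's documented default
# ports and its public infrastructure domain. Verify against your own environment.
SYNCTHING_DOMAINS = ("syncthing.net",)                 # discovery.*, relays.*
SYNCTHING_PORTS = {22000: "sync protocol", 21027: "local discovery", 22067: "relay"}

# Constructed syslog-style connection records in a simple key=value form;
# real edge devices differ, so adapt LINE_RE to your export format.
SAMPLE_LOGS = """\
Jun 10 09:14:02 edge-fw conn: src=10.20.5.17 dst=198.51.100.23 dport=443 proto=tcp host=discovery.syncthing.net
Jun 10 09:14:05 edge-fw conn: src=10.20.5.17 dst=203.0.113.44 dport=22000 proto=tcp host=-
Jun 10 09:14:09 edge-fw conn: src=10.20.5.17 dst=203.0.113.44 dport=22000 proto=udp host=-
Jun 10 09:15:00 edge-fw conn: src=10.20.5.31 dst=93.184.216.34 dport=443 proto=tcp host=example.com
Jun 10 09:16:12 edge-fw conn: src=10.20.5.17 dst=192.0.2.9 dport=22067 proto=tcp host=relays.syncthing.net
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ conn: src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) host=(?P<host>\S+)$"
)

def classify(line):
    """Return a human-readable reason if the record looks like Syncthing traffic, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, dport = m["host"], int(m["dport"])
    # Exact domain or subdomain only, so 'notsyncthing.net' does not match.
    if any(host == d or host.endswith("." + d) for d in SYNCTHING_DOMAINS):
        return f"{host} (Syncthing infrastructure)"
    if dport in SYNCTHING_PORTS:
        return f"port {dport} ({SYNCTHING_PORTS[dport]})"
    return None

def find_syncthing_hosts(log_text):
    """Map each internal source address to the Syncthing indicators it triggered."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            hits[LINE_RE.match(line)["src"]].append(reason)
    return dict(hits)

if __name__ == "__main__":
    for src, reasons in find_syncthing_hosts(SAMPLE_LOGS).items():
        print(f"{src}: {len(reasons)} indicator(s) -> {', '.join(reasons)}")
```

Legitimate SyncThing use triggers the same indicators, so treat a hit as a lead for host review rather than a confirmed infection.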

The resurgence of the Vermin group and the utilization of the SPECTR malware underscore the persistent cyber threats faced by Ukraine. The collaboration between CERT-UA and the Cyber Security Center of the Armed Forces of Ukraine is seen as vital in countering these threats and safeguarding the country’s defense forces from cyber espionage activities.

As Ukraine continues to face evolving cyber threats, it is imperative for authorities and organizations to stay vigilant and implement robust cybersecurity measures to protect critical infrastructure and sensitive data from malicious actors seeking to exploit vulnerabilities for their gain.
