Ukrainian cyber defenders have detected the return of the Vermin hacker group after a two-year hiatus. The group has resurfaced targeting the country’s defense forces with spear-phishing emails carrying SPECTR malware, which functions as a remote access trojan (RAT).
The Computer Emergency Response Team of Ukraine (CERT-UA) collaborated with the Cybersecurity Center of the Armed Forces of Ukraine to uncover and investigate a spear-phishing campaign directed at the Ukrainian Defense Forces. This campaign, orchestrated by the Vermin hacker group, designated as UAC-0020 by CERT-UA, has been named “SickSync” for easier identification and reference.
Ukrainian authorities have linked the Vermin hackers to law enforcement agencies in the occupied Luhansk region. CERT-UA revealed that the group’s server equipment was hosted for an extended period at the technical site of a Luhansk cloud hosting provider named vServerCo.
Palo Alto’s Unit 42 had previously tracked a similar campaign by the Vermin hackers back in 2018, targeting Ukrainians with phishing lures related to the Ukrainian Ministry of Defense.
The latest attack by the Vermin group, using SPECTR malware, marks the group’s first notable activity since March 2022. SPECTR malware, known since at least 2018, was used extensively in the recent campaign aimed at the Ukrainian defense forces.
The attackers abused the synchronization functionality of the legitimate Syncthing software to pull stolen documents, files, passwords, and other sensitive information off compromised computers. Syncthing supports peer-to-peer connections, enabling file syncing between devices on a local network or remote devices over the Internet. The Vermin hackers used this legitimate software for data exfiltration, a tactic similar to Russian hackers using legitimate remote monitoring software to spy on Ukraine and its allies.
The Vermin hackers initiated the attack through a spear-phishing email containing a password-protected archive file named “turrel.fop.vovchok.rar.” This archive contained a RarSFX archive “turrel.fop.ovchok.sfx.rar.scr” with deceptive contents.
The SPECTR malware deployed in the attack comprises various modules such as SpecMon, Screengrabber, FileGrabber, Usb, Social, and Browsers, designed to steal sensitive information from compromised systems and transfer it to the attacker’s computer using Syncthing’s synchronization functionality.
To prevent potential misuse of Syncthing, CERT-UA recommended monitoring interactions with the Syncthing infrastructure, specifically the “*.syncthing.net” domains. Additionally, users are advised to implement robust email security measures, advanced endpoint protection, and network monitoring for unusual peer-to-peer connections, and to conduct regular cybersecurity training so employees can recognize and report phishing attempts.
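The following is an added example of how a defender might operationalize the CERT-UA recommendation above; it is not code from CERT-UA or from the article. It scans constructed DNS query and flow log lines for lookups of any host under syncthing.net (the indicator named in the text) and for connections on Syncthing’s default ports, which are an assumption of this example: TCP/UDP 22000 for the sync protocol and UDP 21027 for local discovery. The log formats, IP addresses and the allowlist of hosts approved to run Syncthing are constructed for illustration.

```python
"""Flag DNS lookups and network flows that point at Syncthing infrastructure.

Added example, not from CERT-UA or the article. Log formats, addresses and the
allowlist below are constructed. The *.syncthing.net indicator comes from the
CERT-UA recommendation; the port numbers are Syncthing's default sync (22000)
and local discovery (21027) ports, assumed unchanged in this example.
"""
from typing import Iterable

# Indicator from the article: the apex and every subdomain, not a literal match.
SYNCTHING_DOMAIN = "syncthing.net"

# Syncthing default ports (assumption: the deployment did not change them).
SYNCTHING_PORTS = {22000, 21027}

# Constructed allowlist: hosts where Syncthing is an approved tool.
APPROVED_SYNC_HOSTS = {"10.0.5.20"}

# Constructed DNS query log: "<timestamp> <client_ip> <qname> <qtype>"
DNS_LOG = """\
2024-06-10T08:01:12Z 10.0.5.20 discovery.syncthing.net A
2024-06-10T08:02:44Z 10.0.7.31 relays.syncthing.net. A
2024-06-10T08:03:01Z 10.0.7.31 Discovery-v4.Syncthing.NET AAAA
2024-06-10T08:03:09Z 10.0.7.31 notsyncthing.net A
2024-06-10T08:04:50Z 10.0.8.12 update.example.org A
"""

# Constructed flow log: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
FLOW_LOG = """\
2024-06-10T08:05:00Z 10.0.7.31 203.0.113.9 22000 tcp
2024-06-10T08:05:03Z 10.0.7.31 192.0.2.77 443 tcp
2024-06-10T08:05:10Z 10.0.5.20 198.51.100.4 22000 tcp
2024-06-10T08:05:12Z 10.0.9.2 10.0.9.255 21027 udp
"""


def is_syncthing_domain(qname: str) -> bool:
    """True for syncthing.net and any subdomain; case-insensitive, tolerates
    a trailing dot, and does not match look-alikes such as notsyncthing.net."""
    name = qname.rstrip(".").lower()
    return name == SYNCTHING_DOMAIN or name.endswith("." + SYNCTHING_DOMAIN)


def flag_dns(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (client_ip, qname) for Syncthing infrastructure lookups made by
    hosts that are not approved to run Syncthing."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or empty lines
        _ts, client, qname, _qtype = parts[:4]
        if is_syncthing_domain(qname) and client not in APPROVED_SYNC_HOSTS:
            hits.append((client, qname.rstrip(".").lower()))
    return hits


def flag_flows(lines: Iterable[str]) -> list[tuple[str, str, int, str]]:
    """Return (src_ip, dst_ip, dst_port, proto) for connections on Syncthing
    default ports from hosts that are not approved to run Syncthing."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, src, dst, port, proto = parts[:5]
        if not port.isdigit():
            continue
        if int(port) in SYNCTHING_PORTS and src not in APPROVED_SYNC_HOSTS:
            hits.append((src, dst, int(port), proto))
    return hits


if __name__ == "__main__":
    for client, qname in flag_dns(DNS_LOG.splitlines()):
        print(f"DNS: unapproved host {client} resolved {qname}")
    for src, dst, port, proto in flag_flows(FLOW_LOG.splitlines()):
        print(f"FLOW: unapproved host {src} -> {dst}:{port}/{proto}")
```

The allowlist is what turns this from noise into a signal: Syncthing is legitimate software, so the alert condition is not “Syncthing was seen” but “Syncthing was seen on a host that has no business running it.” Matching the apex and all subdomains (rather than one literal hostname) covers the discovery and relay servers a client contacts by default, while the suffix check avoids false positives on unrelated domains that merely contain the string.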
In conclusion, the resurgence of Vermin hackers and their use of sophisticated tactics like SPECTR malware highlight the ongoing cybersecurity challenges faced by Ukraine’s defense forces. Collaborative efforts between cybersecurity experts and law enforcement agencies are essential to detect and mitigate such cyber threats effectively.
