The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks targeting defense forces in the country with a malware called SPECTR as part of an espionage campaign dubbed SickSync.
The agency attributed the attacks to a threat actor it tracks under the moniker UAC-0020, which is also called Vermin and is assessed to be associated with security agencies of the Luhansk People’s Republic (LPR). LPR was declared a sovereign state by Russia days prior to its military invasion of Ukraine in February 2022.
Attack chains commence with spear-phishing emails containing a RAR self-extracting archive file containing a decoy PDF file, a trojanized version of the SyncThing application that incorporates the SPECTR payload, and a batch script that activates the infection by launching the executable.
SPECTR serves as an information stealer by grabbing screenshots every 10 seconds, harvesting files, gathering data from removable USB drives, and stealing credentials and from web browsers and applications like Element, Signal, Skype, and Telegram.
“At the same time, to upload stolen documents, files, passwords and other information from the computer, the standard synchronization functionality of the legitimate SyncThing software was used, which, among other things, supports the establishment of a peer-to-peer connection between computers,” CERT-UA said.
SickSync marks the return of the Vermin group after a prolonged absence, which was previously observed orchestrating phishing campaigns aimed at state bodies of Ukraine to deploy the SPECTR malware in March 2022. SPECTR is known to have been used by the actor since 2019.
Vermin is also the name assigned to a .NET remote access trojan that has been used to target various Ukrainian government institutions for nearly eight years. It was first publicly reported by Palo Alto Networks Unit 42 in January 2018, with a subsequent analysis from ESET tracing the attacker activity back to October 2015.
The disclosure comes as CERT-UA warned of social engineering attacks leveraging the Signal instant messaging app as a distribution vector to deliver a remote access trojan called DarkCrystal RAT (aka DCRat). They have been linked to an activity cluster codenamed UAC-0200.
“Once again, we note a trend towards an increase in the intensity of cyberattacks using messengers and legitimate compromised accounts,” the agency said. “At the same time, one way or another, the victim is encouraged to open the file on the computer.”
It also follows the discovery of a malware campaign conducted by Belarusian state-sponsored hackers known as GhostWriter (aka UAC-0057 and UNC1151) that employs booby-trapped Microsoft Excel documents in attacks aimed at the Ukrainian Ministry of Defense.
“Upon execution of the Excel document, which contains an embedded VBA Macro, it drops an LNK and a DLL loader file,” Broadcom-owned Symantec said. “Subsequently, running the LNK file initiates the DLL loader, potentially leading to a suspected final payload including AgentTesla, Cobalt Strike beacons, and njRAT.”