SPECTR Malware Targets Ukraine Defense Forces in SickSync Campaign
Introduction
The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about cyber attacks targeting the country's defense forces through a malware campaign known as SickSync. The attacks involve a malware strain named SPECTR and are attributed to a threat actor tracked as UAC-0020, also known as Vermin, believed to be associated with security agencies of the Luhansk People's Republic (LPR).
Attack Methodology
The attack chain begins with spear-phishing emails carrying a RAR self-extracting (SFX) archive. The archive holds a decoy PDF and a trojanized build of the SyncThing file-synchronization application that embeds the SPECTR payload. When the victim runs the archive, a batch script launches the malware and its data-theft routines begin.
Malware Functionality
SPECTR is an information stealer. It captures a screenshot every 10 seconds, collects files from the host, copies data from removable USB drives, and harvests credentials from a range of applications and web browsers, including the Element, Signal, Skype, and Telegram messaging clients. To get the stolen data off the host, the malware abuses the bundled SyncThing software's legitimate peer-to-peer synchronization feature, so the upload traffic looks like ordinary file syncing rather than a custom command-and-control channel.
Threat Actor Background
The SickSync campaign marks the resurgence of the Vermin group, previously observed orchestrating phishing attacks against state bodies of Ukraine in March 2022. SPECTR has been in use by the threat actor since 2019 and is known for targeting Ukrainian government institutions.
Recent Developments
CERT-UA also highlighted social engineering attacks exploiting the Signal instant messaging app to distribute the DarkCrystal RAT (aka DCRat) remote access trojan, linked to an activity cluster identified as UAC-0200. These attacks underscore a growing trend of cybercriminals utilizing messaging platforms as vectors for malware distribution.
Furthermore, Belarusian state-sponsored hackers, known as GhostWriter, have been implicated in a malware campaign targeting the Ukrainian Ministry of Defense. The campaign involves booby-trapped Microsoft Excel documents that drop a DLL loader file upon execution, potentially leading to the deployment of malicious payloads like Agent Tesla, Cobalt Strike beacons, and njRAT.
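As an added, defender-side example (not code from CERT-UA, Foresiet, or this post), the script below turns the two delivery chains described above into simple detection heuristics run over constructed Sysmon-style telemetry: the SickSync chain, where a batch script launches a SyncThing binary from a user-writable directory, and the GhostWriter chain, where Excel itself writes a DLL into a user profile. The event schema, file paths, and rule logic are assumptions made for illustration; a real deployment would map them onto the organization's actual process-creation and file-write logs and tune the path list to its environment.

```python
# Added example: heuristic detections for the two delivery chains described in
# this post. All telemetry below is constructed for illustration; it is not
# CERT-UA or Foresiet data, and the path and command-line patterns are
# assumptions about how such activity surfaces in Sysmon-style logs.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Event:
    kind: str            # "process" (child launched) or "file" (file written)
    host: str
    parent_image: str    # process: parent exe; file: unused
    parent_cmdline: str  # process: parent command line; file: unused
    image: str           # process: child exe; file: the exe that wrote the file
    target: str = ""     # file: path written


# Directories an ordinary user can write to. A binary running from here is far
# less trustworthy than one under Program Files (assumed list, tune per site).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(h in p for h in USER_WRITABLE_HINTS)


def flag_sicksync_chain(ev: Event) -> Optional[str]:
    """SickSync chain: a batch script (cmd.exe running a .bat) starts a
    SyncThing binary that lives in a user-writable directory."""
    if ev.kind != "process":
        return None
    parent = ev.parent_image.lower()
    cmd = ev.parent_cmdline.lower()
    child = ev.image.lower()
    if (parent.endswith("\\cmd.exe") and ".bat" in cmd
            and child.endswith("syncthing.exe") and in_user_writable(child)):
        return "batch script launched SyncThing from a user-writable path (SickSync-style)"
    return None


def flag_office_dll_drop(ev: Event) -> Optional[str]:
    """GhostWriter chain: Excel itself writes a .dll into a user-writable path."""
    if ev.kind != "file":
        return None
    if (ev.image.lower().endswith("\\excel.exe")
            and ev.target.lower().endswith(".dll") and in_user_writable(ev.target)):
        return "Excel wrote a DLL to a user-writable path (loader drop)"
    return None


RULES: Tuple[Callable[[Event], Optional[str]], ...] = (flag_sicksync_chain, flag_office_dll_drop)


def scan(events: List[Event]) -> List[Tuple[str, str]]:
    """Run every rule over every event and return (host, finding) pairs."""
    findings = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append((ev.host, msg))
    return findings


# Constructed sample telemetry: two malicious events and two benign look-alikes.
SAMPLE_EVENTS = [
    Event("process", "WS-01",
          r"C:\Windows\System32\cmd.exe",
          r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\RarSFX0\run.bat"',
          r"C:\Users\alice\AppData\Local\Temp\RarSFX0\syncthing.exe"),
    Event("process", "WS-02",                      # legitimate install, launched by the shell
          r"C:\Windows\explorer.exe", "explorer.exe",
          r"C:\Program Files\Syncthing\syncthing.exe"),
    Event("file", "WS-03", "", "",
          r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          r"C:\Users\bob\AppData\Roaming\ldr.dll"),
    Event("file", "WS-03", "", "",                 # ordinary spreadsheet save
          r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          r"C:\Users\bob\Documents\budget.xlsx"),
]

if __name__ == "__main__":
    for host, msg in scan(SAMPLE_EVENTS):
        print(f"{host}: {msg}")
```

Run stand-alone, the script reports one finding for WS-01 and one for WS-03 and stays silent on the two benign events. The rules deliberately key on context (who launched the binary, and from where) rather than on file hashes, because a trojanized copy of a legitimate tool such as SyncThing will not match any signature, and a fresh sample from the same actor will carry a new hash anyway.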
Importance of Robust Security Measures
Implementing robust security measures is essential to mitigate such risks. Relevant controls include stolen-credential detection, darknet monitoring, dark web surveillance, compromised-data tracking, digital footprint analysis, brand protection and brand impersonation defense, online risk evaluation, and digital threat scoring. Together these help identify and address exposures before they are exploited, protecting sensitive information.
Conclusion
The emergence of the SickSync campaign and associated malware underscores the persistent threat posed by cyber attacks targeting critical infrastructure and government institutions. Organizations must remain vigilant and implement robust security measures to defend against evolving threats. Stay informed with reliable cybersecurity sources to protect against such malicious activities.
About Foresiet!
Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
Protect your brand, reputation, data, and systems with Foresiet's Integrated Digital Risk Platform. 24/7/365 threat monitoring for total peace of mind.
Nov. 21, 2024, 5:23 p.m.
Nov. 20, 2024, 6:23 p.m.