SickSync's SPECTR Malware Campaign on Ukraine's Forces

The Ukrainian institution, the Computer Emergency Response Team of Ukraine (CERT-UA), recently released a high-level alert of a number of cyber attacks against the defense forces in the country. The attacks using the SPECTR malware, which is a type of malware, are carried out with the intent to spy on targets in a complex espionage campaign known as SickSync. These malice acts have been associated with the threat actor termed UAC-0020, commonly called Vermin. It is presumed that this group has connections to the Luhansk People’s Republic Security Forces.

Analyzing the key points of the attack was interesting, especially in relation to the approaches that could have been taken to address the problem.

  • Date of Disclosure: Below is schedule of event.
  • Event : Presidency of the Council of the European Union Country:
  • Poland Date: 07. 06. 2024
  • Threat Actor: UAC-0020 (Vermin)
  • Target: Ukraine Defense Forces
  • Method: Spear-phishing emails with a malicious link or containing an attached RAR self-extracting archive.
  • Payload: a lone PDF file that is a trojan-C, the fake SyncThing application containing the SPECTR malware, and a batch file to execute the payload.

Detailed Attack Chain

Spear-phishing e-mails containing a RAR self-extracting archive file form the initial step in the attack chain. This file contains a PDF file, which is actually an empty file to mislead the target; a hack virus target is the SyncThing application; and the third file is a batch file. Indeed, after starting the executable, the SPECTR malware is initiated.

SPECTR is still an information stealer, which, in the process of its work, captures screenshots with a frequency of 10 seconds, copies files, and retrieves data from removable media devices. It also harvests credentials from Web browsers as well as applications including Element, Signal, Skype, and Telegram. An example is MOPPY syndrome, which abuses the legitimate function of the SyncThing software to upload pilfered documents and data while creating P2P relationships between affected computers.

Historical Context

These attacks are orchestrated by Vermin, whom we have seen in the past attacking Ukrainian government establishments. Their activity was peculiar to a group of SPECTR malware that was used in the phishing attacks on state bodies in March 2022. This group came to light in 2015, with its various campaigns leveraging different subtypes of malware.

Recent Developments

CERT-UA has also outlined other essential cyber threats: One of the threats is that Sodinok Locker Cybercriminals are using the CI/CD pipeline to attack IT environments with the help of social engineering attacks, and the Pirate Panda Infostealer trojan is using the Signal instant messaging app to deliver the DarkCrystal RAT (DCRat). This activity has been attributed to another threat group, namely, UAC-0200.

Also, the Belarusian state-sponsored cyberspies, widely known as GhostWriter (UAC-0057 and UNC1151), have recently employed malicious Microsoft Excel files in malware attacks. As indicated by the terminology used in the written documents, these documents have macro scripts written in Visual Basic for Applications that download LNK and DLL loader files to deliver final payloads, including Agent Tesla, Cobalt Strike beacons, and njRAT.

Impact and Mitigation

These cyberattacks are extremely hazardous to the cybersecurity of the Ukrainian defense forces, as main data might be jeopardized, as well as the forces’ coherence and security. CERT-UA and other cybersecurity agencies are already studying these risks and taking the appropriate measures. Cyber threats themselves have grown smart and complex, which makes the agency call for better cyberspace defense and cooperation between different nations.

Conclusion

The recent SPECTR malware attacks on the Ukrainian defense forces demonstrate yet another type of threat that remains latent and continuously evolves with the malicious intent of targeting nations across the globe. There is a need for constant monitoring, utilizing sophisticated protection tools, and following the trends in the cyber world, as well as the cooperation of countries, in order to prevent and safeguard crucial structures and interests of the states.