SPECTR Malware Aims at Ukrainian Defense Forces in SickSync Operation

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a critical alert regarding a resurgence of cyber attacks specifically targeting the country’s defense forces. These attacks employ a malware known as SPECTR as part of a broader espionage campaign identified as SickSync. The agency has linked these malicious activities to a threat actor designated UAC-0020, also referred to as Vermin, which is believed to have connections with the security apparatus of the Luhansk People’s Republic (LPR). Notably, the LPR was recognized as a sovereign entity by Russia shortly before its military incursion into Ukraine in February 2022.

The attack chain begins with spear-phishing emails carrying a RAR self-extracting archive. The archive contains a decoy PDF file together with a trojanized copy of the SyncThing application that embeds the SPECTR payload; a bundled batch script launches the application and thereby activates the malware.

Once deployed, SPECTR functions as an information stealer: it captures screenshots every ten seconds, harvests files, reads data from attached USB drives, and collects credentials from web browsers and applications, including widely used platforms such as Element, Signal, Skype, and Telegram. To transmit the stolen data back to the attackers, the malware abuses SyncThing's legitimate peer-to-peer synchronization, so the exfiltration looks like ordinary sync traffic between the compromised host and an attacker-controlled peer.
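A defender-side heuristic for the chain described above, written for this article and not part of CERT-UA's advisory or any vendor tooling: it scans process-creation records (constructed here in an EDR/Sysmon-like shape) for a SyncThing binary launched by a batch script from outside its normal install directory. The trusted directories, field names and sample events are assumptions for the example.

```python
"""Flag SyncThing launched by a batch script from an untrusted location.

The events below are constructed for this example; they are not real SPECTR
telemetry. Field names follow a generic EDR/Sysmon-style process event.
"""
from pathlib import PureWindowsPath

# Where a legitimately installed SyncThing would normally live on the hosts
# being monitored (assumption; baseline this against your own environment).
TRUSTED_DIRS = (
    r"c:\program files\syncthing",
    r"c:\program files (x86)\syncthing",
)
SYNC_BINARIES = {"syncthing.exe"}


def is_trusted_path(image: str) -> bool:
    """True if the executable sits directly in one of the baselined directories."""
    return str(PureWindowsPath(image.lower()).parent) in TRUSTED_DIRS


def suspicious_syncthing_launches(events):
    """Return PIDs matching the SickSync pattern: a SyncThing executable started
    from an untrusted directory by a parent that is running a .bat/.cmd script."""
    hits = []
    for ev in events:
        if PureWindowsPath(ev["image"].lower()).name not in SYNC_BINARIES:
            continue
        parent_cmd = ev.get("parent_cmdline", "").lower()
        launched_by_script = ".bat" in parent_cmd or ".cmd" in parent_cmd
        if launched_by_script and not is_trusted_path(ev["image"]):
            hits.append(ev["pid"])
    return hits


# Constructed sample events: one benign install, one SFX-extracted copy started
# by a batch file, one unrelated batch-launched process.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Syncthing\syncthing.exe",
     "parent_cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 5188, "image": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\syncthing.exe",
     "parent_cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\RarSFX0\start.bat"'},
    {"pid": 6001, "image": r"C:\Windows\System32\notepad.exe",
     "parent_cmdline": r"cmd.exe /c run.bat"},
]

if __name__ == "__main__":
    print(suspicious_syncthing_launches(SAMPLE_EVENTS))  # [5188]
```

A hit is only a lead: confirm it by checking whether the flagged binary's SyncThing peer list contains a device the organization does not own.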

SickSync represents a notable return of the Vermin group, which had remained dormant after previously orchestrating phishing campaigns aimed at Ukrainian state entities in March 2022 to deploy SPECTR. This malware variant has been linked to the group since 2019 and has a history of targeting Ukrainian governmental institutions, notably through a .NET remote access trojan that has been in operation since at least 2015.

Moreover, the resurgence of these attacks comes amidst CERT-UA’s concurrent warnings about social engineering threats utilizing the Signal messaging application to disseminate a remote access Trojan known as DarkCrystal RAT, associated with the activity cluster named UAC-0200. This trend underscores a growing intensity in cyber threats that leverage instant messaging platforms and compromised legitimate accounts, highlighting a strategic shift in attack vectors.

Furthermore, the disclosure coincides with a broader campaign attributed to Belarusian state-sponsored hackers, dubbed GhostWriter (also tracked as UAC-0057 and UNC1151), which uses tainted Microsoft Excel documents to target the Ukrainian Ministry of Defense. When opened, these documents run a VBA macro that drops an LNK shortcut file and a DLL loader, which can in turn deliver additional payloads such as Agent Tesla, Cobalt Strike beacons, and njRAT.

In light of these incidents, organizations should take a proactive stance on strengthening their defenses, using frameworks such as the MITRE ATT&CK Matrix to map the adversary tactics seen in such campaigns, including initial access and persistence techniques. By fostering a culture of awareness and preparedness, organizations can better withstand the growing threat landscape.

The ongoing developments serve as a stark reminder of the persistent risks faced by organizations, particularly those linked to government sectors in conflict zones, emphasizing the critical need for robust cybersecurity strategies to counteract these evolving threats.
