June 7, 2024 at 03:54AM
Ukraine’s CERT-UA warns of cyber attacks targeting defense forces with the SPECTR malware, part of an espionage campaign named SickSync. The attacks are attributed to UAC-0020 (Vermin), which is associated with the Luhansk People’s Republic. SPECTR steals information by grabbing screenshots, harvesting files, and stealing credentials. The Vermin group was previously observed orchestrating phishing campaigns using SPECTR. CERT-UA also warned of social engineering attacks using the Signal app.
The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about several cyber attacks targeting defense forces in the country. The attacks involve a malware called SPECTR, part of an espionage campaign named SickSync, attributed to the threat actor UAC-0020, also known as Vermin and associated with security agencies of the Luhansk People’s Republic (LPR).
The attack chains begin with spear-phishing emails containing a trojanized version of the SyncThing application that includes the SPECTR payload. SPECTR serves as an information stealer, grabbing screenshots, harvesting files, gathering data from USB drives, and stealing credentials and information from web browsers and applications like Element, Signal, Skype, and Telegram. The malware was also observed using the legitimate SyncThing software to establish peer-to-peer connections between computers.
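A defensive hunt for the behaviour described above, where SPECTR relies on legitimate SyncThing software for peer-to-peer connections: flag Syncthing network and process signals on hosts that are not sanctioned to run it. This is an added example, not code from CERT-UA or the original page; the ports and domain are Syncthing's defaults, while the event schema, host names and allowlist are constructed assumptions.

```python
import json
from collections import defaultdict

# Syncthing defaults: sync protocol on 22000 (TCP/UDP), local discovery on 21027/UDP.
SYNC_PORTS = {("tcp", 22000), ("udp", 22000), ("udp", 21027)}
SYNC_DOMAIN = "syncthing.net"      # Syncthing project's discovery/relay infrastructure
APPROVED_HOSTS = {"backup-srv01"}  # assumption: hosts sanctioned to run Syncthing

# Constructed telemetry (hypothetical schema and host names), one JSON event per line.
SAMPLE_EVENTS = """\
{"host": "ws-114", "type": "dns", "query": "discovery.syncthing.net."}
{"host": "ws-114", "type": "net", "proto": "tcp", "dport": 22000}
{"host": "ws-114", "type": "proc", "image": "SyncThing.exe"}
{"host": "ws-207", "type": "dns", "query": "notsyncthing.net"}
{"host": "backup-srv01", "type": "net", "proto": "udp", "dport": 21027}
{"host": "ws-301", "type": "net", "proto": "udp", "dport": 21027}
truncated-line-without-json
"""

def signal(event):
    """Return a reason string if the event looks like Syncthing activity."""
    kind = event.get("type")
    if kind == "dns":
        name = str(event.get("query", "")).lower().rstrip(".")
        # Match on a label boundary so look-alike names do not fire.
        if name == SYNC_DOMAIN or name.endswith("." + SYNC_DOMAIN):
            return "dns:" + name
    elif kind == "net":
        key = (str(event.get("proto", "")).lower(), event.get("dport"))
        if key in SYNC_PORTS:
            return "port:%s/%s" % key
    elif kind == "proc" and "syncthing" in str(event.get("image", "")).lower():
        return "process:" + str(event["image"])  # weakest signal: names can be changed
    return None

def hunt(log_text, approved=APPROVED_HOSTS):
    """Map each non-approved host to the sorted Syncthing signals seen on it."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except ValueError:
            continue  # skip malformed lines rather than abort the hunt
        if not isinstance(event, dict):
            continue
        reason = signal(event)
        host = event.get("host")
        if reason and host and host not in approved:
            findings[host].add(reason)
    return {host: sorted(reasons) for host, reasons in findings.items()}
```

Calling `hunt(SAMPLE_EVENTS)` returns findings for `ws-114` and `ws-301` only; the approved host and the look-alike domain are not reported.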
Additionally, CERT-UA warned of social engineering attacks using the Signal instant messaging app to distribute a remote access trojan called DarkCrystal RAT, linked to an activity cluster named UAC-0200.
The report also mentions a separate malware campaign conducted by Belarusian state-sponsored hackers known as GhostWriter, targeting the Ukrainian Ministry of Defense with booby-trapped Microsoft Excel documents.
These reports indicate a concerning escalation in cyber attacks targeting Ukraine’s defense forces and government institutions, involving complex malware and social engineering tactics.