June 7, 2024 at 03:36AM
The Computer Emergency Response Team of Ukraine (CERT-UA) warns of the “SickSync” campaign by UAC-0020 (Vermin), a hacker group associated with the Russian-occupied Luhansk region. The attack uses SyncThing and SPECTR malware to steal military data. Vermin modified SyncThing and used SPECTR to exfiltrate data, posing a serious security threat. Source: CERT-UA.
Key takeaways:
– The “SickSync” campaign was reported by the Computer Emergency Response Team of Ukraine (CERT-UA), involving the UAC-0020 (Vermin) hacking group attacking the Ukrainian defense forces.
– The threat group, linked to the Luhansk People’s Republic (LPR) region, has activities aligning with Russia’s interests.
– The attack combines legitimate file-syncing software, SyncThing, with a malware called SPECTR, aiming to steal sensitive information from military organizations.
– The attack starts with a phishing email containing a password-protected RARSFX archive named “turrel.fop.wolf.rar.”
– The RAR archive contains a decoy PDF (“Wowchok.pdf”), an installer (“sync.exe”) that bundles SyncThing together with the SPECTR malware, and a BAT script (“run_user.bat”) that launches sync.exe.
– SyncThing establishes a peer-to-peer connection for data synchronization, which the attackers use to pull stolen documents and account passwords off the victim machine.
– SPECTR is capable of various malicious activities, including retrieving files and stealing data from browsers and messaging platforms.
– Data stolen by SPECTR is copied to specific subfolders and transferred through syncing to the threat actor’s system.
– CERT-UA advises that any interaction with SyncThing’s infrastructure should prompt an investigation to detect and remove the infection.
These takeaways offer a clear overview of the “SickSync” campaign and the methods employed by the UAC-0020 (Vermin) hacking group, as reported by CERT-UA.
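The CERT-UA advice above (treat any contact with SyncThing's infrastructure as grounds for investigation) can be turned into a simple log triage. The script below is an added example, not CERT-UA or Syncthing project tooling: it runs over constructed DNS, connection and endpoint log lines, flags lookups of Syncthing's public discovery and relay hosts, outbound connections to Syncthing's default sync port 22000, and the file names reported for this campaign, then prioritises hosts showing more than one indicator. The log line formats and host names (WS-17 and so on) are assumptions made for the example; the syncthing.net domains and port 22000 are the project's real defaults.

```python
"""Triage helper for the SickSync advice: flag SyncThing infrastructure contact and
campaign artefact names in logs. Added example; log formats below are constructed."""
import re

# Public Syncthing discovery/relay hosts (real project infrastructure) and default listener.
SYNCTHING_DOMAINS = {
    "discovery.syncthing.net",
    "discovery-v4.syncthing.net",
    "discovery-v6.syncthing.net",
    "relays.syncthing.net",
}
SYNCTHING_PORT = 22000  # default TCP/UDP sync port

# File names reported by CERT-UA for this campaign (taken from the article above).
SICKSYNC_ARTEFACTS = {"turrel.fop.wolf.rar", "wowchok.pdf", "sync.exe", "run_user.bat"}

# Assumed (constructed) log line formats for the three event kinds.
DNS_RE = re.compile(r"^(?P<ts>\S+) dns client=(?P<client>\S+) query=(?P<qname>\S+)$")
CONN_RE = re.compile(r"^(?P<ts>\S+) conn src=(?P<src>\S+) dst=(?P<dst>[\d.]+):(?P<port>\d+)$")
HOST_RE = re.compile(
    r"^(?P<ts>\S+) (?:proc|file) host=(?P<host>\S+) (?:image|path)=(?P<target>\S+)(?: cmd=(?P<cmd>.*))?$"
)


def classify_line(line):
    """Return (host, reason) when a line matches an indicator, otherwise None."""
    m = DNS_RE.match(line)
    if m:
        qname = m["qname"].lower().rstrip(".")
        if qname in SYNCTHING_DOMAINS or qname.endswith(".syncthing.net"):
            return m["client"], f"syncthing discovery/relay lookup: {qname}"
        return None
    m = CONN_RE.match(line)
    if m and int(m["port"]) == SYNCTHING_PORT:
        return m["src"], f"outbound connection to syncthing default port {SYNCTHING_PORT}"
    m = HOST_RE.match(line)
    if m:
        # Tokenise on path separators and whitespace so 'rsync.exe' does not match 'sync.exe'.
        text = (m["target"] + " " + (m["cmd"] or "")).lower()
        tokens = set(re.split(r"[\\/\s]+", text))
        hits = sorted(SICKSYNC_ARTEFACTS & tokens)
        if hits:
            return m["host"], "sicksync artefact name(s): " + ", ".join(hits)
    return None


def triage(lines):
    """Collect every indicator reason per host."""
    findings = {}
    for line in lines:
        hit = classify_line(line.strip())
        if hit:
            host, reason = hit
            findings.setdefault(host, []).append(reason)
    return findings


def prioritised(findings):
    """Hosts with two or more distinct indicators go to the top of the investigation queue."""
    return sorted(host for host, reasons in findings.items() if len(set(reasons)) >= 2)


# Constructed sample log lines: WS-17 shows the full chain, WS-09 a single lookup, WS-03 benign noise.
SAMPLE_LOGS = [
    "2024-06-05T09:12:01Z file host=WS-17 path=C:\\Users\\u\\Downloads\\turrel.fop.wolf.rar",
    "2024-06-05T09:12:02Z proc host=WS-17 image=C:\\Windows\\System32\\cmd.exe cmd=cmd /c run_user.bat",
    "2024-06-05T09:12:02Z proc host=WS-17 image=C:\\Users\\u\\AppData\\Local\\Temp\\sync.exe",
    "2024-06-05T09:12:03Z dns client=WS-17 query=discovery-v4.syncthing.net.",
    "2024-06-05T09:12:04Z conn src=WS-17 dst=203.0.113.10:22000",
    "2024-06-05T09:12:05Z dns client=WS-03 query=www.example.com",
    "2024-06-05T09:12:05Z proc host=WS-03 image=C:\\tools\\rsync.exe",
    "2024-06-05T09:12:05Z conn src=WS-03 dst=198.51.100.5:443",
    "2024-06-05T09:12:06Z dns client=WS-09 query=relays.syncthing.net",
]

if __name__ == "__main__":
    results = triage(SAMPLE_LOGS)
    for host in prioritised(results):
        print(host)
        for reason in results[host]:
            print("  -", reason)
```

In a real deployment the regexes would be replaced by the SIEM's parsed fields, and a legitimate Syncthing install on a host should be whitelisted by asset inventory rather than by name, since the campaign uses the genuine client.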