Renewed Info Stealer Campaign Targets Ukrainian Military
CERT-UA Says Threat Actor 'Vermin' Used Syncthing Application
Ukrainian cyber defenders said Russian intelligence hackers operating from the occupied Donbas city of Luhansk targeted military email inboxes with an info stealer.
The Computer Emergency Response Team of Ukraine on Thursday said a group it tracks as UAC-0020 - also known as "Vermin" - deployed a malware strain dubbed "Spectr" as part of a spear-phishing campaign.
The phishing email appears to contain password-protected information about a gun turret. An attachment contains an archive folder with three files: a decoy PDF, an executable file and a batch file. The executable contains Spectr malware bundled with a modified version of Syncthing, a legitimate open-source, peer-to-peer synchronization application. The hackers made modifications that included disabling the user notifications of Syncthing.
The malware steals documents, files, passwords and other information - including data from the victims' Telegram, Signal and Skype accounts - from the infected device while operating in the background.
The info stealer copies the exfiltrated data into a subfolder and transfers it using the file-sharing app.
CERT-UA called the campaign "not-so-successful," dubbing it "SickSync." Ukraine said Vermin is an operation of Luhansk law enforcement agencies. That region of Ukraine operated with the support of Russian-backed paramilitaries as a breakaway state from 2014 until 2022, when Russia putatively annexed it.
Vermin's last known operation was in March 2022, when Ukrainian cyber defenders said they detected a similar campaign deploying Spectr malware.
The Russia-Ukraine war is now in its third year. Russia in May opened a new battlefront in the Kharkiv region, and the Institute for the Study of War said on Wednesday that "Russian forces are attempting to make tactically and operationally significant gains" before renewed U.S. military assistance arrives at the front line at scale. U.S. President Joe Biden in May approved Ukrainian use of artillery to strike Russian forces in Russia. The New York Times reported Wednesday that a Ukrainian member of parliament said armed forces used that permission to destroy Russian missile launchers in the Belgorod region using an American High Mobility Artillery Rocket System.