UAC-0020 (Vermin) targets Ukraine's Defense Forces using SPECTR malware alongside legitimate SyncThing
June 7, 2024, 9:09 a.m.
Description
This report describes a cyber attack campaign by the threat group UAC-0020 (Vermin) against Ukraine's Defense Forces, in which the SPECTR malware was used in tandem with the legitimate SyncThing file-synchronization software to exfiltrate sensitive data. The payload was delivered in a password-protected archive containing a decoy PDF and an installer that deployed both SyncThing's legitimate components and SPECTR's malicious modules. SPECTR's capabilities include screen capture, file theft, credential exfiltration, and theft of data from messaging apps and browsers. The stolen data was covertly synced to attacker-controlled infrastructure through SyncThing's peer-to-peer functionality. Because SyncThing itself is legitimate software, hash-based detection alone is not sufficient: hunting should also cover SyncThing instances, and the sync peers they are configured with, that the organization did not provision.
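The two checks a responder would run after reading this description, as an added example written by the editor (not code from the report or from the SyncThing project): matching file hashes against the report's SHA256 indicators, and auditing a SyncThing config.xml for folders shared with a device the organization did not provision. The config layout (a `<folder path=...>` containing `<device id=...>` children, plus top-level `<device id=... name=...>` entries) follows the real SyncThing file; the device IDs, file contents and the sample config are constructed for the demo, and only a subset of the report's hashes is embedded.

```python
"""Hunting helpers for the SPECTR + SyncThing tradecraft described above.

Added example by the editor, not code from the report or the SyncThing
project. Two checks:
  1. hash every file under a directory and match against the report's
     SHA256 indicators (a subset is embedded; extend with the full list);
  2. parse a SyncThing config.xml and list folders shared with a device
     that is not on an allowlist, since the SyncThing binary is legitimate
     and the malicious element is the peer the data is synced to.
The config layout (<folder path=...><device id=...> plus top-level
<device id=... name=...>) follows the real file; the sample data, device
IDs and file contents below are constructed for the demo.
"""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Subset of the SHA256 indicators listed in this report.
SPECTR_IOCS = {
    "fbd8883e659d8082fe8e1ee15de12e2b710fd4c92d8d72b2cf34befcdc5be7fb",
    "f8b696ae1011f6c5457eea1e215da81e85aef1b1a62c56dce3606e0512afdbb4",
    "c208408170c429af873849cecc4b7553598ba5a70fce7616e6adca66cfeb8d75",
    "0a43d77c67c0ff31660a19e69cdb26e55b5322cf63b51a97d4de0c4b48f78841",
}

# Constructed SyncThing device IDs (real ones are 8 dash-separated groups).
KNOWN_ID = "AAAAAAA-AAAAAAA-AAAAAAA-AAAAAAA-AAAAAAA-AAAAAAA-AAAAAAA-AAAAAAA"
ROGUE_ID = "BBBBBBB-BBBBBBB-BBBBBBB-BBBBBBB-BBBBBBB-BBBBBBB-BBBBBBB-BBBBBBB"

# Constructed config.xml: "Documents" is send-only to an unnamed extra peer.
SAMPLE_CONFIG = f"""<configuration version="37">
  <folder id="docs" label="Documents" path="C:\\Users\\user\\Documents" type="sendonly">
    <device id="{KNOWN_ID}"></device>
    <device id="{ROGUE_ID}"></device>
  </folder>
  <folder id="work" label="Work" path="C:\\Shared" type="sendreceive">
    <device id="{KNOWN_ID}"></device>
  </folder>
  <device id="{KNOWN_ID}" name="laptop"><address>dynamic</address></device>
  <device id="{ROGUE_ID}" name=""><address>dynamic</address></device>
</configuration>
"""


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(root: str) -> dict:
    """Map every regular file under root to its SHA256 (read in chunks)."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            out[path] = h.hexdigest()
    return out


def match_iocs(file_hashes: dict, iocs=SPECTR_IOCS) -> list:
    """Return the sorted paths whose SHA256 appears in the indicator set."""
    return sorted(p for p, h in file_hashes.items() if h.lower() in iocs)


def audit_syncthing_config(xml_text: str, allowed_devices: set) -> list:
    """Return (folder label, folder path, [unknown peers]) for every folder
    shared with a device outside allowed_devices. IDs are compared
    case-insensitively; peer names come from the top-level <device> entries."""
    root = ET.fromstring(xml_text)
    allowed = {d.upper() for d in allowed_devices}
    names = {d.get("id", "").upper(): d.get("name", "") for d in root.findall("device")}
    findings = []
    for folder in root.findall("folder"):
        peers = [d.get("id", "").upper() for d in folder.findall("device")]
        unknown = [f"{p} ({names.get(p) or 'unnamed'})" for p in peers if p not in allowed]
        if unknown:
            findings.append((folder.get("label", ""), folder.get("path", ""), unknown))
    return findings


def demo() -> dict:
    """Run both checks on constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a SPECTR component plus a benign decoy.
        payload = b"constructed SPECTR stand-in, not a real sample"
        with open(os.path.join(tmp, "update.exe"), "wb") as fh:
            fh.write(payload)
        with open(os.path.join(tmp, "readme.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 decoy")
        hits = match_iocs(hash_tree(tmp), SPECTR_IOCS | {sha256_bytes(payload)})
    return {
        "ioc_hits": [os.path.basename(p) for p in hits],
        "folders": audit_syncthing_config(SAMPLE_CONFIG, {KNOWN_ID}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real host, point `hash_tree` at the directories the installer is likely to write to and `audit_syncthing_config` at the SyncThing config.xml of each user profile, with the allowlist populated from the device IDs the organization actually issued; any send-only or send-receive folder shared with an unknown peer is the exfiltration path this report describes.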
Date
Published: June 7, 2024, 8:33 a.m.
Created: June 7, 2024, 8:33 a.m.
Modified: June 7, 2024, 9:09 a.m.
Indicators
fbd8883e659d8082fe8e1ee15de12e2b710fd4c92d8d72b2cf34befcdc5be7fb
f8b696ae1011f6c5457eea1e215da81e85aef1b1a62c56dce3606e0512afdbb4
c208408170c429af873849cecc4b7553598ba5a70fce7616e6adca66cfeb8d75
c3ac906b3228c4c9ce3dd0e46b6c5b0bed4dacd61911dc006730a31f90f424c7
db1e53f9b03363d595c9daf1eaafd1d851b5d984af9e4062204f18746b012d37
bf895dca1ea67bf39a6bd87168af8d4fdfd6321d2f2d071295dbd4d25508eb68
bef8cf172fd4535738e3aa06a9c303f93c83a4da0053aba4cbea986729d4620b
bf62d5e034b4ce4fd122ab72fa388ea461fd6e5f317ad3274fe847a526c00282
b4d4e2602cd6c5286be56b71a8659dff380eafd4bf65b61268b5d29a2bd6c52b
b05c65897fc449760fa5867e436205313448007e904e02aa77c0733a21d15bb2
b452b0043533625da67e687c6050e9475d1a83337fa2b64735fc9a248179df10
9b3994f395309b0fb4db23e66d8de822b47cd9d4c9544bc48ed0e0fa082251b0
8cccf28333d822da6b5d851ae4cb188fed6dd27a3046627c7a32850c9d959124
9221c2f936159b8446d329249fb4c0f25be510f447383a0f13336ac7985668a3
87f73bc1762913e46d4dad6464f92d0d3e3c785da4cc30a24460601a3ceed970
892a45e8adc92eb281a8f4cdba824cd69134bcb8378977747998b87c5a7fdec8
806db134f3b9db4a58dd8ff65498d2841f645ef7252857e57c46cd6680edcec7
711100e90de58762aa121a5f4a5fc50f1efc05499f1ee63b6bc1e3d479eb4c69
7198094549e30b8bff6865ce364e48dc324d92f2346dec9b0ce6664921c21888
6a13b98c7dc82ea2a492c0022fd93fa97247912dfa8ad5f015fb4b50e6c05fbb
5ef47edc207e404c57ac83e2b55fb0b7c1687d721f26fc7a5a6e5294b28a2f6f
67571ad65881dd4feb309c22f8e508da40bbf4f573fd97c45265394ac5b06659
4d3c48917973daaf7e31aeab167e4611c60feed29bae25303c0543824bef027c
48adf2450c4ae087c1c4982a2a789d8f1b1e88b8d959fb26db273a76ef8b1888
4c4db56997d9a44cfc5a03f3b401f96d6890a56cd32146c5605f159a97112df9
456732417161a749541bbc4016c9334a01ff3b209c29bc3995f3589dccb80f31
2b6622cc433aff6cb4bc582c7bc3bffc09e0fc6f0e1a97bab17485058bdcf3c9
1cc0257d93b4d1c0b3bb5c923c2997f222d271591addbd2da0da019dbb5fe579
29d9cc9a79750c6c1a3052317fb172b9d76a7044b94cd1da3be00ace748a9878
117078cd63225cfed7cbe4bc4c2ffed6db4d4bd93bf353a87cc10fb05cc0151c
0ad1cf00eed24ab07765d3670d1c8394b3d232f58bf939b69ada9e88c45b4b03
0a43d77c67c0ff31660a19e69cdb26e55b5322cf63b51a97d4de0c4b48f78841
csoc@post.mil.gov.ua
Attack Patterns
SPECTR
UAC-0020 (Vermin)
T1025: Data from Removable Media
T1018: Remote System Discovery
T1567: Exfiltration Over Web Service
T1115: Clipboard Data
T1114: Email Collection
T1555: Credentials from Password Stores
T1113: Screen Capture
T1564: Hide Artifacts
T1082: System Information Discovery
T1105: Ingress Tool Transfer
T1083: File and Directory Discovery
T1036: Masquerading
T1560: Archive Collected Data
T1053: Scheduled Task/Job
T1112: Modify Registry
T1056: Input Capture
T1558: Steal or Forge Kerberos Tickets
T1003: OS Credential Dumping
T1059: Command and Scripting Interpreter
Additional Information
Defense
Government
Ukraine