Targets Ukraine's Defense Forces using SPECTR malware alongside legitimate SyncThing

June 7, 2024, 9:09 a.m.

Description

The report describes a cyber attack campaign by the UAC-0020 (Vermin) threat group targeting Ukraine's Defense Forces. The attackers utilized the SPECTR malware in tandem with the legitimate SyncThing software to exfiltrate sensitive data. The malicious payload was delivered via a password-protected archive containing a decoy PDF and an installer that deployed both SyncThing's legitimate components and SPECTR's malicious modules. SPECTR's capabilities included screen capture, file theft, password exfiltration, and the ability to steal data from messaging apps and browsers. The stolen data was covertly synced to the attackers' infrastructure by leveraging SyncThing's P2P functionality.

Date

Published: June 7, 2024, 8:33 a.m.

Created: June 7, 2024, 8:33 a.m.

Modified: June 7, 2024, 9:09 a.m.

Indicators


csoc@post.mil.gov.ua

Attack Patterns

SPECTR

UAC-0020 (Vermin)

T1025

T1018

T1567

T1115

T1114

T1555

T1113

T1564

T1082

T1105

T1083

T1036

T1560

T1053

T1112

T1056

T1558

T1003

T1059

Additional Information

Defense

Government

Ukraine