Targets Ukraine's Defense Forces using SPECTR malware alongside legitimate SyncThing

June 7, 2024, 9:09 a.m.

Description

The report describes a cyber attack campaign by the UAC-0020 (Vermin) threat group targeting Ukraine's Defense Forces. The attackers utilized the SPECTR malware in tandem with the legitimate SyncThing software to exfiltrate sensitive data. The malicious payload was delivered via a password-protected archive containing a decoy PDF and an installer that deployed both SyncThing's legitimate components and SPECTR's malicious modules. SPECTR's capabilities included screen capture, file theft, password exfiltration, and the ability to steal data from messaging apps and browsers. The stolen data was covertly synced to the attackers' infrastructure by leveraging SyncThing's P2P functionality.

External References

https://cert.gov.ua/article/6279600
https://otx.alienvault.com/pulse/6662c5d7e8df8c4efb12935d
Tags
ukraine
exfiltration
defense
2024-06-07
spectr
syncthing

Date

  • Created: June 7, 2024, 8:33 a.m.
  • Published: June 7, 2024, 8:33 a.m.
  • Modified: June 7, 2024, 9:09 a.m.

Indicators

  • fbd8883e659d8082fe8e1ee15de12e2b710fd4c92d8d72b2cf34befcdc5be7fb
  • f8b696ae1011f6c5457eea1e215da81e85aef1b1a62c56dce3606e0512afdbb4
  • c208408170c429af873849cecc4b7553598ba5a70fce7616e6adca66cfeb8d75
  • c3ac906b3228c4c9ce3dd0e46b6c5b0bed4dacd61911dc006730a31f90f424c7
  • db1e53f9b03363d595c9daf1eaafd1d851b5d984af9e4062204f18746b012d37
  • bf895dca1ea67bf39a6bd87168af8d4fdfd6321d2f2d071295dbd4d25508eb68
  • bef8cf172fd4535738e3aa06a9c303f93c83a4da0053aba4cbea986729d4620b
  • bf62d5e034b4ce4fd122ab72fa388ea461fd6e5f317ad3274fe847a526c00282
  • b4d4e2602cd6c5286be56b71a8659dff380eafd4bf65b61268b5d29a2bd6c52b
  • b05c65897fc449760fa5867e436205313448007e904e02aa77c0733a21d15bb2
  • b452b0043533625da67e687c6050e9475d1a83337fa2b64735fc9a248179df10
  • 9b3994f395309b0fb4db23e66d8de822b47cd9d4c9544bc48ed0e0fa082251b0
  • 8cccf28333d822da6b5d851ae4cb188fed6dd27a3046627c7a32850c9d959124
  • 9221c2f936159b8446d329249fb4c0f25be510f447383a0f13336ac7985668a3
  • 87f73bc1762913e46d4dad6464f92d0d3e3c785da4cc30a24460601a3ceed970
  • 892a45e8adc92eb281a8f4cdba824cd69134bcb8378977747998b87c5a7fdec8
  • 806db134f3b9db4a58dd8ff65498d2841f645ef7252857e57c46cd6680edcec7
  • 711100e90de58762aa121a5f4a5fc50f1efc05499f1ee63b6bc1e3d479eb4c69
  • 7198094549e30b8bff6865ce364e48dc324d92f2346dec9b0ce6664921c21888
  • 6a13b98c7dc82ea2a492c0022fd93fa97247912dfa8ad5f015fb4b50e6c05fbb
  • 5ef47edc207e404c57ac83e2b55fb0b7c1687d721f26fc7a5a6e5294b28a2f6f
  • 67571ad65881dd4feb309c22f8e508da40bbf4f573fd97c45265394ac5b06659
  • 4d3c48917973daaf7e31aeab167e4611c60feed29bae25303c0543824bef027c
  • 48adf2450c4ae087c1c4982a2a789d8f1b1e88b8d959fb26db273a76ef8b1888
  • 4c4db56997d9a44cfc5a03f3b401f96d6890a56cd32146c5605f159a97112df9
  • 456732417161a749541bbc4016c9334a01ff3b209c29bc3995f3589dccb80f31
  • 2b6622cc433aff6cb4bc582c7bc3bffc09e0fc6f0e1a97bab17485058bdcf3c9
  • 1cc0257d93b4d1c0b3bb5c923c2997f222d271591addbd2da0da019dbb5fe579
  • 29d9cc9a79750c6c1a3052317fb172b9d76a7044b94cd1da3be00ace748a9878
  • 117078cd63225cfed7cbe4bc4c2ffed6db4d4bd93bf353a87cc10fb05cc0151c
  • 0ad1cf00eed24ab07765d3670d1c8394b3d232f58bf939b69ada9e88c45b4b03
  • 0a43d77c67c0ff31660a19e69cdb26e55b5322cf63b51a97d4de0c4b48f78841
  • csoc@post.mil.gov.ua
Download all indicators here!

Attack Patterns

  • SPECTR
  • UAC-0020 (Vermin)

Additional Informations

  • Defense
  • Government
  • Ukraine