Vermin Hackers Resurface to Target Ukrainian Defense Forces with SPECTR Malware
6 June 2024 at 18:59
Vermin Hackers' Latest Campaign Details
The latest attack, which involves the SPECTR malware, marks Vermin's first significant activity since March 2022. SPECTR, known since at least 2018, was used extensively in the current campaign against the Ukrainian defense forces. The attackers abused the synchronization function of the legitimate Syncthing software to exfiltrate stolen documents, files, passwords and other sensitive information from compromised computers. Syncthing supports peer-to-peer connections, so it can sync files between devices on a local network or between remote devices over the Internet. It is a free and open-source synchronization application available for Windows, macOS, Linux, Android, Solaris, Darwin and BSD. Because the traffic is generated by a widely used legitimate tool, the exfiltration channel blends in with normal activity; CERT-UA said the Vermin hackers abused this software specifically for data exfiltration. Ukrainian cyber defenders last month reported that Russian hackers were employing a similar tactic, using legitimate remote monitoring software to spy on Ukraine and its allies.

Vermin Attack Vectors
The attack was initiated via a spear-phishing email carrying a password-protected archive named "turrel.fop.vovchok.rar". This archive contained a RarSFX (self-extracting) archive, "turrel.fop.ovchok.sfx.rar.scr", with the following contents:
- pdf: a decoy file.
- exe: an installer built with Inno Setup (a free installer for Windows programs), containing both legitimate Syncthing components and the SPECTR malware files. The "sync.exe" file was modified to use different directory and scheduled task names and to disable user notifications, embedding the SPECTR malware within the Syncthing environment.
- bat: a BAT file for initial execution.
SPECTR Malware Components
SPECTR malware has the capabilities of a RAT and consists of the following modules:
- SpecMon: Calls "PluginLoader.dll" to execute DLL files containing the "IPlugin" class.
- Screengrabber: Takes screenshots every 10 seconds if certain program windows are detected (e.g., Word, Excel, Signal, WhatsApp).
- FileGrabber: Uses "robocopy.exe" to copy files with specific extensions (e.g., .pdf, .docx, .jpg) from user directories to %APPDATA%\sync\Slave_Sync\.
- Usb: Copies files with certain extensions from USB media using "robocopy.exe".
- Social: Steals authentication data from messengers like Telegram, Signal, and Skype.
- Browsers: Steals browser data including authentication and session data from Firefox, Edge, Chrome and other Chromium-based browsers.
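The behaviours described above (a RarSFX .scr dropper, a renamed Syncthing binary living in the user's profile, and robocopy staging files into %APPDATA%\sync\Slave_Sync\) are all visible in process-creation telemetry. The following Python script is an added example, not code from the article or from CERT-UA, showing how a defender could hunt for them in Sysmon Event ID 1 style records. The log lines are constructed for this example and simplified to pipe-separated key=value fields; the exact staging path of sync.exe, the .bat file name, the parent/child relationships and the user name are assumptions, as is the %APPDATA%\Roaming\sync\ location of the renamed Syncthing binary, which is inferred from the FileGrabber destination rather than stated in the report.

```python
import re
from collections import namedtuple

# Constructed sample records (NOT real telemetry from the campaign). Field
# values mimic the behaviours CERT-UA describes; the user name, the .bat name
# and the exact parent/child relationships are assumptions for illustration.
SAMPLE_EVENTS = [
    # RarSFX screensaver dropper launching the initial .bat via cmd.exe
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Users\ivan\Downloads\turrel.fop.ovchok.sfx.rar.scr|CommandLine=cmd.exe /c start.bat",
    # Modified Syncthing binary (sync.exe) running out of the roaming profile (assumed path)
    r"Image=C:\Users\ivan\AppData\Roaming\sync\sync.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=C:\Users\ivan\AppData\Roaming\sync\sync.exe",
    # FileGrabber module staging documents into the Syncthing folder
    r"Image=C:\Windows\System32\Robocopy.exe|ParentImage=C:\Users\ivan\AppData\Roaming\sync\sync.exe|CommandLine=Robocopy.exe C:\Users\ivan\Documents C:\Users\ivan\AppData\Roaming\sync\Slave_Sync\Documents *.pdf *.docx *.jpg /S",
    # Benign: an administrator's robocopy backup to a second drive
    r"Image=C:\Windows\System32\Robocopy.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=Robocopy.exe C:\Users\ivan\Documents D:\Backup\Documents /MIR",
    # Benign: a normally installed Syncthing
    r"Image=C:\Program Files\Syncthing\syncthing.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=C:\Program Files\Syncthing\syncthing.exe -no-console",
]

Finding = namedtuple("Finding", "rule image")

# Destination path used by the FileGrabber/Usb modules, expanded or unexpanded.
SLAVE_SYNC_RE = re.compile(r"(appdata\\roaming|%appdata%)\\sync\\slave_sync\\", re.IGNORECASE)

# Each rule is (name, predicate over the parsed event dict).
RULES = [
    # robocopy writing into %APPDATA%\sync\Slave_Sync\ (FileGrabber / Usb modules)
    ("robocopy_to_slave_sync",
     lambda e: e["image"].lower().endswith("robocopy.exe")
               and SLAVE_SYNC_RE.search(e["cmdline"]) is not None),
    # a binary called sync.exe executing from under AppData (renamed Syncthing, assumed path)
    ("renamed_syncthing_in_appdata",
     lambda e: e["image"].lower().endswith("\\sync.exe")
               and "\\appdata\\" in e["image"].lower()),
    # any process whose parent is a RarSFX archive disguised as a screensaver
    ("rarsfx_scr_spawns_child",
     lambda e: e["parent"].lower().endswith(".sfx.rar.scr")),
]


def parse_event(line):
    """Split a pipe-separated key=value record into the fields the rules use.

    partition() is used so that '=' characters inside CommandLine survive.
    """
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return {
        "image": fields.get("Image", ""),
        "parent": fields.get("ParentImage", ""),
        "cmdline": fields.get("CommandLine", ""),
    }


def scan_events(lines):
    """Return one Finding per (event, matching rule); benign events yield nothing."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for name, predicate in RULES:
            if predicate(event):
                findings.append(Finding(name, event["image"]))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.rule:32} {f.image}")
```

The two benign records exercise the obvious false-positive paths: a legitimate robocopy job to a backup drive does not touch the Slave_Sync folder, and a Syncthing installed under Program Files keeps its real binary name. In production the Slave_Sync path rule is the most specific indicator; the sync.exe rule should be confirmed against the binary's version information and signature before alerting.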
[Figure: Vermin hackers' phishing mail and malware components]