Ukrainian cyber defenders uncovered the resurgence of Vermin hackers after a two-year hiatus. The hacker group is targeting the country’s defense forces with spear-phishing emails that infect their systems with SPECTR malware, which acts as a remote access trojan (RAT). The Computer Emergency Response Team of Ukraine (CERT-UA) in collaboration with the Cybersecurity Center of the Armed Forces of Ukraine detected and investigated a spear-phishing campaign targeting the Ukrainian Defense Forces. The campaign was orchestrated by the Vermin hacker group, which CERT-UA tracks as UAC-0020. This cyber campaign, marking the return of the Vermin group after a prolonged absence, has been named “SickSync” for easier identification and reference. Ukraine attributes the Vermin hackers to the law enforcement agencies in the occupied Luhansk region. CERT-UA has earlier claimed that the server equipment of the Vermin group has been hosted at the technical site of a Luhansk cloud hosting provider vServerCo (AS58271) for many years. Palo Alto’s Unit 42 had tracked a similar campaign of the Vermin hackers in 2018 targeting Ukrainians with phishing lures related to the Ukrainian Ministry of Defense.

Vermin Hackers’ Latest Campaign Details

The latest attack that involves the use of SPECTR malware marks Vermin's first significant activity since March 2022. SPECTR, a malware known since at least 2018, was used extensively in the current campaign aimed at the Ukrainian defense forces. The attackers leveraged the legitimate Syncthing software’s synchronization functionality to download stolen documents, files, passwords and other sensitive information from compromised computers. Syncthing supports peer-to-peer connections, meaning it can sync files between devices on a local network or between remote devices over the Internet. It is a free and open-source synchronization application that supports Windows, macOS, Linux, Android, Solaris, Darwin and BSD operating systems. The Vermin hackers exploited this legitimate software for data exfiltration, the CERT-UA said. Ukrainian cyber defenders last month reported that Russian hackers were employing a similar tactic of using legitimate remote monitoring software to spy on Ukraine and and its allies.

Vermin Attack Vectors

The attack was initiated via a spear-phishing email containing a password-protected archive file named “turrel.fop.vovchok.rar.” This archive contained a RarSFX archive “turrel.fop.ovchok.sfx.rar.scr” with the following contents:

• pdf: a decoy file.
• exe: an EXE installer created using InnoSetup (a free installer for Windows programs), containing both legitimate Syncthing components and SPECTR malware files. The “sync.exe” file was modified to change directory names, scheduled tasks, and disable user notifications, embedding the SPECTR malware within the SyncThing environment.
• bat: a BAT file for initial execution.

RarSFX is a temporary installation files folder created by Bitdefender. It is used as Self Extracting Archives unpack site.

SPECTR Malware Components

SPECTR malware is loaded with the capabilities of a RAT and consists of the following modules:

1. SpecMon: Calls “PluginLoader.dll” to execute DLL files containing the "IPlugin" class.
2. Screengrabber: Takes screenshots every 10 seconds if certain program windows are detected (e.g., Word, Excel, Signal, WhatsApp).
3. FileGrabber: Uses “robocopy.exe” to copy files with specific extensions (e.g., .pdf, .docx, .jpg) from user directories to %APPDATA%\sync\Slave_Sync\.
4. Usb: Copies files from USB media with certain extensions using “robocopy.exe.”
5. Social: Steals authentication data from messengers like Telegram, Signal, and Skype.
6. Browsers: Steals browser data including authentication and session data from Firefox, Edge, Chrome and other Chromium-based browsers.

All this stolen information is stored in “%APPDATA%\sync\Slave_Sync\” location and transferred to the attacker’s computer using Syncthing's synchronization functionality. [caption id="attachment_75531" align="alignnone" width="1024"] Example of an email and the contents of a malicious installer of Vermin hackers (Source: CERT-UA)[/caption]

Network IoCs and Preventive Measures

To identify potential misuse of Syncthing, the CERT-UA recommended monitoring interactions with the Syncthing infrastructure, specifically “*.syncthing.net” domains. Users are also requested to implement the following preventive measures for enhanced protection against Vermin hackers: Email Security: Implement robust email filtering and phishing protection to prevent malicious attachments from reaching end users. Endpoint Protection: Utilize advanced endpoint detection and response (EDR) solutions to detect and block malware execution. Network Monitoring: Monitor network traffic for unusual peer-to-peer connections, particularly involving Syncthing infrastructure. User Awareness: Conduct regular cybersecurity training for employees to recognize and report phishing attempts.