The Computer Emergency Response Team of Ukraine (CERT-UA) has reported on a new campaign called “SickSync”, launched by the UAC-0020 (WARMAN) hacking group in attacks against the Defense Forces of Ukraine.

The threat group is related to the territory of the Luhansk People’s Republic (LPR), which Russia has almost completely occupied since October 2022. Hacker activities are usually aligned with Russia’s interests.

The attack uses legitimate file synchronization software SyncThing in conjunction with malware called SPECTR.

Varman’s ostensible purpose is to steal sensitive information from military organizations.

Details of the attack

The attack begins with a phishing email sent to the target, containing a password-protected RARSFX archive named “turrel.fop.wolf.rar”.

Emails sent to targets.
Source: CERT-UA

Upon launching the file, it extracts a PDF (“Wowchok.pdf”), an installer (“sync.exe”) and a BAT script (“run_user.bat”). BAT runs sync.exe, which contains the SyncThing and SPECTR malware, along with required libraries.

The contents of the RAR archive
Source: CERT-UA

SyncThing establishes a peer-to-peer connection for data synchronization, which is used to steal documents and account passwords.

The legitimate tool has been replaced with new directory names and default tasks to avoid detection, while the component that displays when the window is activated has been removed.

SPECTR is a modular malware with the following capabilities:

  • SpecMon: Calls PluginLoader.dll to run DLLs containing the “IPlugin” class.
  • Screengrabber: Takes screenshots every 10 seconds when the specified program windows is detected.
  • File Grabber: Uses robocopy.exe to copy from user directories such as Desktop, MyPictures, Downloads, OneDrive, and DropBox.
  • USB: Copies files from removable USB media.
  • social: Steals authentication data from various messengers such as Telegram, Signal, Skype, and Element.
  • Browsers: Steals data from browsers including Firefox, Edge, and Chrome, focusing on authentication data, session information, and browsing history.

Data stolen by SPECTR is copied to subfolders within the ‘%APPDATA%\sync\Serve_Sync\’ directory and later transferred to the threat actor’s system via sync.

Two components deployed by Varman
Source: CERT-UA

CERT-UA Worman is believed to have decided to use a legitimate data exfiltration tool to reduce the chances of security systems identifying network traffic as suspicious.

The Cybersecurity Agency notes that any interaction with SyncThing’s infrastructure (for example, * could compromise a system and trigger an investigation to detect and root the infection. Should be enough.

Source link