CERT-UA Reports SickSync Campaign: Data Theft Crucial Alert

Wajahat Raja

June 19, 2024 - TuxCare expert team

Recently, the Computer Emergency Response Team of Ukraine cybersecurity (CERT-UA) issued a warning regarding a targeted cyber espionage campaign named SickSync, orchestrated by a group identified as UAC-0020 or Vermin. The CERT-UA SickSync campaign, using a malware called SPECTR, has been specifically aimed at Ukrainian defense forces.

The Origins of SickSync Campaign

SickSync campaign marks the resurgence of Vermin, a threat actor reportedly affiliated with the security agencies of the Luhansk People’s Republic (LPR). LPR, recognized by Russia as a sovereign state, has been involved in previous cyber activities targeting Ukrainian entities.

Modus Operandi: How SickSync Operates

The SPECTR malware, traced back to at least 2019, functions as an information stealer. It infiltrates systems through spear-phishing emails containing a password-protected RAR archive named “turrel.fop.vovchok.rar”. Inside this archive, disguised as a PDF file, lies a trojanized version of the SyncThing application embedded with the SPECTR payload. A batch script within the archive activates this malicious software upon execution.

Exploiting SickSync Data Theft

SPECTR leverages the legitimate SyncThing software’s synchronization capabilities to exfiltrate stolen data from infected computers. This supply chain attack SickSync establishes a peer-to-peer connection, facilitating the transmission of sensitive information including documents, passwords, and other credentials to remote servers controlled by the attackers.

Extensive Data Collection Capabilities

Once installed, SPECTR operates stealthily by capturing screenshots every 10 seconds, harvesting files, extracting data from removable USB drives, and stealing credentials from various applications such as Element, Signal, Skype, and Telegram. These activities enable comprehensive espionage, compromising both personal and organizational security.

Vermin’s Previous Activities and Tools

Vermin, known for its persistent cyber operations against Ukrainian government institutions, has a history dating back to 2015. Initially identified as a .NET SickSync remote access trojan, it has evolved to employ sophisticated tactics, including phishing campaigns and the deployment of malware like SPECTR.

Cyber Attack Detection

CERT-UA has observed a concerning trend where threat actors exploit popular messaging platforms such as Signal to distribute remote access trojans like DarkCrystal RAT. These tactics leverage social engineering to trick users into executing malicious files, highlighting the evolving sophistication of cybersecurity threats targeting Ukraine.

Data Breach Response

In addition to SickSync, recent reports have surfaced regarding another cyber campaign orchestrated by Belarusian state-sponsored hackers dubbed GhostWriter. This campaign utilizes booby-trapped Microsoft Excel documents to infiltrate Ukrainian Ministry of Defense systems, potentially deploying malware like Agent Tesla and Cobalt Strike. Effective malware prevention is essential for maintaining cybersecurity hygiene and protecting sensitive data.

Conclusion

The emergence of SickSync underscores the ongoing cybersecurity challenges faced by Ukraine, particularly from state-sponsored threat actors. As cyber espionage evolves with advanced tactics and targeted methodologies, vigilance and enhanced security measures remain critical.

Organizations must prioritize cybersecurity awareness, robust defense mechanisms, and timely updates to mitigate SickSync attack as well as other risks posed by such sophisticated threats. In summary, SickSync serves as a stark reminder of the persistent cyber threats faced by Ukraine’s defense forces and underscores the critical importance of cybersecurity readiness in protecting sensitive data.

The sources for this piece include articles in The Hacker News and Security Affairs.

Summary