{
  "name": "Targets Ukraine's Defense Forces using SPECTR malware alongside legitimate SyncThing",
  "slug": "targets-ukraines-defense-forces-using-spectr-malware-alongside-legitimate-syncthing",
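  "description": "The report describes a cyber attack campaign by the UAC-0020 (Vermin) threat group targeting Ukraine's Defense Forces. The attackers utilized the SPECTR malware in tandem with the legitimate SyncThing software to exfiltrate sensitive data. The malicious payload was delivered via a password-protected archive containing a decoy PDF and an installer that deployed both SyncThing's legitimate components and SPECTR's malicious modules. SPECTR's capabilities included screen capture, file theft, password exfiltration, and the ability to steal data from messaging apps and browsers. The stolen data was covertly synced to the attackers' infrastructure by leveraging SyncThing's P2P functionality. Note for consumers of this record: the observables list contains 64-hex-character file hashes (SHA-256 length) plus one email address on the mil.gov.ua domain, which appears to be a defender reporting contact rather than an attacker-controlled indicator and should be confirmed against the referenced CERT-UA article before it is used in blocking or alerting rules. Because SyncThing is legitimate software, its presence alone does not indicate compromise; the relevant signal is an unexpected SyncThing installation or synchronization traffic on hosts where it is not sanctioned.",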
  "published": "2024-06-07T06:33:27+00:00",
  "created_at": "2024-06-07T06:33:27+00:00",
  "modified_at": "2024-06-07T07:09:31+00:00",
  "created_at_opencti": "2024-06-07T06:33:27+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-06-07",
    "defense",
    "exfiltration",
    "spectr",
    "syncthing",
    "ukraine"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "csoc@post.mil.gov.ua"
      },
      {
        "id": "",
        "name": "fbd8883e659d8082fe8e1ee15de12e2b710fd4c92d8d72b2cf34befcdc5be7fb"
      },
      {
        "id": "",
        "name": "f8b696ae1011f6c5457eea1e215da81e85aef1b1a62c56dce3606e0512afdbb4"
      },
      {
        "id": "",
        "name": "c208408170c429af873849cecc4b7553598ba5a70fce7616e6adca66cfeb8d75"
      },
      {
        "id": "",
        "name": "c3ac906b3228c4c9ce3dd0e46b6c5b0bed4dacd61911dc006730a31f90f424c7"
      },
      {
        "id": "",
        "name": "db1e53f9b03363d595c9daf1eaafd1d851b5d984af9e4062204f18746b012d37"
      },
      {
        "id": "",
        "name": "bf895dca1ea67bf39a6bd87168af8d4fdfd6321d2f2d071295dbd4d25508eb68"
      },
      {
        "id": "",
        "name": "bef8cf172fd4535738e3aa06a9c303f93c83a4da0053aba4cbea986729d4620b"
      },
      {
        "id": "",
        "name": "bf62d5e034b4ce4fd122ab72fa388ea461fd6e5f317ad3274fe847a526c00282"
      },
      {
        "id": "",
        "name": "b4d4e2602cd6c5286be56b71a8659dff380eafd4bf65b61268b5d29a2bd6c52b"
      },
      {
        "id": "",
        "name": "b05c65897fc449760fa5867e436205313448007e904e02aa77c0733a21d15bb2"
      },
      {
        "id": "",
        "name": "b452b0043533625da67e687c6050e9475d1a83337fa2b64735fc9a248179df10"
      },
      {
        "id": "",
        "name": "9b3994f395309b0fb4db23e66d8de822b47cd9d4c9544bc48ed0e0fa082251b0"
      },
      {
        "id": "",
        "name": "8cccf28333d822da6b5d851ae4cb188fed6dd27a3046627c7a32850c9d959124"
      },
      {
        "id": "",
        "name": "9221c2f936159b8446d329249fb4c0f25be510f447383a0f13336ac7985668a3"
      },
      {
        "id": "",
        "name": "87f73bc1762913e46d4dad6464f92d0d3e3c785da4cc30a24460601a3ceed970"
      },
      {
        "id": "",
        "name": "892a45e8adc92eb281a8f4cdba824cd69134bcb8378977747998b87c5a7fdec8"
      },
      {
        "id": "",
        "name": "806db134f3b9db4a58dd8ff65498d2841f645ef7252857e57c46cd6680edcec7"
      },
      {
        "id": "",
        "name": "711100e90de58762aa121a5f4a5fc50f1efc05499f1ee63b6bc1e3d479eb4c69"
      },
      {
        "id": "",
        "name": "7198094549e30b8bff6865ce364e48dc324d92f2346dec9b0ce6664921c21888"
      },
      {
        "id": "",
        "name": "6a13b98c7dc82ea2a492c0022fd93fa97247912dfa8ad5f015fb4b50e6c05fbb"
      },
      {
        "id": "",
        "name": "5ef47edc207e404c57ac83e2b55fb0b7c1687d721f26fc7a5a6e5294b28a2f6f"
      },
      {
        "id": "",
        "name": "67571ad65881dd4feb309c22f8e508da40bbf4f573fd97c45265394ac5b06659"
      },
      {
        "id": "",
        "name": "4d3c48917973daaf7e31aeab167e4611c60feed29bae25303c0543824bef027c"
      },
      {
        "id": "",
        "name": "48adf2450c4ae087c1c4982a2a789d8f1b1e88b8d959fb26db273a76ef8b1888"
      },
      {
        "id": "",
        "name": "4c4db56997d9a44cfc5a03f3b401f96d6890a56cd32146c5605f159a97112df9"
      },
      {
        "id": "",
        "name": "456732417161a749541bbc4016c9334a01ff3b209c29bc3995f3589dccb80f31"
      },
      {
        "id": "",
        "name": "2b6622cc433aff6cb4bc582c7bc3bffc09e0fc6f0e1a97bab17485058bdcf3c9"
      },
      {
        "id": "",
        "name": "1cc0257d93b4d1c0b3bb5c923c2997f222d271591addbd2da0da019dbb5fe579"
      },
      {
        "id": "",
        "name": "29d9cc9a79750c6c1a3052317fb172b9d76a7044b94cd1da3be00ace748a9878"
      },
      {
        "id": "",
        "name": "117078cd63225cfed7cbe4bc4c2ffed6db4d4bd93bf353a87cc10fb05cc0151c"
      },
      {
        "id": "",
        "name": "0ad1cf00eed24ab07765d3670d1c8394b3d232f58bf939b69ada9e88c45b4b03"
      },
      {
        "id": "",
        "name": "0a43d77c67c0ff31660a19e69cdb26e55b5322cf63b51a97d4de0c4b48f78841"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:32777eefa86a7bce",
        "name": "SPECTR",
        "slug": "spectr"
      }
    ],
    "intrusion_sets": [
      {
        "id": "f34a4a87-2c35-4a8b-b7cb-987521ac4be4",
        "name": "UAC-0020 (Vermin)",
        "slug": "uac-0020-vermin"
      }
    ],
    "attack_patterns": [
      {
        "id": "0cad3bc9-06c8-4bb1-b85b-cdcb64605ead",
        "name": "T1025"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "232fbdfa-94c6-443d-b575-373e75b4f4c2",
        "name": "T1567"
      },
      {
        "id": "f4a450ef-8297-42e5-9e47-01162138baa2",
        "name": "T1115"
      },
      {
        "id": "5bab4974-1fc2-4144-b093-28ebcb8767dc",
        "name": "T1114"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "b9a3b4f8-b9c0-4ed8-bf5e-bf759b9804d6",
        "name": "T1564"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "31d29704-da1c-47ea-b93f-76d368813bdf",
        "name": "T1560"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "5d4ae945-eb29-4b3b-aa69-bc32dc769878",
        "name": "T1558"
      },
      {
        "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e",
        "name": "T1003"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Ukraine"
      },
      {
        "id": "",
        "name": "Defense"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://cert.gov.ua/article/6279600",
    "https://otx.alienvault.com/pulse/6662c5d7e8df8c4efb12935d"
  ]
}