Ukrainian military targeted by information theft campaign
Luhansk-based hackers known as Vermin have renewed a malicious cyber campaign after two years of inactivity.
Ukraine’s computer emergency response team, CERT-UA, has released details of a renewed information theft campaign targeting the country’s armed forces.
According to CERT-UA, the threat actor is a group known as Vermin, or UAC-0020, led by members of “law enforcement agencies” in Luhansk, which is currently occupied by the Russian military.
Vermin, which had not been observed since 2022, is currently deploying a malware strain known as Spectr through a phishing campaign.
An initial email is sent to the victim containing a decoy PDF along with a modified copy of the legitimate SyncThing peer-to-peer synchronization application, delivered in a password-protected archive. The SyncThing executable has been modified so that its directory names are changed and it displays no alerts.
Spectr malware contains several components that steal data from web browsers, from messaging apps such as Telegram and Signal, and from a wide range of file types. It also takes a screenshot every 10 seconds when the active window belongs to Word, Excel, Office, or other widely used applications.
CERT-UA has called the campaign SyncThing and considers the entire operation “not that successful.”
The Luhansk People’s Republic was declared in 2014, when pro-Russian forces formed a breakaway state; it was later annexed by Russia in 2022.