The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a new alert regarding a phishing campaign linked to the threat actor UAC-0020, commonly known as Vermin. The campaign leverages emotionally charged content, specifically photos of alleged prisoners of war (PoWs) from the Kursk region, to entice recipients into clicking a malicious link. The link directs victims to a ZIP archive that contains a Microsoft Compiled HTML Help (CHM) file. Once opened, the file executes JavaScript code that triggers an obfuscated PowerShell script, initiating the malware infection process.
The attack installs two key components: the well-known spyware SPECTR and a newly identified malware strain called FIRMACHAGENT. SPECTR, which has been associated with Vermin since 2019, is a sophisticated tool designed to steal a wide range of sensitive information, including files, screenshots, credentials, and data from messaging apps such as Element, Signal, Skype, and Telegram. FIRMACHAGENT, on the other hand, plays a supporting role by retrieving the stolen data and transmitting it to a remote server controlled by the attackers.
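As an added illustration, not taken from the CERT-UA alert or from this article, the following Python script shows the kind of endpoint detection a defender would write for the chain described above: the Windows CHM viewer (hh.exe) launching PowerShell, with any -EncodedCommand payload decoded so the analyst can see what was run. The record fields (EventID, Image, ParentImage, CommandLine) follow Sysmon's process-creation (event 1) schema; the sample events and the harmless Write-Host payload are constructed here for the demonstration.

```python
import base64
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Process names treated as PowerShell hosts.
PS_NAMES = {"powershell.exe", "pwsh.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...),
# so match every prefix plus the common "-ec" alias. The payload is base64 text.
_ENC_PREFIXES = "|".join("encodedcommand"[:i] for i in range(1, 15))
ENCODED_FLAG = re.compile(
    rf"(?i)(?:^|\s)[-/](?:ec|{_ENC_PREFIXES})\s+([A-Za-z0-9+/=]{{16,}})"
)


def encode_powershell(command: str) -> str:
    """-EncodedCommand expects base64 of the UTF-16LE bytes of the command."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    severity: str
    reason: str
    event: dict
    decoded_command: Optional[str] = None


def evaluate(event: dict) -> Optional[Finding]:
    """Apply the lineage rules to one process-creation (Sysmon EventID 1) record."""
    if event.get("EventID") != 1:
        return None
    child = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    if child not in PS_NAMES:
        return None
    decoded = decode_encoded_command(event.get("CommandLine", ""))
    if parent == "hh.exe":
        return Finding("high", "hh.exe (CHM viewer) spawned PowerShell", event, decoded)
    if decoded is not None:
        return Finding("medium", "PowerShell started with an encoded command", event, decoded)
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run the rules over JSON-lines telemetry, skipping blank or malformed records."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, not allowed to crash the scanner
        finding = evaluate(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real CERT-UA data). The encoded payload is a
# harmless Write-Host so the decoder can be checked end to end.
SAMPLE_COMMAND = "Write-Host 'lab sample'"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe readme.txt"},
    {"EventID": 1, "Image": r"C:\Windows\hh.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\user\Downloads\photos.chm'},
    {"EventID": 1, "Image": _PS, "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": f'"{_PS}" -w hidden -enc {encode_powershell(SAMPLE_COMMAND)}'},
    {"EventID": 1, "Image": _PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f'"{_PS}" -NoProfile -ExecutionPolicy Bypass '
                    f'-EncodedCommand {encode_powershell(SAMPLE_COMMAND)}'},
    {"EventID": 1, "Image": _PS, "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": f'"{_PS}" -Command "Get-Date"'},
]
SAMPLE_LINES = [json.dumps(e) for e in _EVENTS] + ["not json at all", ""]


def demo_findings() -> List[Finding]:
    """Findings for the constructed sample: two hh.exe lineage hits and one encoded-command hit."""
    return scan(SAMPLE_LINES)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"[{f.severity}] {f.reason}: parent={basename(f.event['ParentImage'])} "
              f"decoded={f.decoded_command!r}")
```

The parent-child rule is deliberately narrow: hh.exe has no legitimate reason to start PowerShell, so the high-severity hit is low-noise, while the encoded-command rule on its own is only medium because administrators do use -EncodedCommand. In a real deployment the JSON lines would come from a Sysmon or EDR export rather than the constructed SAMPLE_LINES list.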
Vermin’s activities have raised significant concerns due to its suspected links to the security agencies of the Luhansk People’s Republic (LPR). The group has been involved in numerous cyberattacks targeting Ukrainian entities, particularly in the context of the ongoing conflict in the region. Earlier in June 2024, CERT-UA detailed another Vermin-led campaign known as SickSync, which also deployed SPECTR to target Ukrainian defense forces.
The latest phishing campaign underscores the continued evolution and persistence of Vermin’s tactics, techniques, and procedures (TTPs). CERT-UA’s alert serves as a critical reminder for organizations and individuals to remain vigilant, particularly when encountering unsolicited emails with sensitive or provocative content. Enhanced security measures and awareness are crucial in defending against such sophisticated cyber threats.