| SickSync Campaign | |
|---|---|
| Type of Threats | Malware Campaign |
| Malware Associated | SPECTR (Trojan) |
| Associated Groups | Vermin (UAC-0020) |
| Country of Origin | Russia |
| Targeted Countries | Ukraine |
| Date of Initial Activity | 2024 |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
| Type of Information Stolen | Browser Data |
Overview
On June 6, 2024, a new and sophisticated cyber threat emerged against the Armed Forces of Ukraine, identified as the “SickSync” campaign. This operation, attributed to the Vermin hacking group—also known as UAC-0020—represents a significant escalation in cyber espionage tactics, showcasing advanced methods and persistent efforts by adversaries. The SickSync campaign highlights the evolving nature of cyber threats and the need for heightened cybersecurity vigilance.
The SickSync campaign involves the use of the SPECTR malware, a persistent component of the Vermin group’s toolkit since 2019. This malware is now being deployed in conjunction with SyncThing, a legitimate peer-to-peer synchronization utility, to covertly exfiltrate sensitive data from targeted military systems. By leveraging SyncThing’s legitimate functionality, the attackers blend their malicious activities with normal operations, complicating detection efforts and increasing the campaign’s effectiveness.
The attack begins with a well-crafted phishing email containing a password-protected archive. This archive includes another layer of obfuscation through a RARSFX archive, which houses a decoy file alongside the malicious components: an executable file named “sync.exe” and a BAT file designed for initial execution. The “sync.exe” file merges legitimate SyncThing components with SPECTR malware, allowing the attackers to capture screenshots, steal files, and conduct data exfiltration operations. SyncThing’s peer-to-peer capabilities are misused to transfer stolen data to the attackers, illustrating a clever exploitation of a legitimate tool for nefarious purposes.
Targets
Public Administration
How they operate
The attack begins with a seemingly innocuous phishing email, which contains a password-protected archive attachment. This archive houses a secondary RARSFX archive with a decoy file labeled “Wowchok.pdf” and an executable file named “sync.exe.” The executable is crafted using the InnoSetup installer, and it is accompanied by a BAT file (“run_user.bat”) intended for initial execution. Once the user interacts with the malicious attachment, the “sync.exe” file is triggered. This file contains both legitimate SyncThing components and malicious SPECTR malware.
SyncThing, a tool designed for peer-to-peer file synchronization, is subverted in this attack. The malware modifies SyncThing’s legitimate functionality to serve its nefarious goals. By embedding harmful SPECTR components within the SyncThing software, the attackers leverage the utility’s synchronization capabilities to exfiltrate stolen data. Key SPECTR modules include SpecMon, which executes DLL files, and a suite of tools for capturing screenshots, collecting files from directories and USB drives, and stealing data from various messengers and web browsers. The stolen data is saved in a specific directory (%APPDATA%\sync\Slave_Sync) and then transferred to the attackers via SyncThing’s synchronization features.
The operation’s design reflects a high degree of sophistication. The attackers utilize a combination of legitimate software and advanced malware techniques to circumvent traditional security measures. The use of SyncThing for data exfiltration is particularly notable, as it disguises malicious activities within the framework of a commonly used application, thereby evading detection.
MITRE Tactics and Techniques
Initial Access
Spearphishing Attachment (T1566.001): The attackers use a phishing email with a password-protected archive to deliver the malware.
Execution from RAR Archive [WinRAR] (via process_creation): The archive includes an executable that is run to execute the malware.
Execution
Command and Scripting Interpreter: Visual Basic (T1059.005): The BAT file executed initially may use Visual Basic scripts to perform malicious actions.
User Execution: Malicious File (T1204.002): The execution of the malicious file by the user triggers the malware.
Possible Self-Extracting Archive was Executed (via file_event): Self-extracting archives are used to execute the malware.
Possible 7Zip/RAR Self-Extracting Archive was Executed (via cmdline): This technique refers to executing the archive through command line arguments.
Collection
Data From Local System (T1005): The malware collects data from the local system, including screenshots and files.
Suspicious Robocopy Execution (via cmdline): The malware uses Robocopy to copy files from specified directories and USB drives.
Exfiltration
Automated Exfiltration (T1020): The stolen data is automatically exfiltrated to the attacker’s infrastructure.
Exfiltration Over Alternative Protocol (T1048): SyncThing is misused for data exfiltration over its protocol, which is normally used for legitimate file synchronization.
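The chain described under "How they operate" and the detection names listed above (archive-spawned execution, robocopy into the SPECTR staging directory, writes under `%APPDATA%\sync\Slave_Sync`) translate into a small set of host-telemetry rules. The following is an added example written for this page; it is not code from the original write-up or from CERT-UA. It assumes Sysmon-style process-creation and file-event records flattened into dicts with the keys `event`, `image`, `parent_image`, `cmdline` and `target`; the rule names, the sample records, the `E:` USB drive letter and the technique mapping per rule are constructed for the example, while the file names (`sync.exe`, `run_user.bat`) and the staging path come from the page. The `Rar$` temporary-folder prefix is the one WinRAR uses when it extracts an archive before running a file from it.

```python
"""Triage of host telemetry for SickSync-style behaviour (added example; constructed data)."""
from dataclasses import dataclass

# Staging directory and dropper file names as given on the page (compared case-insensitively).
STAGING_DIR = r"\sync\slave_sync"
DROPPER_NAMES = {"sync.exe", "run_user.bat"}
# Locations a standard user can write to; a sync client starting here instead of
# Program Files deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7z.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str        # constructed rule name
    technique: str   # ATT&CK technique the page associates with this stage
    detail: str


def _norm(value):
    """Lower-case and unify path separators so rules can use plain substring checks."""
    return (value or "").lower().replace("/", "\\")


def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def rule_archive_child(rec):
    """Execution from an archive: the parent is an archiver, or the image runs from
    WinRAR's temporary extraction folder (Rar$... under %TEMP%)."""
    if rec.get("event") != "process_creation":
        return None
    image = _norm(rec.get("image"))
    if _basename(rec.get("parent_image")) in ARCHIVERS or "\\temp\\rar$" in image:
        return Finding("execution_from_archive", "T1204.002", image)
    return None


def rule_dropper_from_user_path(rec):
    """One of the page's dropper file names started from a user-writable location."""
    if rec.get("event") != "process_creation":
        return None
    image, cmdline = _norm(rec.get("image")), _norm(rec.get("cmdline"))
    names = {_basename(image)} | {_basename(tok.strip('"')) for tok in cmdline.split()}
    hit = names & DROPPER_NAMES
    if hit and any(d in image or d in cmdline for d in USER_WRITABLE):
        return Finding("dropper_from_user_path", "T1204.002", ",".join(sorted(hit)))
    return None


def rule_robocopy_to_staging(rec):
    """Robocopy whose command line names the SPECTR staging directory (collection, T1005)."""
    if rec.get("event") != "process_creation":
        return None
    cmdline = _norm(rec.get("cmdline"))
    if _basename(rec.get("image")) == "robocopy.exe" and STAGING_DIR in cmdline:
        return Finding("robocopy_to_staging", "T1005", cmdline)
    return None


def rule_staging_write(rec):
    """Any file created under the staging directory; SyncThing replicates it from there (T1020)."""
    if rec.get("event") != "file_event":
        return None
    target = _norm(rec.get("target"))
    if STAGING_DIR in target:
        return Finding("staging_dir_write", "T1020", target)
    return None


RULES = (rule_archive_child, rule_dropper_from_user_path, rule_robocopy_to_staging, rule_staging_write)


def triage(records):
    """Run every rule over every record and return all findings."""
    return [f for rec in records for rule in RULES if (f := rule(rec))]


def summarize(findings):
    """Count findings per rule; one host hitting several stages is the case worth escalating."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample telemetry: four records mirroring the described chain, two benign look-alikes.
SAMPLE_RECORDS = [
    {"event": "process_creation", "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\Rar$EXa1234.5678\docs.exe", "cmdline": "docs.exe"},
    {"event": "process_creation", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\u\AppData\Roaming\sync\sync.exe",
     "cmdline": r'"C:\Users\u\AppData\Roaming\sync\sync.exe" -no-browser'},
    {"event": "process_creation", "parent_image": r"C:\Users\u\AppData\Roaming\sync\sync.exe",
     "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy.exe E:\ C:\Users\u\AppData\Roaming\sync\Slave_Sync\usb /E"},
    {"event": "file_event", "image": r"C:\Users\u\AppData\Roaming\sync\sync.exe",
     "target": r"C:\Users\u\AppData\Roaming\sync\Slave_Sync\screen_001.png"},
    {"event": "process_creation", "parent_image": r"C:\Windows\explorer.exe",   # benign install
     "image": r"C:\Program Files\Syncthing\syncthing.exe", "cmdline": "syncthing.exe"},
    {"event": "process_creation", "parent_image": r"C:\Windows\System32\cmd.exe",  # benign backup
     "image": r"C:\Windows\System32\robocopy.exe", "cmdline": r"robocopy.exe D:\data \\fs01\backup /MIR"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f.rule, f.technique, f.detail)
    print(summarize(triage(SAMPLE_RECORDS)))
```

The rules are deliberately independent: a legitimately installed SyncThing or a routine robocopy backup trips none of them, while the described chain trips all four on one host, which is the signal to correlate rather than any single rule on its own.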