UAC-0020 (Vermin, SickSync) – Threat Actor

Overview

Ukraine Public Administration

Attack vectors

Phishing

How they work

The Vermin hacking group, also known as UAC-0020, has been a persistent and formidable threat in the cyber warfare landscape, particularly against Ukraine. First identified in 2019, Vermin has consistently targeted Ukrainian government bodies, military organizations, and public sector entities, playing a significant role in Russia’s cyber offensive operations. The group is believed to be linked to the self-proclaimed Luhansk People’s Republic, operating under the direction of the Moscow government. Vermin’s operations are characterized by sophisticated malware campaigns, strategic use of legitimate software tools for malicious purposes, and a focus on intelligence gathering and data exfiltration. One of the most notable aspects of Vermin’s operations is their use of the SPECTR malware, a tool that has been a cornerstone of their toolkit since their early campaigns. SPECTR is a versatile and potent malware capable of conducting a wide range of malicious activities, from stealing files and credentials to capturing screenshots and executing additional payloads. Vermin has leveraged this malware in multiple spear-phishing campaigns, often targeting high-profile Ukrainian entities. These campaigns typically begin with a well-crafted phishing email containing a password-protected archive, which, when executed, deploys SPECTR alongside other legitimate software components to evade detection. In addition to SPECTR, Vermin has also utilized the SyncThing utility, a legitimate tool designed for peer-to-peer file synchronization, as part of their data exfiltration strategy. By integrating SyncThing with their malware, Vermin can establish a covert channel to siphon off sensitive data from compromised systems. This tactic not only allows the group to efficiently steal large volumes of data but also helps them remain under the radar by blending their activities with legitimate network traffic. The use of such dual-purpose tools highlights Vermin’s ability to adapt and evolve, making them a challenging adversary for cybersecurity defenders. The resurgence of Vermin in recent years, particularly with their SickSync campaign targeting the Armed Forces of Ukraine, underscores the ongoing threat posed by this group. Their operations are not just limited to data theft; they are part of a broader cyber warfare strategy aimed at weakening Ukraine’s defense and governance structures. The sophistication of Vermin’s techniques, combined with their strategic alignment with Russian state objectives, makes them a significant player in the geopolitical cyber conflict. As the cyber landscape continues to evolve, so too will the tactics and tools employed by Vermin, necessitating constant vigilance and advanced cybersecurity measures to counter their threats.

MITRE Tactics and Techniques

Initial Access: T1566.001 – Spearphishing Attachment: Vermin uses spear-phishing emails with malicious attachments to gain initial access to targeted systems. These emails often contain password-protected archives that deploy the SPECTR malware upon execution. Execution: T1204.002 – User Execution: Malicious File: The group relies on user interaction to execute malicious files, often disguised as legitimate documents or applications. T1059.005 – Command and Scripting Interpreter: Visual Basic: Vermin utilizes scripting, particularly Visual Basic, to automate tasks and execute additional payloads. T1059.001 – Command and Scripting Interpreter: PowerShell: In some campaigns, Vermin has been known to leverage PowerShell for script execution to achieve persistence or further exploit systems. Persistence: T1053.005 – Scheduled Task/Job: Scheduled Task: To maintain access to compromised systems, Vermin may create scheduled tasks that execute malware at regular intervals. Privilege Escalation: T1055 – Process Injection: Vermin employs techniques to inject malicious code into legitimate processes, which can help escalate privileges or evade detection. Defense Evasion: T1562.001 – Impair Defenses: Disable or Modify Tools: Vermin is known to modify or disable security tools and features to avoid detection. T1070.004 – Indicator Removal on Host: File Deletion: The group often deletes logs and other artifacts to cover their tracks on compromised systems. Credential Access: T1003 – OS Credential Dumping: Vermin uses tools and techniques to extract credentials from compromised systems, aiding in lateral movement or further exploitation. Discovery: T1083 – File and Directory Discovery: The group searches for files and directories of interest on the targeted system, particularly those containing sensitive information. Collection: T1005 – Data from Local System: Vermin collects data from the local system, including documents, credentials, and other sensitive information. T1119 – Automated Collection: They automate the collection process, particularly through tools like SPECTR that harvest information continuously. Exfiltration: T1020 – Automated Exfiltration: Vermin uses the SyncThing utility to exfiltrate collected data to their own systems, leveraging legitimate software for stealthy data transfer. T1048 – Exfiltration Over Alternative Protocol: They may also exfiltrate data using non-standard protocols to avoid detection by traditional security measures. Command and Control (C2): T1071 – Application Layer Protocol: Vermin uses standard application layer protocols, including HTTP/HTTPS, to communicate with their command and control servers.

References:

• UAC-0020 aka Vermin Attack Detection: SickSync Campaign Using SPECTR Malware and SyncThing Utility to Target the Armed Forces of Ukraine
• UAC-0020 (Vermin) attacks the Defense Forces of Ukraine using the SPECTR SPZ in tandem with the legitimate SyncThing (“SickSync” campaign) (CERT-UA#9934)
• Vermin (UAC-0020) Hacking Collective Hits Ukrainian Government and Military with SPECTR Malware