A new SickSync campaign exploits the SyncThing tool to steal data

June 11, 2024
Tags: SickSync Campaign, SyncThing Tool, SPECTR Malware, Cybercrime, Phishing

CERT-UA reveals a new campaign called SickSync, initiated by the notorious Vermin hacking organisation in attacks on Ukrainian defence forces.

Based on reports, this malicious organisation is linked to the Luhansk People’s Republic (LPR), which Russia has occupied almost entirely since October 2022. Moreover, most of this group’s hacking campaigns have served Russian objectives.

Researchers explained that the new cybercriminal operation combines the genuine file-syncing program SyncThing with malware known as SPECTR. The hacking group aims to steal sensitive information and intelligence data from military units.

The SickSync campaign starts with a phishing email that contains a malicious attachment.

Vermin’s SickSync campaign begins with a phishing email delivered to the recipient that contains a password-protected self-extracting RAR (SFX) archive called “turrel.fop.wolf.rar.”

Once the recipient executes the file, it extracts a PDF (“Wowchok.pdf”), an installer (“sync.exe”), and a BAT script (“run_user.bat”). The BAT script then executes sync.exe, which bundles SyncThing, the SPECTR malware, and the libraries they need.

SyncThing then establishes a peer-to-peer connection for data synchronisation, which the attackers use to pull documents and account credentials off the victim machine. The attackers also modified the legitimate utility, giving it new directory names and scheduled tasks and removing the component that displays a window while it is running, to avoid detection.

SPECTR is versatile malware with a wide range of intrusive features. Researchers confirmed that it uses the SpecMon component, which launches PluginLoader.dll to run DLLs that include the “IPlugin” class. In addition, it has a Screengrabber function that captures screenshots every 10 seconds when a specific program window is spotted.

The malware also uses FileGrabber, which leverages robocopy.exe to copy files from user directories such as Desktop, My Pictures, Downloads, OneDrive, and Dropbox. The malware’s USB module could also copy files from any detachable USB drive.

Furthermore, SPECTR also has a social module that is adept at obtaining authentication data from various messengers, including Telegram, Signal, Skype, and Element. Finally, the Browsers module focuses on acquiring data from Firefox, Edge, and Chrome, including authentication details, session information, and browser history.

Data taken by SPECTR is copied into subfolders in the ‘%APPDATA%\sync\Serve_Sync\’ directory and then synced to the threat actor’s system. The researchers believe that Vermin chose a legitimate tool for data exfiltration to evade detection by security products.

CERT-UA advises everyone that any interaction with SyncThing’s infrastructure should be considered a system breach. Hence, organisations that spot such activity should immediately launch an investigation to find and remove the infection.
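To turn the indicators in this report and CERT-UA’s advice about SyncThing infrastructure into a concrete check, the script below is an added example (not CERT-UA’s, Vermin’s or the Syncthing project’s code) that triages simple log records for two things: the file names and the %APPDATA%\sync\Serve_Sync\ staging directory named above, and contact with Syncthing’s public global-discovery and relay host names or its default ports (22000/tcp, 22000/udp for QUIC, 21027/udp for local discovery), which are real Syncthing defaults. The log format, the user name, the scheduled-task name “SyncUpdate” and the IP addresses in the sample are constructed for the example; the report does not name the attackers’ task or directory names.

```python
"""Triage helper for the SickSync / Syncthing-abuse pattern described by CERT-UA.

Added example, not code from CERT-UA or the Syncthing project. The record
format (timestamp, kind, payload) and every sample value are constructed.
"""
import re
from collections import Counter

# File names from the reported infection chain (matched case-insensitively).
FILE_INDICATORS = {"turrel.fop.wolf.rar", "wowchok.pdf", "sync.exe", "run_user.bat"}

# Staging directory from the report: %APPDATA%\sync\Serve_Sync\
# (%APPDATA% expands to ...\AppData\Roaming). Compared in lower case.
STAGING_DIR = "\\appdata\\roaming\\sync\\serve_sync\\"

# Syncthing's public global-discovery and relay-pool host names (real Syncthing
# infrastructure). Contact is only a finding where Syncthing is not sanctioned.
SYNCTHING_HOSTS = re.compile(r"(^|\.)(discovery(-v[46])?|relays)\.syncthing\.net$", re.I)

# Syncthing defaults: 22000/tcp and 22000/udp (QUIC) for sync, 21027/udp local discovery.
SYNCTHING_PORTS = {("tcp", 22000), ("udp", 22000), ("udp", 21027)}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>file|task|dns|conn)\s+(?P<payload>.*)$")
CONN_RE = re.compile(
    r"^(?P<src>\S+)\s*->\s*(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<proto>tcp|udp)$", re.I
)


def classify(line):
    """Return the indicator labels that one log record matches (empty if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    kind, payload = m.group("kind"), m.group("payload").strip()
    hits = []
    if kind in ("file", "task"):
        # For task records the command line follows "cmd="; for file records
        # the payload is the path itself.
        path = payload.split("cmd=", 1)[-1].strip().lower()
        name = path.rsplit("\\", 1)[-1]
        if name in FILE_INDICATORS:
            hits.append(f"{kind}:known-sicksync-file:{name}")
        if STAGING_DIR in path:
            hits.append(f"{kind}:serve_sync-staging-dir")
        if kind == "task" and "\\sync\\" in path:
            hits.append("task:scheduled-task-runs-from-sync-dir")
    elif kind == "dns":
        if SYNCTHING_HOSTS.search(payload):
            hits.append(f"dns:syncthing-infrastructure:{payload.lower()}")
    elif kind == "conn":
        c = CONN_RE.match(payload)
        if c and (c.group("proto").lower(), int(c.group("port"))) in SYNCTHING_PORTS:
            hits.append(
                f"conn:syncthing-default-port:{c.group('dst')}:{c.group('port')}/{c.group('proto').lower()}"
            )
    return hits


def triage(lines):
    """Return (flagged records with their hits, Counter of indicator families)."""
    flagged = []
    families = Counter()
    for line in lines:
        hits = classify(line)
        if hits:
            flagged.append((line.strip(), hits))
            for h in hits:
                families[h.split(":", 2)[1]] += 1
    return flagged, families


# Constructed sample records: five suspicious, two benign.
SAMPLE_LOG = """\
2024-06-11T08:02:13Z file C:\\Users\\olena\\Downloads\\turrel.fop.wolf.rar
2024-06-11T08:02:40Z task \\SyncUpdate cmd=C:\\Users\\olena\\AppData\\Roaming\\sync\\sync.exe
2024-06-11T08:03:01Z dns discovery-v4.syncthing.net
2024-06-11T08:03:04Z dns update.example-vendor.com
2024-06-11T08:03:05Z conn 10.0.0.5:51342 -> 203.0.113.7:22000 tcp
2024-06-11T08:03:06Z conn 10.0.0.5:51343 -> 203.0.113.9:443 tcp
2024-06-11T08:03:09Z file C:\\Users\\olena\\AppData\\Roaming\\sync\\Serve_Sync\\Desktop\\report.docx
""".splitlines()


if __name__ == "__main__":
    flagged, families = triage(SAMPLE_LOG)
    for record, hits in flagged:
        print(record)
        for h in hits:
            print("   ->", h)
    print("families:", dict(families))
```

On a real endpoint the file and task records would come from Sysmon, scheduled-task exports or an EDR export, and the dns and conn records from resolver or firewall logs. The host-name and port checks are the durable part: the report says the actor renames directories and tasks, so the file-name and staging-directory matches will miss a retooled sample, whereas a SyncThing peer still has to reach discovery or relay servers, or a peer on the default port, to sync. Treat a hit on either network check as a breach only where Syncthing is not an approved tool, as CERT-UA’s guidance assumes.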
