Vermin (UAC-0020) Hacking Collective Hits Ukrainian Government and Military with SPECTR Malware

Author
Recent Posts

Andrii Bezverkhyi

CEO & co-founder at SOC Prime

Latest posts by Andrii Bezverkhyi (see all)

Instant Threat Hunting Success with Detection as Code On-Demand - 03.05.2022
Metasploit Meterpreter Malware Detection: New Phishing Cyber-Attack on Ukrainian Government Entities Linked to UAC-0098 and TrickBot Groups - 29.04.2022
Detect GraphSteel and GrimPlant Malware Delivered by UAC-0056 Group: CERT-UA Warns of Phishing Attacks Related to COVID-19 - 27.04.2022

WRITTEN BY

Andrii Bezverkhyi

[post-views]

March 21, 2022 · 4 min read

Table of contents:

This article covers the original investigation by CERT-UA: https://cert.gov.ua/article/37815.

On March 17, 2022, the government emergency response team of Ukraine CERT-UA revealed that the Ukrainian government infrastructure was hit by a massive spear-phishing campaign aimed at SPECTR malware delivery. The campaign was launched by Vermin (UAC-0020) hacking collective associated with the so-called Luhansk People’s Republic (LPR), an unrecognized quasi-state located in the Donbas region of eastern Ukraine. Vermin cybercriminals are believed to be acting on behalf of the Moscow government and being an operational unit of the Russian cyber warfare against Ukraine.

Vermin (UAC-0020): CERT-UA Research

According to the alert by CERT-UA, the LPR-affiliated Vermin collective (UAC-0020) disseminates malicious emails with the subject “supply” among the state bodies of Ukraine.

Such emails come with a password-protected RAR archive, dubbed “ДВТПРОВТ.rar,” which contains two malicious files. The files are “4222 ВП МОУ на лист ДВТПРОВТ від 09.03.22 403-5-1324.rtf.lnk” LNK-file and “4222 ВП МОУ на лист ДВТПРОВТ від 09.03.22 403-5-1324.rtf” EXE file. In case users open the LNK-file, the corresponding EXE-file is executed on the targeted system.

As a result of a cyber-attack, the compromised computer is exposed to harmful modular software dubbed SPECTR, which applies a set of malicious components SPECTR.Usb, SPECTR.Shell, SPECTR.Fs, SPECTR.Info, and SPECTR.Archiver to spread the infection further.

Notably, UA-CERT reports that the most recent Vermin attack leverages the same malicious infrastructure that was used by the threat group in July 2019. Moreover, the command-and-control (C&C) server equipment has been maintained by the Luhansk provider vServerCo (AS58271) for quite a long period.

Graphics provided by CERT-UA to illustrate the latest Vermin (UAC-0020) attack against Ukrainian state bodies

Global Indicators of Compromise (IOCs)

Files

baf502b4b823b6806cc91e2c1dd07613    ДВТПРОВТ.rar
993415425b61183dd3f900d9b81ac57f    4222 ВП МОУ на лист ДВТПРОВТ від 09.03.22 403-5-1324.rtf
1c2c41a5a5f89eccafea6e34183d5db9    4222 ВП МОУ на лист ДВТПРОВТ від 09.03.22 403-5-1324.rtf.lnk
d34dbbd28775b2c3a0b55d86d418f293    data.out
67274bdd5c9537affbd51567f4ba8d5f    license.dat (2022-02-25) (SPECTR.Installer)
75e1ce42e0892ed04a43e3b68afdbc07    conhost.exe
e08d7c4daa45beca5079870251e50236    PluginExec.exe (SPECTR.PluginLoader)
adebdc32ef35209fb142d44050928083    Spectator2.exe (SPECTR.Spectator2)
3ed8263abe009c19c4af8706d52060f8    Archiver.dll (2021-04-09) (SPECTR.Archiver)
f0197bbb56465b5e2f1f17876c0da5ba    ClientInfo.dll (SPECTR.Info)
d0632ef34514bbb0f675c59e6ecca717    FileSystem.dll (2021-04-09) (SPECTR.Fs)
00a54a6496734d87dab6685aa90588f8    FileTransfer.dll (2021-04-09) (SPECTR.Ft)
5db4313b8dbb9204f8f98f2c129fd734    Manager.dll (SPECTR.Mgr)
32343f2a6b8ac9b6587e2e07989362ab    Shell.dll (2021-04-09) (SPECTR.Shell)
ecc7bb2e4672b958bd82fe9ec9cfab14    Usb.dll (SPECTR.Usb)

Network Indicators

hxxp://176[.]119.2.212/web/t/data.out
hxxp://getmod[.]host/DSGb3Y3X
hxxp://getmod[.]host/ThlAHy3S
hxxp://getmod[.]host/OcthdaLm
getmod[.]host (2019-07-12)
syncapp[.]host (2019-07-12)
netbin[.]host (2019-07-12)
stormpredictor[.]host
meteolink[.]host
176[.]119.2.212
176[.]119.2.214
176[.]119.5.194
176[.]119.5.195
AS58271

Host Indicators

HKCU\Software\Google\Chrome\NativeMessagingHosts\com.microsoft.browsersec\EncodedProfile
HKCU\Software\Google\Chrome\NativeMessagingHosts\com.microsoft.browsercli\EncodedProfile
%APPDATA%\Microsoft\ExcelCnv\1033\license.dat
%APPDATA%\Microsoft\ExcelCnv\1033\conhost.exe
ESET_OPINIONS (network variable)
MSO (network variable)
MS Office Add-In Install Task (sheduled task)

To get actionable threat intelligence based on IOCs above, please refer to this Anomali ThreatStream link: https://ui.threatstream.com/tip/3754010.

Sigma Rules to Detect the Latest Vermin (UAC-0020) Attack Against Ukraine

To protect your organization’s infrastructure against massive spear-phishing attacks and SPECTR malware infections linked to the malicious activity of Vermin (UAC-0020) threat actors, SOC Prime has released dedicated Sigma-based rules available in our Detection as Code platform. All detection content associated with the activity of these threat actors is tagged accordingly with #UAC-0020:

Full list of Sigma-based rules to detect the latest Vermin group’s activity

SOC Prime platform offers a batch of IOC-based Sigma rules to detect the Vermin attack available for registry event, file event, image load, and other log sources. Also, the list of detections includes a set of Sigma behavior-based rules to boost your threat hunting capabilities and gain more insights into adversary behavior patterns.

MITRE ATT&CK® Context

To gain more insights into the context surrounding the latest spear-phishing campaign launched by Vermin hacking collective, all above mentioned Sigma-based detections are aligned with the MITRE ATT&CK framework addressing the following tactics and techniques:

Tactics	Techniques	Sigma Rules
Defense Evasion	Hijack Execution Flow (T1574)	Environment Path Changes (via registry_event)
	Modify Registry (T1112)	UAC-0020 (Vermin) APT campaign activity targeting Ukrainian governmental institutions using SPECTR (via registry_event)
	Process Injection (T1055)	UAC-0020 (Vermin) APT campaign activity targeting Ukrainian governmental institutions using SPECTR (via image_load)
Execution	User Execution (T1204)	UAC-0020 (Vermin) APT campaign activity targeting Ukrainian governmental institutions using SPECTR [behaviour] (via process_creation) UAC-0020 (Vermin) APT campaign activity targeting Ukrainian governmental institutions using SPECTR (via process_creation)
	Scheduled Task/Job (T1053)	UAC-0020 (Vermin) APT campaign activity targeting Ukrainian governmental institutions using SPECTR (via audit)
Initial Access	Phishing (T1566)	Archive Extraction Directly from Mail Client (via cmdline) Possible Malicious LNK File with Double Extension (via cmdline) UAC-0020 (Vermin) APT campaign activity targeting Ukrainian governmental institutions using SPECTR (via file_event)
Command and Control	Web Service (T1102)	UAC-0020 (Vermin) APT campaign activity targeting Ukrainian governmental institutions using SPECTR (via firewall) UAC-0020 (Vermin) APT campaign activity targeting Ukrainian governmental institutions using SPECTR (via proxy) UAC-0020 (Vermin) APT campaign activity targeting Ukrainian governmental institutions using SPECTR (via dns)

Download JSON file for ATT&CK Navigator

The versions applicable for the file above are as follows:

MITRE ATT&CK v10
ATT&CK Navigator version: 4.5.5
Layer File Format: 4.3

Was this article helpful?

Like and share it with your peers.

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free Book a Meeting

Forest Blizzard (aka Fancy Bear or APT28)

Blog, Latest Threats — 4 min read

Forest Blizzard aka Fancy Bear Attack Detection: russian-backed Hackers Apply a Custom GooseEgg Tool to Exploit CVE-2022-38028 in Attacks Against Ukraine, Western Europe, and North America

Veronika Telychko

Blog, Latest Threats — 5 min read

UAC-0133 (Sandworm) Attack Detection: russia-Linked Hackers Aim to Cripple the Information and Communication Systems of 20 Critical Infrastructure Organizations Across Ukraine

Veronika Telychko

Blog, Latest Threats — 3 min read

UAC-0149 Attacks Ukrainian Defense Forces Using Signal, CVE-2023-38831 Exploits, and COOKBOX Malware

Daryna Olyniychuk

Name	Descripiton
PHPSESSID	Preserves user session state across page requests. Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.
sp_i	Used to store information about authenticated User.
sp_r	Used to store information about authenticated User.
sp_a	Used to store information about authenticated User.

Name	Descripiton
tuuid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
tuuid_last_update	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
um	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
umeh	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
na_sc_x	Used by the social sharing platform AddThis to keep a record of parts of the site that has been visited in order to recommend other parts of the site.
APID	Collects anonymous data related to the user's visits to the website.
IDSYNC	Collects anonymous data related to the user's visits to the website.
_cc_aud	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_cc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_dc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_id	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
dpm	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
acs	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
clid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
KRTBCOOKIE_#	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PUBMDCID	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PugT	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
ssi	Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.
_tmid	Registers a unique ID that identifies the user's device upon return visits. The ID is used to target ads in video clips.
wam-sync	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
wui	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
AFFICHE_W	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
B	Collects anonymous data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The registered data is used to categorise the users' interest and demographical profiles with the purpose of customising the website content depending on the visitor.
1P_JAR	These cookies are used to gather website statistics, and track conversion rates.
APISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
HSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
NID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SAPISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SIDCC	Security cookie to protect users data from unauthorised access.
SSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
__utmx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.
__utmxx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.

Name	Descripiton
_hjid	Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInSample	This cookie is associated with web analytics functionality and services from Hot Jar, a Malta based company. It uniquely identifies a visitor during a single browser session and indicates they are included in an audience sample.
intercom-id-[xxx]	This cookie is used by Intercom as a session so that users can continue a chat as they move through the site.
intercom-session-[xxx]	Used to keeping track of sessions and remember logins and conversations.
demdex	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
CookieConsent	Stores the user's cookie consent state for the current domain.
__cfduid	Used by the content network, Cloudflare, to identify trusted web traffic.
ss	These cookies enable the website to provide enhanced functionality and personalisation . They may be set by us or by third party providers whose services we have added to our pages. These services may include the Live Chat facility, Contact Us form(s), the Product Quotation forms and submission process, and the Email Newsletter sign up functionality .

Name	Descripiton
_ga	This cookie name is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page. Registers a unique ID that is used to generate statistical data on how the visitor uses the website. request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.
_gat	Used by Google Analytics to throttle request rate. This cookie name is associated with Google Universal Analytics, according to documentation it is used to throttle the request rate - limiting the collection of data on high traffic sites. It expires after 10 minutes.
_gid	This cookie name is asssociated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited. Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
IDE	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
r/collect	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
test_cookie	Used to check if the user's browser supports cookies.
collect	Used to send data to Google Analytics about the visitor's device and behaviour. Tracks the visitor across devices and marketing channels.
ads/user-lists/#	These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.
c	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
khaos	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
put_#	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpb	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpx	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
tap.php	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.

Vermin (UAC-0020) Hacking Collective Hits Ukrainian Government and Military with SPECTR Malware

WRITTEN BY

Vermin (UAC-0020): CERT-UA Research

Global Indicators of Compromise (IOCs)

Files

Network Indicators

Host Indicators

Sigma Rules to Detect the Latest Vermin (UAC-0020) Attack Against Ukraine

MITRE ATT&CK® Context

Table of Contents

Was this article helpful?

Related Posts

Vermin (UAC-0020) Hacking Collective Hits Ukrainian Government and Military with SPECTR Malware

WRITTEN BY

Vermin (UAC-0020): CERT-UA Research

Global Indicators of Compromise (IOCs)

Files

Network Indicators

Host Indicators

Sigma Rules to Detect the Latest Vermin (UAC-0020) Attack Against Ukraine

MITRE ATT&CK® Context

#ez_toc_widget_sticky-2 .ez-toc-widget-sticky-container ul.ez-toc-widget-sticky-list li.active{ background-color: #ededed; } Table of Contents

Was this article helpful?

Related Posts

Table of Contents