CERT-UA warns of new Vermin-related phishing attacks using PoW Bait

August 21, 2024 | Ravie Lakshmanan | Cyber Warfare / Threat Intelligence

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of new phishing attacks that aim to infect devices with malware.

The activity has been attributed to a threat cluster it tracks as UAC-0020, also known as Vermin. The exact size and scope of the attacks are currently unknown.

The attack chain begins with phishing messages containing photos of alleged prisoners of war from the Kursk region. Recipients are asked to click on a link that leads to a ZIP archive.

The ZIP file contains a Microsoft Compiled HTML Help (CHM) file with embedded JavaScript code responsible for launching a hidden PowerShell script.
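
For triage of a downloaded archive like the one described above, the following added example (not from CERT-UA or the original article) lists ZIP members that are CHM files by extension or by the `ITSF` file signature, so a CHM renamed to look like an image is still caught. The sample archive and its member names are constructed for illustration.

```python
import io
import zipfile

CHM_MAGIC = b"ITSF"  # first four bytes of a Compiled HTML Help file

def find_chm_members(zip_bytes, max_members=1000):
    """Return [(member_name, reason)] for ZIP entries that look like CHM files."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir():
                continue
            reasons = []
            if info.filename.lower().endswith(".chm"):
                reasons.append("extension")
            if info.flag_bits & 0x1:
                # Encrypted member: the header cannot be read without a password.
                reasons.append("encrypted")
            else:
                with zf.open(info) as fh:
                    # Read only the signature; never decompress the whole member.
                    if fh.read(4) == CHM_MAGIC:
                        reasons.append("magic")
            if reasons and reasons != ["encrypted"]:
                hits.append((info.filename, "+".join(reasons)))
    return hits

def build_sample_zip():
    """Constructed test archive: one CHM, one real JPEG header, one renamed CHM."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photos/list.chm", CHM_MAGIC + b"\x00" * 64)
        zf.writestr("photos/img001.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        zf.writestr("photos/scan.jpg", CHM_MAGIC + b"\x00" * 64)
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in find_chm_members(build_sample_zip()):
        print(f"{name}: CHM detected by {reason}")
```

A mail gateway or download proxy hook can call `find_chm_members` on each ZIP and quarantine any archive with a non-empty result.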

“Opening the file installs components of the well-known spyware SPECTR, as well as the new malware called FIRMACHAGENT,” CERT-UA said. “The purpose of FIRMACHAGENT is to retrieve the data stolen by SPECTR and send it to a remote management server.”

SPECTR is a well-known malware that has been linked to Vermin since 2019. The group is believed to be associated with the security services of the Luhansk People’s Republic (LPR).

Earlier this June, CERT-UA described another campaign orchestrated by Vermin actors, called SickSync, which targeted the country’s military forces using SPECTR.

SPECTR is a full-featured tool designed to collect a wide range of information including files, screenshots, login credentials, and data from various instant messaging apps such as Element, Signal, Skype, and Telegram.