Unit 42 threat research team at Palo Alto Networks discovered a net espionage activity that has been going on for two years and is targeting Ukraine. Hackers mainly used two types of malware during the event: Quasar Rat and VERMIN.
Quasar RAT is an open source malware family, a remote access tool. Earlier they have been used in a number of attacks, including cybercrime and cyber espionage.
VERMIN is an emerging malware family relative to the Quasar RAT. It was written using the Microsoft .NET Framework, and most of it is the source code, which means it is by no means a branch of any malware family.
It collects keystrokes and clipboard data from infected systems, removes, uploads and downloads files renames files and folders, and captures audio and video.
VERMIN is distributed via an attachment to a phishing email, which is usually an SFX file (a self-extracting file) that contains a decoy document and looks like a formal order from the Ministry of Defense of Ukraine. Malware is infected when the victim is on.
The researchers also found that VERMIN also rarely used the Simple Object Access Protocol (SOAP) for HTTP encapsulation, an XML-based protocol for exchanging structured information for command and control (C2) Software samples are uncommon.
After further investigation, the researchers quickly uncovered more Vermin samples and unveiled a larger network of command and control (C2) infrastructures.
Many samples did not even choose to use bait files. Instead, they contain only the payload and an icon disguised as a document viewer (such as Microsoft Word).
After initial execution, Vermin checks whether the victim’s system is configured with Russian as the input language for the installation. If not set to Russian, Vermin will perform API calls and decrypt embedded resources containing the main code for communication and remote control functions. This virtually revealed that hackers seem to want to exclude those who use Russian but will not attack them.
Depending on the actual variable name used by Vermin, it gathers the following information: device name, username, operating system version, architecture (32-bit and 64-bit), local IP address, and whether anti-virus software is running. Vermin do not install keyloggers if antivirus software is detected.
Palo Alto Networks said they were unable to pinpoint the hacker’s specific goals or what data was stolen. However, from the thematic orientation of bait files and the situation of the victims, Vermin does appear to be used to launch targeted attacks on Ukraine.
