Ukraine has seen a fair share of cyber attacks in the last few years, so it comes as no surprise that three new strains of .NET malware have recently been found aiding cyber attackers. The malware is known by the names Quasar, Sobaken, and Vermin, and it has been around since at least the end of 2015. The first variant, Quasar, was followed by Vermin and Sobaken in mid-2016. A research report by WeLiveSecurity has revealed that the infection is specifically targeted at the Ukrainian government, and that it uses checks which keep it from running on systems outside its intended targets. You can learn more about this and the activity of this dangerous malware if you continue reading the report.
How are Quasar, Sobaken, and Vermin spread?
Spam is the main instrument in the distribution of this malware. Samples obtained by malware researchers have shown that at least three different methods are employed. In the first method, the misleading spam email contains an attachment whose real extension is obscured using the Unicode right-to-left override character. The icons of the files are replaced with the ones we usually associate with Microsoft Word or Acrobat Reader documents. This is meant to trick the target into thinking that the file is harmless, when, in fact, it is a disguised malware executable. Spam emails can also carry self-extracting RAR archives that contain the malicious executable. Finally, the creators of the malware have been found to use Word documents that silently request HTA files containing the malicious script; an .exe file then executes this script. This is made possible by exploiting a known vulnerability (CVE-2017-0199) that Microsoft patched more than a year ago. Needless to say, it is the user’s responsibility to install the necessary security updates.
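The right-to-left override trick above is easy to screen for at the mail gateway or in an attachment sandbox. The following is an added example (not code from the WeLiveSecurity report or from the malware) that flags attachment names containing Unicode bidirectional controls, reconstructs roughly what a file manager would display, and compares the displayed extension with the real one. The filenames and the list of executable extensions are constructed for the example; the rendering is an approximation of how U+202E affects display, not a full Unicode bidi implementation.

```python
import os

# Unicode bidirectional override/embedding/isolate controls; any of these in a
# filename is unusual and U+202E (right-to-left override) is the classic trick.
BIDI_CONTROLS = frozenset("\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069")

# Extensions that Windows will execute directly (constructed list for the example).
EXECUTABLE_EXTS = frozenset({".exe", ".scr", ".com", ".pif", ".hta", ".js", ".vbs", ".bat", ".cmd"})


def strip_controls(text):
    """Remove bidi control characters so we see the name the OS actually uses."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def rendered_name(name):
    """Approximate the displayed name: text after U+202E is shown reversed until
    a Pop Directional Formatting (U+202C) or the end of the string."""
    if "\u202E" not in name:
        return strip_controls(name)
    head, _, tail = name.partition("\u202E")
    tail, _, rest = tail.partition("\u202C")
    return strip_controls(head) + strip_controls(tail)[::-1] + strip_controls(rest)


def analyze_attachment(name):
    """Return a verdict dict for one attachment filename."""
    real = strip_controls(name)
    real_ext = os.path.splitext(real)[1].lower()
    shown = rendered_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    has_control = any(ch in BIDI_CONTROLS for ch in name)

    reasons = []
    if has_control:
        reasons.append("bidirectional control character in filename")
    if real_ext in EXECUTABLE_EXTS:
        reasons.append("real extension %s is executable" % real_ext)
    if has_control and real_ext != shown_ext:
        reasons.append("displayed extension %s differs from real %s" % (shown_ext, real_ext))

    return {
        "real_name": real,
        "real_extension": real_ext,
        "displayed_name": shown,
        "displayed_extension": shown_ext,
        "suspicious": has_control or real_ext in EXECUTABLE_EXTS,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample attachment names: one RLO-disguised executable, one benign document.
    for sample in ("Invoice\u202Ecod.exe", "report.docx", "budget.docx.exe"):
        verdict = analyze_attachment(sample)
        print(repr(sample), "->", verdict["displayed_name"], verdict["suspicious"], verdict["reasons"])
```

The first constructed sample is stored on disk as `Invoicecod.exe` but renders as `Invoiceexe.doc`, which is exactly the mismatch worth blocking or quarantining regardless of icon.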
It is worth mentioning that the creator of Vermin and the other two infections was using steganography for distribution last year. Using this method, the creator could hide the malware payload in images hosted on the saveshot[.]net and ibb[.]co websites. The malware could then extract the hidden data from the image file to launch the RAT, which, by the way, stands for “remote access tool.” According to researchers, this method is no longer used to spread Quasar, Sobaken, and Vermin.
How does Vermin RAT attack the Ukrainian Government?
Once executed, Vermin and the other RATs look for specific information to determine whether or not the attack should continue. For one, they check the keyboard layouts installed on the operating system, and the attack is stopped if neither a Ukrainian nor a Russian layout is detected. The same goes for systems whose IP addresses are not within Ukraine or Russia. It was also found that the infections may evade malware analysis systems by checking the computer’s username. The main goal is to attack the Ukrainian government, and WeLiveSecurity researchers report that several hundred victims in different Ukrainian organizations have already been attacked. If the RATs pass these checks, they drop the malware into a folder within the %APPDATA% directory. The folder is named after a well-known company (e.g., Microsoft) to avoid drawing the victim’s attention. After this, a scheduled task is created to ensure that the malware runs every 10 minutes.
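The persistence described above (an executable under %APPDATA% launched by a scheduled task on a 10-minute repetition) is a pattern worth auditing on any Windows fleet. Below is an added example, not code from the report, that parses exported Task Scheduler XML (the kind `schtasks /query /xml` or the C:\Windows\System32\Tasks files contain), reads the ISO 8601 repetition interval and the Exec command, and flags tasks that repeat at most every 10 minutes from a user-writable directory. The XML namespace is Microsoft's real Task Scheduler namespace; the two task definitions and the list of user-writable path markers are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML exports.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# ISO 8601 duration as Task Scheduler writes it, e.g. PT10M, PT1H, P1D.
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Path fragments that mean "user-writable location" (assumed list for the example).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "%appdata%", "%localappdata%", "\\temp\\")


def duration_minutes(value):
    """Convert a Task Scheduler duration string to minutes; None if unparseable."""
    m = DURATION_RE.match(value.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def audit_task_xml(xml_text, max_interval_minutes=10):
    """Return the task name, its Exec commands, the shortest repetition interval,
    and whether the combination matches the persistence pattern."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="(unnamed)", namespaces=TASK_NS)
    commands = [c.text or "" for c in root.findall(".//t:Exec/t:Command", TASK_NS)]
    intervals = [duration_minutes(i.text or "") for i in root.findall(".//t:Repetition/t:Interval", TASK_NS)]
    intervals = [i for i in intervals if i is not None]
    shortest = min(intervals) if intervals else None

    from_user_dir = any(marker in cmd.lower() for cmd in commands for marker in USER_WRITABLE)
    short_repeat = shortest is not None and shortest <= max_interval_minutes
    return {
        "name": name,
        "commands": commands,
        "interval_minutes": shortest,
        "runs_from_user_dir": from_user_dir,
        "short_repeat": short_repeat,
        "suspicious": from_user_dir and short_repeat,
    }


# Constructed sample: a task named after a vendor that relaunches a binary from
# %APPDATA% every 10 minutes. The path and task name are invented for the example.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft Update Helper</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Repetition><Interval>PT10M</Interval></Repetition>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\Microsoft\svchost.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign comparison: a daily task running from Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Vendor Updater</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>P1D</Interval></Repetition>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for xml_text in (SUSPICIOUS_TASK, BENIGN_TASK):
        result = audit_task_xml(xml_text)
        print(result["name"], result["interval_minutes"], "min", "SUSPICIOUS" if result["suspicious"] else "ok")
```

A real sweep would feed every file under C:\Windows\System32\Tasks through `audit_task_xml` and review the flagged ones; the interval threshold is a parameter because legitimate monitoring agents occasionally use short repetitions too, but rarely from a Roaming profile folder.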
What does Vermin RAT do?
If executed successfully, Vermin has a list of commands it can carry out. These commands enable the infection to capture the screen and audio; download, rename, and delete files; create and delete folders; start and kill processes; run a keylogger; and steal files from USB drives. Basically, Vermin is top-notch spyware that can help cyber attackers obtain the most sensitive data. By recording screenshots, audio, and keystrokes, the attackers can spy on the government and record passwords that could later be used to remotely hijack accounts. The infection can also extract passwords from web browsers. Using UsbGuard.exe, Vermin can steal sensitive files stored on external drives too. The infection specifically looks for files with the .7z, .doc, .docm, .docx, .jpg, .jpeg, .odt, .ods, .pdf, .rar, .rtf, .tif, .txt, .xlsm, .xls, .xlsx, and .zip extensions. Needless to say, Vermin RAT can cause a massive leak of sensitive data, which is the worst nightmare of any governmental agency. It is recommended that those responsible for securing these agencies immediately update their software and employ appropriate security safeguards to ensure that RATs cannot slither in.
Osis, K. (June 2018). Quasar, Sobaken and Vermin: A deeper look into an ongoing espionage campaign. WeLiveSecurity.