Researchers have uncovered a two-year-old cyber-espionage campaign that's been infecting Ukrainians with either a newly discovered remote access tool called Vermin or the more established Quasar RAT.
An analysis of Vermin by Palo Alto Networks' Unit 42 threat research team found that the remote access tool logs keystrokes, captures clipboard contents, uploads, downloads, renames and deletes files and folders, and records audio and video from the infected machine.
Palo Alto was tipped off to Vermin by a fellow researcher who tweeted an image of a decoy document purporting to be an official order from the Ukrainian Ministry of Defence. The document was delivered inside a malicious self-extracting (SFX) archive, distributed by phishing, that displays the decoy while executing the malware.
Pivoting on that sample, the researchers found additional Vermin samples and a larger command-and-control infrastructure that has been infecting individuals since late 2015 with either Vermin or Quasar RAT, an open-source malware family used in both criminal and espionage attacks. Many of the additional samples did not use a decoy document at all; they consisted only of the payload and a dropper whose icon mimics a document viewer such as Microsoft Word.
Unusually, Unit 42 found that Vermin carries its command-and-control traffic as Simple Object Access Protocol (SOAP) messages encapsulated in HTTP, a behaviour that is "something not often seen in malware samples," according to the Unit 42 blog post's authors, researchers Tom Lancaster and Juan Cortes.
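Because SOAP is rare outside enterprise web-service clients, a SOAP POST from a desktop host to an unfamiliar destination is a cheap thing to hunt for in proxy logs. The script below is an added example, not Unit 42's code and not Vermin's actual protocol: it recognises SOAP 1.1 and 1.2 envelopes, extracts the operation name from the body (falling back to the SOAPAction header), and counts operations per host outside an allowlist. The log entries, hostnames and operation names are constructed for the example.

```python
"""Flag SOAP-over-HTTP requests in a proxy log and summarise them per host.

Added example for this article; it is not Unit 42's code and the requests
below are constructed, not captured Vermin traffic.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

SOAP_NS = {
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",    # SOAP 1.2
}


def soap_operation(body: str):
    """Return the name of the first element under soap:Body, or None if the
    payload is not a well-formed SOAP envelope."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if not root.tag.startswith("{"):
        return None                      # no namespace: not SOAP
    ns, tag = root.tag[1:].split("}", 1)
    if ns not in SOAP_NS or tag != "Envelope":
        return None
    soap_body = root.find(f"{{{ns}}}Body")
    if soap_body is None or len(soap_body) == 0:
        return None
    return soap_body[0].tag.split("}", 1)[-1]   # strip the operation's namespace


def is_soap_request(req: dict) -> bool:
    """A POST with an XML/SOAP content type and either a SOAPAction header or
    a parseable SOAP envelope in the body."""
    if req.get("method") != "POST":
        return False
    ctype = req.get("content_type", "").lower()
    if not (ctype.startswith("text/xml") or ctype.startswith("application/soap+xml")):
        return False
    return "soap_action" in req or soap_operation(req.get("body", "")) is not None


def flag_soap_hosts(requests, allowlist):
    """Count SOAP operations per destination host, skipping allowlisted hosts.
    Returns {host: {operation: count}}."""
    hits = defaultdict(Counter)
    for req in requests:
        if not is_soap_request(req) or req["host"] in allowlist:
            continue
        op = (soap_operation(req.get("body", ""))
              or req.get("soap_action", "").strip('"')
              or "?")
        hits[req["host"]][op] += 1
    return {host: dict(ops) for host, ops in hits.items()}


# Constructed envelopes; the operation names are placeholders, not Vermin's.
ENVELOPE_11 = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
               '<s:Body><{op} xmlns="http://tempuri.org/"/></s:Body></s:Envelope>')
ENVELOPE_12 = ('<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">'
               '<s:Body><{op} xmlns="http://tempuri.org/"/></s:Body></s:Envelope>')

# Constructed proxy log: one legitimate internal SOAP client, one unknown host.
SAMPLE_LOG = [
    {"host": "crm.example-corp.internal", "method": "POST",
     "content_type": "text/xml; charset=utf-8",
     "soap_action": '"urn:crm/GetAccount"', "body": ENVELOPE_11.format(op="GetAccount")},
    {"host": "203.0.113.7", "method": "POST", "content_type": "text/xml; charset=utf-8",
     "body": ENVELOPE_11.format(op="Ping")},
    {"host": "203.0.113.7", "method": "POST", "content_type": "application/soap+xml",
     "body": ENVELOPE_12.format(op="GetTasks")},
    {"host": "203.0.113.7", "method": "POST", "content_type": "text/xml",
     "body": "<not xml"},                       # XML content type but no envelope: ignored
    {"host": "www.example.com", "method": "GET", "content_type": "", "body": ""},
]

KNOWN_SOAP_HOSTS = {"crm.example-corp.internal"}

if __name__ == "__main__":
    for host, ops in flag_soap_hosts(SAMPLE_LOG, KNOWN_SOAP_HOSTS).items():
        print(host, ops)
```

Run against the constructed log, only the unknown host surfaces, with the two operations it received; the malformed `text/xml` request and the allowlisted CRM traffic are dropped. In a real deployment the allowlist is the set of SOAP endpoints your environment legitimately talks to, and a new host appearing in the output is the lead worth following.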
Researchers also found that Vermin is composed of mostly original code, written using the Microsoft .NET Framework and often packed with the .NET obfuscation tool ConfuserEx.
On execution, the malware checks whether Russian is among the system's installed input languages, a check commonly read as a sign that the operators want to avoid infecting machines in their own country. If the machine is not set to Russian, the malware makes a Windows API call and then decrypts an embedded resource containing the main communications and RAT code.
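Locale gates of this kind are worth understanding at the bit level, because a sandbox that presents the wrong keyboard layouts never sees the second stage. The script below is an added example, not Vermin's code, and the article does not say which API the malware calls, so using `GetKeyboardLayoutList` here is an assumption. It decodes keyboard-layout handles (HKLs) into language identifiers and reports whether a Russian layout is installed; on Windows it enumerates the real layouts through ctypes, elsewhere it runs over a constructed list so the decoding logic can still be exercised.

```python
"""Decode Windows keyboard-layout handles and test for a Russian input language.

Added example, not Vermin's code. The use of user32!GetKeyboardLayoutList is
an assumption; the article only says the malware makes an API call.
"""
import ctypes
import sys

LANG_RUSSIAN = 0x19   # primary language ID for Russian; 0x0419 is the ru-RU LANGID


def langid(hkl: int) -> int:
    """The low word of an HKL is the input language identifier (LANGID)."""
    return hkl & 0xFFFF


def primary_lang(hkl: int) -> int:
    """PRIMARYLANGID: the low 10 bits of a LANGID (the sublanguage sits above)."""
    return langid(hkl) & 0x3FF


def has_russian_layout(hkls) -> bool:
    """True if any installed layout's primary language is Russian.
    Matching on the primary language also catches custom or IME layouts
    whose high word differs from the standard 0x0419 layout."""
    return any(primary_lang(h) == LANG_RUSSIAN for h in hkls)


def installed_layouts():
    """Return the installed HKLs. On Windows these come from the real
    GetKeyboardLayoutList; on other platforms a constructed en-US + ru-RU
    sample is returned so the rest of the script still runs."""
    if sys.platform != "win32":
        return [0x04090409, 0x04190419]   # constructed: en-US, ru-RU
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    count = user32.GetKeyboardLayoutList(0, None)   # query required buffer size
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)
    return [(h or 0) & 0xFFFFFFFF for h in buf]


def describe(hkls):
    """Human-readable LANGIDs for a list of HKLs, e.g. ['0x0409', '0x0419']."""
    return [f"0x{langid(h):04x}" for h in hkls]


if __name__ == "__main__":
    layouts = installed_layouts()
    print("installed LANGIDs:", describe(layouts))
    print("Russian layout present:", has_russian_layout(layouts))
```

Run on an analysis VM, the output tells you directly which branch a locale-gated sample will take; if the report says a Russian layout is present, the sample described here would not proceed to unpack its RAT code, so the VM's input languages need adjusting before detonation.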
At this point, the malware begins collecting information, including machine name, username, OS name, architecture, local IP address and the presence of anti-virus software. If an AV program is detected, then Vermin's keylogger component is not installed.
Beyond the fact that the campaign targets Ukrainians, the researchers could say little about its purpose: "We were unable to definitively determine the aims of the attackers or the data stolen," Lancaster and Cortes concluded.