Password-stealing, eavesdropping malware targets Ukrainian government

Vermin RAT is custom-built, receives updates and is part of a campaign targeting a large number of individuals.

special feature

Cybersecurity in an IoT and Mobile World

The technology world has spent so much of the past two decades focused on innovation that security has often been an afterthought. Learn how and why it is finally changing.

Read More

A cyber espionage campaign is targeting the Ukrainian government with custom-built malware which creates a backdoor into systems for stealing data -- including login credentials and audio recordings of surroundings.

The remote access trojan is called Vermin and is delivered alongside two other strains of malware -- Sobaken RAT and Quasar RAT -- the latter of which is an open source form of malware freely available online.

The three forms of malware have attacked hundreds of different victims in Ukraine, but appear to share infrastructure and connect to the same command and control servers. The campaign has been detailed by researchers at security company ESET, who say it has been active since at least October 2015.

vermin-detections.png

Detections of Vermin, Quadar and Sobaken

Image: ESET

Vermin is the most potent of the three forms of malware and appears to have received updates from its malicious authors.

In addition to carrying out the usual tasks associated with trojans, such as monitoring what happens on screen, downloading additional payloads and uploading files, it also contains a set of additional commands for the purpose of fully compromising the victim's machine.

They include the capacity to make audio recordings of sound near the victim's computer, a password stealer used to extract passwords from the Opera and Chrome browsers, and a keylogger.

Vermin -- first identified by Palo Alto Networks in January and since updated -- also has the ability to steal files from a USB drive. The malware will monitor the drive and steal files that match the chosen filter of the attackers, which for the most part, appears to documents.

SEE: What is malware? Everything you need to know about viruses, trojans and malicious software

ESET researchers note that this USB file-stealer has increasingly been used as a standalone tool since April. It copies the relevant files and immediately uploads them to the attackers' command and control server.

In addition to Vermin, the attackers also employ Quasar and Sobaken trojans. Quasar is an open-source form of malware equipped with a range of backdoor commands for observing and stealing from an infected system. As a result it has been used by many different attackers for purposes ranging from espionage to cybercrime.

Sobaken is a modified version of Quasar which has had a number of capabilities removed. However, because this means it's packed into a smaller executable, it's easier to hide -- Sobaken has also been equipped with anti-sandboxing and evasion techniques in order to help reduces the chances of discovery.

"A possible explanation for using three parallel malware strains is that each strain is developed independently. Another option is that several different malware strains were tried in hopes that one of them will slip through the defenses," Kaspars Osis, senior malware researcher at ESET told ZDNet.

Like many malware campaigns, the initial point of compromise comes with a phishing email equipped with a Microsoft Office attachment. The lures varied depending on the particular Ukranian government department being targeted, but examples of subjects included those that relate to transport and defence.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

In some cases, the attack leverages CVE-2017-0199, a remote code execution vulnerability, which was patched in April 2017, indicating some targets still haven't applied the relevant updates after more than a year.

Once the malicious file has been dropped onto the target system, it will run every 10 minutes to ensure its persistence on the infected machine.

The malware will terminate if the keyboard layout of the victim isn't Russian or Ukrainian. It will also terminate itself if the IP address of the machine isn't in Ukraine or Russia, indicating that this is a highly localised campaign.

When it comes to the attackers, researchers note that: "Even though these threat actors don't seem to possess advanced skills or access to 0-day vulnerabilities, they have been quite successful in using social engineering to both distribute their malware and fly under the radar for extended periods of time."

Currently, there's no clear attribution as to who might behind the attacks, but Ukraine has long been used as a test-bed by Russian hackers. The self-terminating processes in the malware also indicate that those behind it don't want it escaping into the wider world -- at least not yet.

While damaging, the delivery of the attacks is rather basic and as a result, researchers say cybersecurity awareness training can go a long way towards protecting against this type of campaign.

A full run-down of the IOCs of the attack have been published in the ESET report.

READ MORE ON CYBER CRIME