How Vermin RAT Spies Upon Ukrainian Government Agencies

Do you know what a cyber espionage tool is? It is a piece of malware that enables cyber criminals to access targeted operating systems to spy on them without the owner’s knowledge. Vermin RAT (remote access tool) is one of these tools, and it was found to be targeted at the Ukrainian government agencies, along with Quasar and Sobaken, two other infections that appear to be variants of the same malware. All three of these threats are distributed and used in the same ways, and they are equally as malicious and dangerous for the security of secret government information. When the RAT gains access to the targeted computer, it can easily record all kinds of information, from audio to passwords. Without a doubt, if malware is not handled appropriately, it can become extremely dangerous. At this point, the scale of the attack is not known, but it is believed that a few hundred computers that contain government-level data have already been compromised since the emergence of this malware.

According to Kaspars Osis, a malware researcher who uncovered the RATs, Vermin can be employed for various tasks. For one, it can create and delete folders, download and delete files, create and terminate processes. This gives this malware extreme power, using which it can download and run other malicious components. One of them is UsbGuard.exe, which is specifically used to steal files stored on USB devices. If the infected computer connects to this kind of device, the RAT silently copies all files that it is set to record (those with .doc, .docx, .docm, .xls, .xlsx, .zip, .rar, .7z,.txt, .rtf, .xlsm, .pdf, .jpg, .jpeg, .tif, .odt, and .ods extensions) and then sends them where attackers can access them. This tool has been found to be used by Sobaken too. Vermin can also capture screenshots and keystrokes to read potentially confidential data, as well as record such information, along with usernames, passwords, and other login credentials that could be used to hack into government accounts and systems. The RAT can even record audio.

Vermin spreads using corrupted spam emails that contain the launcher of the infection in one form or another. The executable of the infection could be hidden within a RAR archive, and if the target is tricked into opening the archive and the file, the RAT is executed. The malicious executable could also be concealed using an obfuscation method where the real extension of the file (i.e., .exe) is replaced with something else (e.g., .pdf, .doc, or .ppt). This can be done using the Right-to-Left override, where the “.exe” part is hidden within the name of the file. It is also known that the creator of the infection can use the CVE-2017-0199 exploit to introduce victims to a normal-looking .doc file that, unfortunately, is set to execute the infection. If the file is executed, it then checks if the user’s keyboard and IP are Russian or Ukrainian. If they are not, Vermin terminates the attack. If they are, malware is dropped to %AppData% folder with a misleading name. A scheduled task is created to run malware every ten minutes. This means that if the RAT is successfully planted onto the computer, it can spy continuously for a long time, and it cannot be stopped if the user reboots the computer.

Opening spam emails is always dangerous. If RATs are not hidden within them, it could be ransomware or misleading virtual scams used to obtain users’ personal data. Without a doubt, government workers should know better than to open random emails, but cyber criminals can make them appear extremely realistic. Using fabricated email addresses and misleading subject lines, messages, and files names, they can trick even more cautious targets to open malicious files. If Vermin RAT successfully invades the operating system, it can be used to obtain the most confidential information by copying and transferring files, capturing screenshots and audio, and recording keystrokes. A known Windows vulnerability (CVE-2017-0199) could aid the infection too. Therefore, it is most important to update the operating system and software, as well to stay away from suspicious emails. It is important to note that although Vermin RAT is specifically created to attack the Ukrainian government, analogous infections could be built to attack all other governments. Furthermore, new and more powerful versions of Vermin could be created in the future.