Security researchers from ESET uncovered an ongoing cyber espionage campaign aimed at Ukrainian government institutions, attackers used at least three different remote access Trojans (RATs).
The campaign was first spotted in January by experts from PaloAlto Networks when the researchers discovered a new piece of malware tracked VERMIN RAT targeting Ukraine organizations.
“Pivoting further on the initial samples we discovered, and their infrastructure, revealed a modestly sized campaign going back to late 2015 using both Quasar RAT and VERMIN.” reads the report from PaloAlto Networks.
Back to the present, the experts discovered that the attackers used several RATs to steal sensitive documents, the researchers collected evidence of the involvement of the Quasar RAT, Sobaken RAT, and Vermin.
The Quasar RAT is available for free on GitHub, many other attackers used it in their campaigns, including the Gaza Cybergang, which is also known as Gaza Hackers Team and Molerats. Sobaken is an improved version of Quasar RAT, that includes several anti-sandbox and other evasion mechanisms.
The RATs have been used against different targets at the same time, experts noticed they share some infrastructure and connect to the same C&C servers.
The threat actors don’t have advanced skills, their attack vector is spear phishing messages and they have been quite successful in using social engineering to lure victims into opening the email and downloading and executing the malicious codes.
“Even though these threat actors don’t seem to possess advanced skills or access to 0-day vulnerabilities, they have been quite successful in using social engineering to both distribute their malware and fly under the radar for extended periods of time.” Reads the analysis published by ESET.
“We were able to trace attacker activity back to October 2015; however, it is possible that the attackers
have been active even longer. These attackers use three different .NET malware strains in their attacks – Quasar RAT, Sobaken (a RAT derived from Quasar) and a custom-made RAT called Vermin. All three malware strains have been in active use against different targets at the same time, they share some infrastructure and connect to the same C&C servers.”
Some emails carried weaponized Word documents attempting to exploit CVE-2017-0199, attackers used a dropper masquerades as a legitimate software (i.e. Adobe, Intel or Microsoft) to deliver the final payload.
The threat actors used a scheduled task that executes the malware every 10 minutes to achieve persistence on the infected machine.
“The installation procedure is the same for all three malware strains used by these attackers. A dropper drops a malicious payload file (Vermin, Quasar or Sobaken malware) into the %APPDATA% folder, in a subfolder named after a legitimate company (usually Adobe, Intel or Microsoft).” continues the report.
“Then it creates a scheduled task that runs the payload every 10 minutes to ensure its persistence.”
Since mid-2017, the threat actors adopted steganography to bypass content filtering by hiding the payloads in images that were hosted on the free image hosting websites saveshot.net and ibb.co.
The malicious code executed only on hosts where the Russian or Ukrainian keyboard layouts are installed, it also checks the IP address and the username on the target machine.
To avoid automated analysis systems, that often use tools like Fakenet-NG where all DNS/HTTP communication succeeds and returns some result, the malware generates a random
website name/URL and attempt to connect it. If the connection fails in some cases the system could be considered real and not a virtualized environment used by researchers.
“Among the many different malware attacks targeted at high value assets in Ukraine, these attackers haven’t received much public attention – perhaps because of their initial use of open-source-based malware before developing their own strain (Vermin).” concludes the report.
“Employing multiple malware families, as well as various infection mechanisms – including common social engineering techniques but also not-so-common steganography – over the past three years, could be explained by the attackers simply experimenting with various techniques and malware, or it may suggest operations by multiple subgroups.”
Further details on the campaign, including the IoCs are included in the report.