An ongoing espionage campaign aimed at Ukraine is leveraging three different remote access Trojans (RATs), ESET security researchers warn.
The attacks apparently started in late 2015, but the first report on them emerged in January 2018. ESET says they have been tracking the campaign since mid-2017, and that the attacks have been mainly focused on Ukrainian government institutions, with a few hundred victims in different organizations.
The actors behind this cyber-espionage campaign have been using multiple stealthy RATs to exfiltrate sensitive documents, namely Quasar RAT, Sobaken RAT, and a custom-made RAT called Vermin.
The attackers, which appear to lack advanced skills and access to zero-day vulnerabilities, are using emails and social engineering to distribute the malware. Some emails carried Word documents attempting to exploit CVE-2017-0199, a vulnerability patched in April 2017.
A dropper is usually used to deliver the final payload (which masquerades as software form Adobe, Intel or Microsoft) to the %APPDATA% folder and to achieve persistence via a scheduled task that executes the malware every 10 minutes. Steganography was also employed to trick content filtering, accordnig to a whitepaper (PDF) published by ESET.
To avoid automated analysis systems and sandboxes, the malware checks if the Russian or Ukrainian keyboard layouts are installed and terminates itself if none is found. It also checks the system’s IP address and the username on the machine. Moreover, it checks if the connection to a randomly generated website name/URL fails, as would be expected on a real system.
An open-source backdoor, Quasar RAT can be freely downloaded from GitHub and has been employed by the actors behind this campaign since at least October 2015. Other groups have been using the malware in their attacks as well, including the Gaza Cybergang, which is also known as Gaza Hackers Team and Molerats.
Sobaken is a heavily modified version of Quasar RAT, with removed functionality to make the executable smaller, but also with several anti-sandbox and other evasion tricks added.
Vermin RAT, on the other hand, is a custom-made backdoor that first emerged in mid-2016 and which continues to be used. Written in .NET, it is protected using ConfuserEx and uses Vitevic Assembly Embedder, free software for embedding required DLLs into the main executable.
The malware includes support for screen capturing, reading directory contents, file upload/download/deletion/renaming, process monitoring and termination, shell execution, run keylogger, folder manipulation, audio capture, and bot update.
Most of the commands are implemented in the main payload, but the RAT also includes support for optional components, such as audio recorder, keylogger, password stealer, and USB file stealer.
“These attackers haven’t received much public attention compared to others who target high-profile organizations in Ukraine. However, they have proved that with clever social engineering tricks, cyber-espionage attacks can succeed even without using sophisticated malware. This underscores the need for training staff in cybersecurity awareness, on top of having a quality security solution in place,” ESET notes.