Security analysts detected a new attack campaign that is focused on Ukraine carrying a dangerous new weapon — the Vermin malware. According to the released reports this is a heavily updated version of the Quasar Trojan that has been further customized with custom code. The dangerous code allows the criminals to overtake full control of the compromised devices.
The Vermin Malware Has Been Unleashed
A recent attack campaign against devices located in Ukraine has led to the discovery of a dangerous new malware called Vermin. The researchers that detected the infections point out that it is a fork of the Quasar Trojan that contains a lot of code improvements and custom additions. This makes it a very formidable weapon because of the fact that it is not directly associated with Quasar’s behavior patterns and original malware engine. The focused attack that is set against the country is linked to two case scenarios under consideration. The first one is related to the fact that it is possible that the hacker operators have pre-configured the attack using a ready-made list of targets. The second proposal is attributed to the fact that the engine can extract detailed information about the regional settings. Using the acquired information the malware engine can activate itself if it deems that the compromised devices are viable. In other cases it can delete itself to avoid detection.
The attacks are mainly initiated through messages distributed through social networks, one of the main tactics was to utilize various fake Twitter profiles and link to infected documents. They can be of different type including: rich text documents, presentations and spreadsheets. The criminals behind it use social engineering tactics that coerce the victims into interacting with the files. They are made to appear as documents made by the country’s Ministry of Defense. The files contain a decoy self-extracting executable which activates the malware code that leads to the infections.
Vermin Malware Infiltration Tactics — The Malware Process
Once the infections have begun a secure connection with a hacker-controlled server is established. The interesting thing is that the operators use the SOAP protocol instead of the common HTTP. It is mainly used to exchange structured information and one of the reasons why it has been preferred is the fact that automated security software usually do not check this protocol as it may not be included in the standard signatures. A detailed analysis shows that the ongoing campaigns feature different customized strains. All of them are constructed using variable parameters which can make removal difficult in the case that multiple infections target the same network.
The first checks that are made after the malware infects are related to the regional settings. The malware engine is able to create a detailed profile of the victim’s devices. This includes both anonymous metrics and personally-identifiable data. The first category is related to hardware information and system variables. It is mainly used by the hacker operators to judge how effective the attacks are. The second category is made up of data that can directly expose the victim’s identity. It consists of strings that are related to their name, address, telephone number, geolocation, preferences and account credentials.
The specialists indicate that the Vermin code looks out for four specific input languages: ru – Russian, uk – Ukrainian, ru-ru – Russian and uk-ua – Ukrainian. If any of the checks passes the infection continues further. The follow-up steps are related to the download of additional malware components. They are in encrypted form and are decrypted on-the-fly as well as executed soon after that. During this initialization phase the hackers can enable a stealth protection that can bypass any detected security services. This includes sandboxes, virtual machines and debugging environments. The malware engine can bypass or remove them according to the built-in instructions. In some cases if it finds that it is unable to do so it can delete itself to avoid detection.
In addition to everything else the analysts uncovered that the threat installs a keylogger. It is embedded into the various malware processes and disguised as an Adobe Printer service. The process can collect various pieces of information — all keystrokes, mouse movement or individual interactions as defined by the operators. The collected information is encrypted and then stored in a folder location:
%appdata%\Microsoft\Proof\Settings.{ED7BA470-8E54-465E-825C-99712043E01C}\Profiles\.
Each individual log file is recorded using the following format: “{0:dd-MM-yyyy}.txt”.
Vermin Malware Capabilities
Once the Vermin malware has access to the computer and has infiltrated the system processes by hooking up to them and creating its own threads the modules allow the criminals to launch a variety of commands. This is done using the special secured network connection via the quoted SOAP protocol. The full list includes the following options:
- ArchiveAndSplit — Archive Target Files and Split Them in Parts
- CancelDownloadFile — Cancel A Running File Transfer
- CancelUploadFile — Cancel a Running Upload Process
- CheckIfProcessIsRunning — Checks If a Target Process is Running.
- CheckIfTaskIsRunning — Queries the System for a Specific Running Process.
- CreateFolder — Makes a New Folder in The Specified Location
- DeleteFiles — Removes a Target File.
- DeleteFolder — Commands the Malware to Delete a Set Folder.
- DownloadFile — Retrieves a File from a Remote Location.
- GetMonitors — Checks for any Apps that may be monitoring the system.
- GetProcesses — Retrieves the list of Running Processes.
- KillProcess — Stops Running Processes.
- ReadDirectory — Reads The Contents of The Target Directory.
- RenameFile — Rename Target Files.
- RunKeyLogger — Executes the Keylogger Module.
- SetMicVolume — Adjusts The Microphone Volume.
- ShellExec — Executes Provided Commands.
- StartAudioCapture — Enables The Audio Surveillance.
- StartCaptureScreen — Enables The Screenshot Module.
- StopAudioCapture — Disables The Audio Surveillance.
- StopCaptureScreen — Disables The Screenshot Module.
- UpdateBot — Updates the Running Vermin virus module.
- UploadFile — Transfers a File to The Command Server.
The following domains have been found to be related to the attack campaigns so far:
akamaicdn[.]ru
cdnakamai[.]ru
www.akamaicdn[.]ru
www.akamainet066[.]info
www.akamainet023[.]info
www.akamainet021[.]info
akamainet023[.]info
akamainet022[.]info
akamainet021[.]info
www.akamainet022[.]info
akamainet066[.]info
akamainet024[.]info
www.cdnakamai[.]ru
notifymail[.]ru
www.notifymail[.]ru
mailukr[.]net
tech-adobe.dyndns[.]biz
www.mailukr[.]net
185.158.153[.]222
94.158.47[.]228
195.78.105[.]23
94.158.46[.]251
188.227.75[.]189
212.116.121[.]46
185.125.46[.]24
5.200.53[.]181
Vermin Virus Removal
The complex infection tactics that are associated with the Vermin virus shows that it can only be removed using a quality anti-spyware solution. Once the infections have taken place a very thorough system analysis follows that gives the malware engine detailed information on how the compromised machine is configured. This allows the Trojan to affect all major components of the operating system. As such the hacker operators can seal sensitive files, spy on the victims and use the harvested data for blackmailing and fraud purposes.
We highly recommend all victims to run a free system scan in order to make sure that they are safe using a trusted security application. The solution is also capable of safeguarding the computers from any incoming attacks.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: