Multiple Ukrainian military departments were targeted by a spear phishing campaign that used a PowerShell script to deliver the RATVERMIN backdoor as a second-stage payload.
The campaign was discovered by FireEye Threat Intelligence's research team and continues a series of attacks against Ukrainian government targets that started in 2018, with the hacking group behind it appearing to be connected with the so-called Luhansk People's Republic (LPR).
RATVERMIN dropped using PowerShell script
As unearthed by FireEye Threat Intelligence after analyzing compile times for malware used during their attacks, the group appears to have been active since at least 2014 with their attacks being “primarily focused on targeting Ukrainian entities.”
In addition, “The 2018 campaign used standalone EXE or self-extracting RAR (SFX) files to infect victims. However, their recent activity showed increased sophistication by leveraging malicious LNK files,” said the researchers. “The group used open-source QUASARRAT and the RATVERMIN malware, which we have not seen used by any other groups.”
As part of the spear phishing attacks, the hackers sent emails designed to look like they were delivered by a United Kingdom defense manufacturer called Armtrac.
The phishing emails carried several lure files designed to trick the targets into launching the PowerShell dropper script. The dropper is started by a malicious LNK shortcut that poses as a document: its file name carries a PDF extension (Windows Explorer hides the trailing .lnk by default) and it displays the icon of a Microsoft Word document, so a recipient who double-clicks the apparent document actually runs the shortcut's PowerShell command line.
The other two documents, taken from the official Armtrac website [1, 2] to further gain the trust of the potential victims, were packed together with the shortcut in a ZIP archive, compressed again as a 7z archive named Armtrac-Commercial.7z, and attached to the phishing emails.
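The lure just described (a shortcut with a document extension and a document icon whose real target is a script host) is easy to spot once the archive has been unpacked, because the shortcut's target, arguments and icon are readable without running it. The following triage script is an added example for this article, not code from the FireEye report or from the campaign; the extraction directory, the document extensions it treats as disguises and the regular expressions it matches are assumptions chosen for illustration, and the archive should be extracted on an isolated analysis host before the script is run against it.

```powershell
# Added example, not code from the FireEye report or from the campaign itself.
# Triage an extracted lure archive for shortcut (.lnk) files that pose as documents
# (a document extension before ".lnk", a document icon) but actually launch
# PowerShell or another script host, which is the pattern described above.
# $ExtractDir is an illustrative path; extract the archive there on an isolated host first.
param([string]$ExtractDir = 'C:\Quarantine\Armtrac-Commercial')

$shell   = New-Object -ComObject WScript.Shell
$docExts = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.rtf', '.txt')   # assumed disguise list

Get-ChildItem -Path $ExtractDir -Recurse -Force -Filter '*.lnk' | ForEach-Object {
    # CreateShortcut only parses the shortcut; it does not execute its target.
    $lnk     = $shell.CreateShortcut($_.FullName)
    $lnkArgs = [string]$lnk.Arguments

    # "Quote.pdf.lnk" has BaseName "Quote.pdf"; the extension that remains is the disguise.
    $innerExt  = [System.IO.Path]::GetExtension($_.BaseName).ToLowerInvariant()
    $doubleExt = $docExts -contains $innerExt

    # Explorer hides ".lnk" and shows whatever icon the shortcut asks for, so a
    # document-viewer icon on a shortcut whose target is a script host is the lure.
    $hostTarget = $lnk.TargetPath -match '(?i)(powershell(_ise)?|pwsh|cmd|wscript|cscript|mshta)\.exe$'
    $docIcon    = $lnk.IconLocation -match '(?i)(winword|excel|acrord32|acrobat|wordpad)'

    # Switches typical of a PowerShell dropper: hidden window, bypassed execution
    # policy, encoded command, download-and-execute primitives.
    $badArgs = $lnkArgs -match '(?i)-w(indowstyle)?\s+hidden|-(ep|executionpolicy)\s+bypass|-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}|downloadstring|\biex\b|invoke-expression|frombase64string'

    # If the shortcut passes an -EncodedCommand, decode it (base64 of UTF-16LE) for the analyst.
    $decoded = $null
    if ($lnkArgs -match '(?i)-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) } catch { }
    }

    [pscustomobject]@{
        Path            = $_.FullName
        DoubleExtension = $doubleExt
        Target          = $lnk.TargetPath
        Arguments       = $lnkArgs
        Icon            = $lnk.IconLocation
        DecodedCommand  = $decoded
        Verdict         = if ($hostTarget -and ($doubleExt -or $docIcon -or $badArgs)) { 'SUSPICIOUS' } else { 'review manually' }
    }
} | Format-List
```

The verdict deliberately requires a script-host target plus at least one disguise or dropper indicator, so an ordinary shortcut to a Word document is not flagged, while a shortcut that merely runs cmd.exe with a clean command line is still listed for manual review. An empty IconLocation does not clear a file: a shortcut can also inherit a misleading icon from its target, so the target path and arguments are the fields to trust.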
Backdoor used in attacks since at least January 2018
The RATVERMIN .NET backdoor is a Remote Access Tool (RAT) first documented by Palo Alto Networks' Unit 42 in January 2018. It collects and exfiltrates system information from its victims and, with the help of a keylogger, “collects all keystrokes and clipboard data and encrypts the data before storing it.”
Like other backdoors, RATVERMIN also lets its operators run a wide range of commands on the compromised system, from launching and killing processes and capturing audio and screenshots to updating the malware and deleting files.
“While more evidence is needed for definitive attribution, this activity showcases the accessibility of competent cyber espionage capabilities, even to sub-state actors,” says the report.
Also, “While this specific group is primarily a threat to Ukraine, nascent threats to Ukraine have previously become international concerns and bear monitoring.”