ESET researchers have analysed remote access tools cybercriminals have been using in an ongoing espionage campaign to systematically spy on Ukrainian government institutions and exfiltrate data from their systems.
According to ESET’s telemetry, the attacks have been targeted at Ukrainian government institutions, with a few hundred victims in different organizations. Attackers have been using stealthy remote access tools (RATs) to exfiltrate sensitive documents from the victims’ computers.
We have detected three different strains of .NET malware in these campaigns: Quasar RAT, Sobaken RAT, and a custom-made RAT called Vermin. All three malware strains have been in active use against different targets at the same time, they share parts of their infrastructure and connect to the same C&C servers.
The analyzed campaigns have been based on basic social engineering, but also using several tricks to better lure the victims into downloading and executing the malware, served as email attachments. Among these tricks are using right-to-left override to obscure the attachments’ real extension, email attachments disguised as RAR self-extracting archives, and a combination of a specially crafted Word document carrying a CVE-2017-0199 exploit.
“These attackers haven’t received much public attention compared to others who target high-profile organizations in Ukraine. However, they have proved that with clever social engineering tricks, cyber-espionage attacks can succeed even without using sophisticated malware. This underscores the need for training staff in cybersecurity awareness, on top of having a quality security solution in place,” WeLiveSecurity said.
Quasar is an open-source RAT, which is freely available on GitHub. We were able to trace campaigns by these threat actors using Quasar RAT binaries back to October 2015.
Sobaken is a heavily modified version of the Quasar RAT. Some functionality was removed to make the executable smaller, and several anti-sandbox, and other evasion, tricks were added.
Vermin is a custom-made backdoor. It first appeared in mid-2016 and is still in use at the time of writing. Just like Quasar and Sobaken, it is written in .NET. To slow down analysis, the program code is protected using commercial .NET code protection system, .NET Reactor, or open-source protector ConfuserEx.