Palo Alto Networks Unit 42 has discovered a new malware family written using the Microsoft .NET Framework which the authors call "VERMIN", an ironic term for a RAT (Remote Access Tool). Cursory investigation into the malware showed the attackers not only had a flair for malware naming, but also for choosing interesting targets for their malware: nearly all the targeting we were able to uncover related to activity in Ukraine. Pivoting further on the initial samples we discovered, and their infrastructure, revealed a modestly sized campaign going back to late 2015 using both Quasar RAT and VERMIN. This blog shows the links between the activity observed, a walkthrough of the analysis of the VERMIN malware, and IOCs for all activity discovered.

Our initial interest was piqued through a tweet from a fellow researcher who had identified some malware with an interesting theme relating to the Ukrainian Ministry of Defense as a lure.

Figure 1 – The decoy document displayed to users when executing the initial malware sample

The sample was an SFX exe which displayed a decoy document to users before continuing to execute the malware; the hash of the file is given below.

The malware was notable for its rare use of HTTP-encapsulated SOAP, an XML-based protocol used for exchanging structured information, for command and control (C2), which is something not often seen in malware samples.

Using AutoFocus, we were quickly able to find similar samples by pivoting on the artifacts the malware created during a sandbox run, resulting in 7 other samples as shown in Figure 2.

Figure 2 – Pivoting in AutoFocus makes it easy to find similar malware samples.

Using the Maltego for AutoFocus transforms, we were then able to take the newly discovered samples and look at the C2 infrastructure in an attempt to see if we could link the samples together and in turn see if these C2s were contacted by malware. We quickly built up a picture of a campaign spanning just over 2 years with a modest C2 infrastructure:

Figure 3 – Further analysis using AutoFocus & other data sources allows us to link up the activity discovered so far.

The malware samples we discovered fell largely into two buckets: Quasar RAT and VERMIN. Quasar RAT is an open-source malware family which has been used in several other attack campaigns, including criminal and espionage motivated attacks. But a reasonable number of the samples were the new malware family, VERMIN.

Looking at the samples in our cluster, we could see the themes of the dropper files were similar to our first sample. Notably, most of the other files we discovered did not come bundled with a decoy document and instead were simply the malware and dropper compiled with icons matching popular document viewing tools, such as Microsoft Word. Names of some of the other dropper binaries observed are given below, with the original Ukrainian on the left and the translated English (via Google) on the right:

Original Name (Ukrainian)
Your certificate for free_receive help.exe

Given the interesting targeting themes and the discovery of a new malware family, we decided to take a peek at what "VERMIN" was capable of and document it here.

For this walkthrough, we'll be going through the analysis of the following sample:

SHA256: 98073a58101dda103ea03bbd4b3554491d227f52ec01c245c3782e63c0fdbc07

Analyzing the malware dynamically quickly gave us a name for the malware, based on the PDB string present in the memory of the sample:

Z:\Projects\Vermin\TaskScheduler\obj\Release\Licenser.pdb

As is the case with many of the samples from the threat actors behind VERMIN, our sample is packed initially with a popular .NET packer. Using a combination of tools, we were able to unpack and deobfuscate the malware.

Following initial execution, the malware first checks if the installed input language in the system is equal to any of the following:
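The PDB path and SHA256 quoted above are the kind of indicators a defender can sweep for across file collections and process memory dumps. The following script is an added example, not code from the Unit 42 post: it locates the CodeView "RSDS" debug record that carries a PDB path (the layout is the documented one: the four-byte "RSDS" signature, a 16-byte GUID, a 4-byte age, then a NUL-terminated path) and compares what it finds against the two VERMIN indicators. The sample buffer it scans is constructed for the demonstration and is not the real sample, so only the PDB path matches, not the hash.

```python
"""Hunt for the VERMIN PDB path and sample hash in a file or memory dump.

Added example, not part of the original write-up. Scans raw bytes for an
RSDS CodeView record rather than walking the PE debug directory, so it also
works on memory dumps of an unpacked process where PE headers may be gone.
"""
import hashlib
import re
import struct

# Indicators quoted in the write-up above.
VERMIN_PDB_PATH = r"Z:\Projects\Vermin\TaskScheduler\obj\Release\Licenser.pdb"
VERMIN_SHA256 = "98073a58101dda103ea03bbd4b3554491d227f52ec01c245c3782e63c0fdbc07"

# CodeView RSDS record: b"RSDS" + 16-byte GUID + 4-byte age + NUL-terminated path.
# The path is capped at 260 bytes (MAX_PATH) to avoid runaway matches in junk.
_RSDS = re.compile(rb"RSDS.{16}.{4}([^\x00]{1,260})\x00", re.DOTALL)


def extract_pdb_paths(data: bytes) -> list[str]:
    """Return every PDB path found in an RSDS CodeView record in `data`."""
    return [m.group(1).decode("latin-1") for m in _RSDS.finditer(data)]


def match_vermin_indicators(data: bytes) -> dict:
    """Compare the buffer's SHA-256 and embedded PDB paths with the indicators."""
    sha256 = hashlib.sha256(data).hexdigest()
    paths = extract_pdb_paths(data)
    return {
        "sha256": sha256,
        "sha256_match": sha256 == VERMIN_SHA256,
        "pdb_paths": paths,
        # Case-insensitive: build paths are Windows paths.
        "pdb_match": any(p.lower() == VERMIN_PDB_PATH.lower() for p in paths),
    }


def build_rsds_record(pdb_path: str, guid: bytes = b"\x11" * 16, age: int = 1) -> bytes:
    """Constructed helper: build an RSDS record as a real linker would emit it."""
    return b"RSDS" + guid + struct.pack("<I", age) + pdb_path.encode("latin-1") + b"\x00"


# Constructed sample buffer: padding around a VERMIN-style RSDS record.
# This is NOT the real sample, so its SHA-256 will not match VERMIN_SHA256.
SAMPLE_MEMORY = b"MZ" + b"\x90" * 64 + build_rsds_record(VERMIN_PDB_PATH) + b"\x00" * 32

if __name__ == "__main__":
    print(match_vermin_indicators(SAMPLE_MEMORY))
```

To use it on real data, read a file or dump with `open(path, "rb").read()` and pass the bytes to `match_vermin_indicators`. Matching the PDB path in memory is useful precisely because, as the text notes, the on-disk sample is packed: the path only becomes visible once the payload has been unpacked in the running process.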