
Vermin Complex Malware and RAT Set Against Ukraine


Security analysts have detected a new attack campaign focused on Ukraine that carries a dangerous new weapon: the Vermin malware. According to the published reports it is a heavily modified fork of the Quasar Trojan, extended with custom code. The added code allows the criminals to take full control of compromised devices.

The Vermin Malware Has Been Unleashed

A recent attack campaign against devices located in Ukraine has led to the discovery of a dangerous new malware called Vermin. The researchers who detected the infections point out that it is a fork of the Quasar Trojan containing many code improvements and custom additions. This makes it a formidable weapon, because its behaviour patterns and engine no longer match those of the original Quasar. Two explanations are under consideration for why the campaign is focused on the country. The first is that the operators pre-configured the attack using a ready-made list of targets. The second is that the engine extracts detailed information about the regional settings of each machine: using that information it activates itself only if it deems the compromised device a viable target, and otherwise deletes itself to avoid detection.

The attacks are mainly initiated through messages distributed via social networks; one of the main tactics was to use various fake Twitter profiles that link to infected documents. The documents come in several types, including rich text documents, presentations and spreadsheets. The criminals behind the campaign use social engineering tactics that coerce the victims into interacting with the files, which are made to look like documents issued by the country's Ministry of Defense. The files contain a decoy self-extracting executable that launches the malware code and leads to the infection.

Related Story: Malware Trends 2018: How Is the Threat Landscape Shaping Up?

Vermin Malware Infiltration Tactics — The Malware Process

Once the infection has begun, a secure connection to a hacker-controlled server is established. The interesting detail is that the operators use the SOAP protocol instead of plain HTTP. SOAP is mainly used to exchange structured information, and one reason it was preferred is that automated security software often does not inspect this protocol, as it may not be covered by the standard signatures. A detailed analysis shows that the ongoing campaigns feature several customized strains. All of them are built with variable parameters, which can make removal difficult when multiple infections target the same network.

The first checks made after the malware infects a machine concern the regional settings. The malware engine is able to create a detailed profile of the victim's device, covering both anonymous metrics and personally identifiable data. The first category consists of hardware information and system variables; it is mainly used by the operators to judge how effective the attacks are. The second category is made up of data that can directly expose the victim's identity: strings related to their name, address, phone number, geolocation, preferences and account credentials.

The specialists indicate that the Vermin code looks for four specific input languages: ru (Russian), uk (Ukrainian), ru-ru (Russian) and uk-ua (Ukrainian). If any of these checks passes, the infection continues. The follow-up steps download additional malware components, which arrive in encrypted form, are decrypted on the fly and executed soon afterwards. During this initialization phase the hackers can enable a stealth protection routine that bypasses any detected security services, including sandboxes, virtual machines and debugging environments. The malware engine can bypass or remove them according to its built-in instructions; in some cases, if it finds that it is unable to do so, it deletes itself to avoid detection.

In addition, the analysts uncovered that the threat installs a keylogger. It is embedded into the various malware processes and disguised as an Adobe Printer service. The process can collect various pieces of information: all keystrokes, mouse movements or individual interactions as defined by the operators. The collected information is encrypted and then stored in the following folder:

%appdata%\Microsoft\Proof\Settings.{ED7BA470-8E54-465E-825C-99712043E01C}\Profiles\.

Each individual log file is named using the following format: "{0:dd-MM-yyyy}.TXT".
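The folder and file-name format above are concrete host artifacts a responder can sweep for. The following is an added example, not code from the article or from the malware analysis it summarizes: it checks whether a file path matches the reported keylogger drop location and the .NET-style "{0:dd-MM-yyyy}.TXT" naming scheme, rejecting names that look right but are not valid dates. The sample paths are constructed for illustration. The GUID in the folder name is a well-known Explorer shell-folder CLSID, which is why the folder opens as a special view rather than listing the log files inside it.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# Drop folder reported in the article, relative to %appdata% (or any prefix).
KEYLOG_DIR_SUFFIX = PureWindowsPath(
    r"Microsoft\Proof\Settings.{ED7BA470-8E54-465E-825C-99712043E01C}\Profiles"
)

# "{0:dd-MM-yyyy}.TXT" is a .NET format string: two-digit day, two-digit month,
# four-digit year, then a ".TXT" extension.
LOG_NAME_RE = re.compile(r"^(\d{2})-(\d{2})-(\d{4})\.TXT$", re.IGNORECASE)


def is_keylog_filename(name: str) -> bool:
    """True if the file name follows dd-MM-yyyy.TXT and the date really exists."""
    m = LOG_NAME_RE.match(name)
    if not m:
        return False
    try:
        datetime.strptime(m.group(0)[:10], "%d-%m-%Y")
    except ValueError:  # e.g. 31-02-2018 matches the regex but is not a date
        return False
    return True


def in_keylog_dir(path: str) -> bool:
    """True if the file's parent directory ends with the reported drop folder."""
    parent_parts = [p.lower() for p in PureWindowsPath(path).parent.parts]
    want = [p.lower() for p in KEYLOG_DIR_SUFFIX.parts]
    return len(parent_parts) >= len(want) and parent_parts[-len(want):] == want


def is_vermin_keylog_artifact(path: str) -> bool:
    """Both conditions must hold: right folder and right file-name format."""
    return in_keylog_dir(path) and is_keylog_filename(PureWindowsPath(path).name)


def find_artifacts(paths):
    """Filter a list of file paths (e.g. from a disk inventory) down to matches."""
    return [p for p in paths if is_vermin_keylog_artifact(p)]


# Constructed sample inventory: one real hit, three near misses.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Proof"
    r"\Settings.{ED7BA470-8E54-465E-825C-99712043E01C}\Profiles\12-03-2018.TXT",
    r"%appdata%\Microsoft\Proof"
    r"\Settings.{ED7BA470-8E54-465E-825C-99712043E01C}\Profiles\31-02-2018.TXT",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Proof"
    r"\Settings.{ED7BA470-8E54-465E-825C-99712043E01C}\Profiles\notes.txt",
    r"C:\Users\alice\Documents\12-03-2018.TXT",
]

if __name__ == "__main__":
    for hit in find_artifacts(SAMPLE_PATHS):
        print("possible Vermin keylogger log:", hit)
```

The date validation matters in practice: a regex alone would flag "31-02-2018.TXT", while the malware's own formatter can only ever emit real calendar dates, so the stricter check trims false positives without losing true hits.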

Vermin Malware Capabilities

Once the Vermin malware has access to the computer and has infiltrated the system processes, hooking into them and creating its own threads, its modules allow the criminals to issue a variety of commands. This is done over the secured network connection using the SOAP protocol mentioned above. The full list includes the following options:

  • ArchiveAndSplit — Archive Target Files and Split Them in Parts
  • CancelDownloadFile — Cancel A Running File Transfer
  • CancelUploadFile — Cancel a Running Upload Process
  • CheckIfProcessIsRunning — Checks If a Target Process is Running.
  • CheckIfTaskIsRunning — Queries the System for a Specific Running Process.
  • CreateFolder — Makes a New Folder in The Specified Location
  • DeleteFiles — Removes a Target File.
  • DeleteFolder — Commands the Malware to Delete a Set Folder.
  • DownloadFile — Retrieves a File from a Remote Location.
  • GetMonitors — Checks for any Apps that may be monitoring the system.
  • GetProcesses — Retrieves the list of Running Processes.
  • KillProcess — Stops Running Processes.
  • ReadDirectory — Reads The Contents of The Target Directory.
  • RenameFile — Rename Target Files.
  • RunKeyLogger — Executes the Keylogger Module.
  • SetMicVolume — Adjusts The Microphone Volume.
  • ShellExec — Executes Provided Commands.
  • StartAudioCapture — Enables The Audio Surveillance.
  • StartCaptureScreen — Enables The Screenshot Module.
  • StopAudioCapture — Disables The Audio Surveillance.
  • StopCaptureScreen — Disables The Screenshot Module.
  • UpdateBot — Updates the Running Vermin virus module.
  • UploadFile — Transfers a File to The Command Server.

The following domains have been found to be related to the attack campaigns so far:

akamaicdn[.]ru
cdnakamai[.]ru
www.akamaicdn[.]ru
www.akamainet066[.]info
www.akamainet023[.]info
www.akamainet021[.]info
akamainet023[.]info
akamainet022[.]info
akamainet021[.]info
www.akamainet022[.]info
akamainet066[.]info
akamainet024[.]info
www.cdnakamai[.]ru
notifymail[.]ru
www.notifymail[.]ru
mailukr[.]net
tech-adobe.dyndns[.]biz
www.mailukr[.]net
185.158.153[.]222
94.158.47[.]228
195.78.105[.]23
94.158.46[.]251
188.227.75[.]189
212.116.121[.]46
185.125.46[.]24
5.200.53[.]181
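The indicator list above is most useful when it is actually run against traffic records. The following is an added example, not code from the article or from the underlying research: it re-fangs the published domains and addresses, then scans DNS log lines for queries to those domains (or any subdomain of them, which goes slightly beyond the literal list) and for answers resolving to the listed addresses. The log format and the log lines themselves are constructed for this example; a real deployment would adapt the parsing regex to the resolver or proxy in use. Note the lookalike naming (akamaicdn, akamainet) next to a legitimate CDN query, which the suffix match correctly leaves alone.

```python
import ipaddress
import re

# Indicators as published in the article, kept in defanged form.
VERMIN_DOMAINS = [
    "akamaicdn[.]ru", "cdnakamai[.]ru", "www.akamaicdn[.]ru",
    "www.akamainet066[.]info", "www.akamainet023[.]info", "www.akamainet021[.]info",
    "akamainet023[.]info", "akamainet022[.]info", "akamainet021[.]info",
    "www.akamainet022[.]info", "akamainet066[.]info", "akamainet024[.]info",
    "www.cdnakamai[.]ru", "notifymail[.]ru", "www.notifymail[.]ru",
    "mailukr[.]net", "tech-adobe.dyndns[.]biz", "www.mailukr[.]net",
]
VERMIN_IPS = [
    "185.158.153[.]222", "94.158.47[.]228", "195.78.105[.]23", "94.158.46[.]251",
    "188.227.75[.]189", "212.116.121[.]46", "185.125.46[.]24", "5.200.53[.]181",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("a[.]b") back into a usable name or address."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


DOMAIN_SET = {refang(d) for d in VERMIN_DOMAINS}
IP_SET = {ipaddress.ip_address(refang(i)) for i in VERMIN_IPS}


def domain_matches(name: str):
    """Return the listed domain that `name` equals or is a subdomain of, else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_SET:
            return candidate
    return None


def ip_matches(address: str) -> bool:
    try:
        return ipaddress.ip_address(address) in IP_SET
    except ValueError:  # not an IP literal (CNAME answers, empty fields, etc.)
        return False


# Constructed log format: "<ts> client=<ip> query=<name> type=<rr> [answer=<ip>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<query>\S+)"
    r"\s+type=(?P<type>\S+)(?:\s+answer=(?P<answer>\S+))?"
)


def scan_dns_log(lines):
    """Return (timestamp, client, reasons) for each line touching a Vermin IoC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real tool would count these
        reasons = []
        hit_domain = domain_matches(m["query"])
        if hit_domain:
            reasons.append(f"domain:{hit_domain}")
        if m["answer"] and ip_matches(m["answer"]):
            reasons.append(f"ip:{m['answer']}")
        if reasons:
            hits.append((m["ts"], m["client"], reasons))
    return hits


# Constructed sample log: two IoC hits by name, one by resolved address,
# one legitimate CDN query, one malformed line.
SAMPLE_LOG = [
    "2018-01-25T10:15:02Z client=10.0.0.5 query=www.akamaicdn.ru type=A answer=185.158.153.222",
    "2018-01-25T10:15:09Z client=10.0.0.5 query=akamai.com type=A answer=23.0.0.1",
    "2018-01-25T10:16:40Z client=10.0.0.7 query=mail.notifymail.ru type=MX",
    "2018-01-25T10:17:01Z client=10.0.0.9 query=update.example.com type=A answer=5.200.53.181",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ts, client, reasons in scan_dns_log(SAMPLE_LOG):
        print(ts, client, ", ".join(reasons))
```

Matching on the resolved address as well as the queried name catches the case where the operators register a fresh hostname but keep reusing the same hosting, which the last sample line illustrates.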

Vermin Virus Removal

The complex infection tactics associated with the Vermin virus show that it can only be removed reliably using a quality anti-spyware solution. Once the infection has taken place, a very thorough system analysis follows that gives the malware engine detailed information on how the compromised machine is configured. This allows the Trojan to affect all major components of the operating system. As a result the operators can steal sensitive files, spy on the victims and use the harvested data for blackmail and fraud.

We highly recommend that all victims run a free system scan with a trusted security application in order to make sure that they are safe. Such a solution can also safeguard the computer from incoming attacks.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
