RatVermin info-gathering malware hits Ukraine government, military

A spear-phishing campaign is on the run, so have researchers found, and it targets the military as well as government of Ukraine by dispatching e-mails with the purpose of spreading RatVermin a malicious program that's designed for gathering information of various kinds.

The Threat Intelligence Team at FireEye is the discoverer of the most recent spear-phishing electronic mail during early 2019 that contained one harmful LNK file having within it PowerShell script for pulling down RatVermin's 2nd-phase payload that its CnC (command-and-control) server provides. Ukraine's military departments were the recipient of the e-mail that had enticing content for attempting at selling de-mining machines.

A study of the assault's infrastructure by the researchers suggested that those responsible for the intrusion possibly were tied to the Luhansk People's Republic (its other name LPR or Lugansk People's Republic) which is one proto-state inside Ukraine's eastern region that called themselves independent via segregation from Ukraine back during 2014.

Posing as representative of defense manufacturer Armtrac based in UK, the e-mail sender supposedly sold de-mining machines. A file attached in the name "Armtrac-Commercial.7z" inside the e-mail carried 2 innocuous Armtrac documents but with a malevolent LNK file that showed itself as Microsoft Word label for duping victims. This malevolent LNK file if tried to view ran one PowerShell script that subsequently asked for a command for pulling down the 2nd-stage payload.

The ongoing spear-phishing campaign has been continuing from 2014 when it first hit the government of Ukraine with the RatVermin malware. Researchers found the perpetrators of the latest attack to have connection with Luhansk People's Republic. Threatpost.com posted this, April 16, 2019. As accords to FireEye, LPR as the Ukraine legislation portrays is a "temporarily occupied territory," while its rulers are a Russian Federation's occupying administration.

Evidently, when researchers were doing the attack's assessment, the server happened to be inaccessible, but they discovered the network structure as connected with domains which were earlier linked with the RatVermin RAT the abbreviation for remote access tool. This particular remote access tool is actually one .NET backdoor uncovered last year which carries out many sinister espionage activities like seizing audio, screenshots etc.

» SPAMfighter News - 4/20/2019