A cyber espionage campaign is targeting the Ukrainian government with custom-built malware which creates a backdoor into systems for stealing data - including login credentials and audio recordings of surroundings.

The remote access trojan is called Vermin and is delivered alongside two other strains of malware - Sobaken RAT and Quasar RAT - the latter of which is an open source form of malware freely available online.

The three forms of malware have attacked hundreds of different victims in Ukraine, but appear to share infrastructure and connect to the same command and control servers. The campaign has been detailed by researchers at security company ESET[1], who say it has been active since at least October 2015.

Detections of Vermin, Quasar and Sobaken. Image: ESET

Vermin is the most potent of the three forms of malware and appears to have received updates from its malicious authors.

In addition to carrying out the usual tasks associated with trojans, such as monitoring what happens on screen, downloading additional payloads and uploading files, it also contains a set of additional commands for the purpose of fully compromising the victim's machine.

They include the capacity to make audio recordings of sound near the victim's computer, a password stealer used to extract passwords from the Opera and Chrome browsers, and a keylogger.

Vermin - first identified by Palo Alto Networks in January[2] and since updated - also has the ability to steal files from a USB drive. The malware will monitor the drive and steal files that match the chosen filter of the attackers, which, for the most part, appears to be documents.

Read more from our friends at ZDNet