An ongoing espionage campaign aimed at Ukraine is leveraging three different remote access Trojans (RATs), ESET security researchers warn.
The attacks apparently started in late 2015, but the first
report on them emerged in January 2018. ESET says they have been tracking the campaign since mid-2017, and that the attacks have been mainly focused on Ukrainian government institutions, with a few hundred victims in different organizations.
The actors behind this cyber-espionage campaign have been using multiple stealthy RATs to exfiltrate sensitive documents, namely Quasar RAT, Sobaken RAT, and a custom-made RAT called Vermin.
The attackers, which appear to lack advanced skills and access to zero-day vulnerabilities, are using emails and social engineering to distribute the malware. Some emails carried Word documents attempting to exploit
CVE-2017-0199, a vulnerability patched in April 2017.
A dropper is usually used to deliver the final payload (which masquerades as software form Adobe, Intel or Microsoft) to the %APPDATA% folder and to achieve persistence via a scheduled task that executes the malware every 10 minutes.
Steganography was also employed to trick content filtering, accordnig to a whitepaper (
PDF) published by ESET.
