RATVERMIN

By GoldSparrow in Backdoors

RATVERMIN is a Remote Access Trojan (RAT) delivered by a spear-phishing campaign observed in early 2019. The campaign's main targets were government offices in Ukraine, which suggests that RATVERMIN is connected to state-sponsored activity by an opposing country or government. The campaign was designed to deliver its payload through a malicious LNK (Windows shortcut) file that installed the RATVERMIN RAT. The same campaign has also been used to deliver ransomware based on the HiddenTear ransomware platform. Regardless of the payload, both the campaign and the RATVERMIN malware itself are considered a serious threat, and computer users are advised to take steps to protect their computers and files from RATVERMIN and similar campaigns. Useful precautions include treating unexpected email attachments with suspicion, in particular archives containing shortcut files, and installing and keeping up to date a reputable security program.

The RATVERMIN Campaign and Malware Used in These Attacks

While the RATVERMIN campaign itself seems to have begun in late 2018 and was studied in detail by PC security researchers in early 2019, aspects of the attacks indicate that the group responsible has been active since at least 2014, with Ukrainian organizations as its primary targets throughout. Over this period, malware researchers have observed both an intensification of the attacks and a growing sophistication in how they function. As recently as 2018, the group's campaigns used executable files and self-extracting archives to carry out the infection. The latest attacks use more sophisticated methods, such as malicious LNK files that hide the real launcher behind a document-like name and icon. The RATVERMIN malware itself has not been observed in other attacks.

The Social Engineering Campaign Used in the RATVERMIN Attacks

The recent RATVERMIN attacks observed by PC security researchers used messages designed to look as if they were sent by Armtrac, an arms manufacturer located in the United Kingdom. These were part of a variety of phishing emails intended to trick the recipient into opening a malware dropper: an LNK file given a fake PDF extension which, when opened, ran a PowerShell script that installed the RAT. The LNK file was packed into an archive together with genuine documents taken from the official Armtrac website, including a Microsoft Word document, so that the attachment as a whole looked legitimate and the victim would open the shortcut along with the real documents.
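The dropper described above relies on the structure of a Windows shortcut: the target, the arguments and the icon are separate fields, so a shortcut named like a PDF can quietly launch powershell.exe with an encoded command. The following triage script is an added example written for this page, not code from the original article or from the RATVERMIN actors. It parses the ShellLinkHeader and StringData sections of a .lnk file as laid out in Microsoft's MS-SHLLINK specification and flags the tricks a practitioner checks for during email-attachment triage. The sample shortcut it builds is constructed here for illustration (its command, paths and file name are invented) and is not a real RATVERMIN artifact.

```python
"""Static triage of a Windows .lnk (Shell Link) file: parse the header and
StringData per MS-SHLLINK and flag the tricks used by LNK-based droppers."""
import base64
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the target minimised and without focus

# StringData fields in on-disk order, each present only if its LinkFlags bit is set (MS-SHLLINK 2.4)
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|certutil)(\.exe)?\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+hidden", re.I)          # -w / -WindowStyle Hidden
ENCODED = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)  # -e / -ec / -enc / -EncodedCommand
SPOOFED_EXT = re.compile(r"\.(pdf|docx?|xlsx?|rtf|txt|jpe?g)\.lnk$", re.I)


def _read_string(data, offset, unicode):
    """Read one StringData entry: CountCharacters (u16) followed by the characters, no terminator."""
    (count,) = struct.unpack_from("<H", data, offset)
    offset += 2
    size = count * 2 if unicode else count
    raw = data[offset:offset + size]
    if len(raw) != size:
        raise ValueError("truncated StringData")
    return (raw.decode("utf-16-le") if unicode else raw.decode("cp1252")), offset + size


def parse_lnk(data):
    """Return ShowCommand plus the StringData fields of a .lnk file as a dict."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (show_command,) = struct.unpack_from("<I", data, 60)   # ShowCommand sits at offset 60 of the header
    offset = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:                    # IDListSize (u16) + IDList
        (id_list_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + id_list_size
    if flags & HAS_LINK_INFO:                              # LinkInfoSize (u32) counts itself
        (link_info_size,) = struct.unpack_from("<I", data, offset)
        offset += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {name: "" for name, _ in STRING_FIELDS}
    for name, bit in STRING_FIELDS:
        if flags & bit:
            fields[name], offset = _read_string(data, offset, unicode)
    fields["show_command"] = show_command
    return fields


def decode_encoded_command(arguments):
    """Plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None if absent."""
    m = ENCODED.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):            # binascii.Error is a ValueError
        return "<undecodable>"


def analyze_lnk(data, filename):
    """Parse a shortcut and return its launch command, any decoded payload and a list of findings."""
    lnk = parse_lnk(data)
    findings = []
    if SCRIPT_HOSTS.search(lnk["relative_path"]):
        findings.append("target is a script host / LOLBin")
    if lnk["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand hides the window (SW_SHOWMINNOACTIVE)")
    if HIDDEN_WINDOW.search(lnk["arguments"]):
        findings.append("-WindowStyle Hidden in arguments")
    decoded = decode_encoded_command(lnk["arguments"])
    if decoded is not None:
        findings.append("encoded PowerShell command present")
    if SPOOFED_EXT.search(filename):
        findings.append("document extension spoofed ahead of .lnk")
    command_line = f'{lnk["relative_path"]} {lnk["arguments"]}'.strip()
    return {"command_line": command_line, "decoded_command": decoded, "findings": findings}


def build_sample_lnk(command="Write-Host 'decoy opened'", unicode=True):
    """Constructed sample (not a real RATVERMIN file): a shortcut that runs a hidden, encoded
    PowerShell command while pointing its icon at an Acrobat-looking path to pass as a PDF."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)
    encoded = base64.b64encode(command.encode("utf-16-le")).decode("ascii")

    def s(text):  # one StringData entry in the encoding selected by IS_UNICODE
        return struct.pack("<H", len(text)) + (text.encode("utf-16-le") if unicode else text.encode("cp1252"))

    body = (s(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe") + s("%TEMP%")
            + s(f"-nop -w hidden -enc {encoded}") + s(r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe"))
    return header + body + b"\x00\x00\x00\x00"   # TerminalBlock closes the (empty) ExtraData section


if __name__ == "__main__":
    report = analyze_lnk(build_sample_lnk(), "quote.pdf.lnk")   # constructed lure name
    print(report["command_line"])
    print("decoded:", report["decoded_command"])
    for finding in report["findings"]:
        print(" -", finding)
```

The parser deliberately stops after StringData: the LinkTargetIDList and LinkInfo structures are skipped by their declared sizes, which is enough to reach the arguments that matter for triage. A real triage pipeline would also inspect the ExtraData blocks (the EnvironmentVariableDataBlock in particular, since a target may be expressed only there), but the checks shown here cover the lure described in the text: a document-style name, a script-host target, a hidden window and an encoded command.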

Backdoor Components Linked to the RATVERMIN Attack

RATVERMIN establishes a backdoor into the infected computer. Trojans of this kind are generally known as Remote Access Tools or RATs and are designed to allow criminals to take over a computer and control it from a remote location. The RATVERMIN attacks were generally used to gather data from the infected computer, for example by logging keystrokes and copying data from its clipboard. However, the RATVERMIN RAT is capable of more than this, since its modules allow criminals to run numerous other attacks on the victim's computer. Using RATVERMIN, criminals can take over the victim's computer, collect data, delete files or install other malware. They can even use the infected computer's peripherals, for example turning on the affected computer's microphone or camera to spy on its surroundings. Given the possible political background of the RATVERMIN attacks, the campaign may be part of a larger espionage effort specifically targeting Ukraine, conducted against the backdrop of tensions between Ukraine and Russia and the fraught political landscape and armed conflict involving that country.
