Vermin RAT

Vermin RAT (a.k.a. VERMIN) is a custom-built Remote Access Tool used in targeted attacks against systems of the Ukrainian Ministry of Defense. It has been observed in campaigns since 2015, often alongside Quasar RAT. The payload is delivered to officials through phishing emails, sometimes sent from spoofed accounts. Security researchers report that the threat actors used executables disguised as Microsoft Word documents as droppers to gain access to the targeted computers. The fake documents have carried names such as:

'Ваші сертифікати для отримання безоплатної вторинної допомоги.exe' / 'Your certificates for receiving free secondary aid.exe'
'доповідь2.exe' / 'report2.exe'
'доповідь забезпечення паливом 08.06.17.exe' / 'fuel supply report 08.06.17.exe'
'lg_svet_smeta2016-2017cod.exe'
'lugansk_2273_21.04.2017.exe'
'Отчет-районы_2кв-л-2016.exe' / 'Report-districts_Q2-2016.exe'

Once the disguised executable is run, the Vermin RAT payload is dropped into a folder under the user's AppData directory whose name mimics a legitimate software publisher (Intel Corp., Adobe Systems Inc., Microsoft Corp.). Vermin RAT is written for the .NET Framework and is protected with code obfuscators, the commercial .NET Reactor and the open-source ConfuserEx, which hinder static detection and heuristic analysis. For persistence it creates a Windows scheduled task that launches it every 10 minutes. Vermin RAT also enumerates the keyboard layouts installed on the machine and terminates itself if none of the following is present:

  • ru – Russian
  • uk – Ukrainian
  • ru-ru – Russian
  • uk-ua – Ukrainian
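The two persistence traits described above, an executable dropped under AppData in a publisher-looking folder and a scheduled task that fires roughly every 10 minutes, are easy to hunt for on a live host. The following PowerShell script is an added example written for this page, not code from the original article or from any analysis of the malware; the vendor folder names and the 10-minute interval come from the text, while the scoring, column names and the Authenticode check are this example's own assumptions.

```powershell
# Added hunting example (not from the original article): list scheduled tasks whose
# action runs from %AppData%/%LocalAppData% and/or repeats at most every 10 minutes.
# Requires the built-in ScheduledTasks module (Windows 8 / Server 2012 and later).

$vendorNames  = 'Intel', 'Adobe', 'Microsoft'   # publisher-like folder names named in the article
$appDataRoots = @(
    [Environment]::GetFolderPath('ApplicationData'),       # %AppData%   (Roaming)
    [Environment]::GetFolderPath('LocalApplicationData')   # %LocalAppData%
)

function Get-IntervalMinutes {
    # Task repetition intervals are ISO 8601 durations such as PT10M or PT1H.
    param([string]$Iso)
    if ([string]::IsNullOrEmpty($Iso)) { return $null }
    try { return [System.Xml.XmlConvert]::ToTimeSpan($Iso).TotalMinutes } catch { return $null }
}

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Non-exec actions (COM handlers) have no Execute member; skip them.
        $exe = [Environment]::ExpandEnvironmentVariables("$($action.Execute)").Trim('"')
        if (-not $exe) { continue }

        $inAppData = $false
        foreach ($root in $appDataRoots) {
            if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inAppData = $true }
        }

        $vendorFolder = $false
        foreach ($v in $vendorNames) {
            if ($exe -match [regex]::Escape($v)) { $vendorFolder = $true }
        }

        # Collect every repetition interval on the task; flag anything at 10 minutes or less.
        $minutes   = @(foreach ($t in $task.Triggers) { Get-IntervalMinutes $t.Repetition.Interval })
        $minutes   = @($minutes | Where-Object { $_ })
        $tenMinute = @($minutes | Where-Object { $_ -le 10 }).Count -gt 0

        if ($inAppData -or $tenMinute) {
            [pscustomobject]@{
                TaskPath     = $task.TaskPath
                TaskName     = $task.TaskName
                Execute      = $exe
                InAppData    = $inAppData
                VendorFolder = $vendorFolder      # AppData + vendor name is the combination the article describes
                RepeatMin    = ($minutes -join ',')
                Signature    = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'missing' }
            }
        }
    }
}

$findings | Sort-Object InAppData, VendorFolder -Descending | Format-Table -AutoSize
```

A legitimate updater can also live under AppData and repeat on a timer, so treat the output as leads rather than verdicts: an unsigned (or `NotSigned`) binary in a folder named after a publisher that did not sign it is the pattern worth escalating.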

Vermin RAT is used to exfiltrate valuable data and record communications on infected machines. It includes a keylogger that is installed only when none of a blacklist of antivirus products is found on the host; if one of those products is present, the keylogger is not deployed. Beyond that, Vermin RAT is a classic backdoor Trojan: operators can control the infected machine remotely, take screenshots, copy stored data, and install or remove programs. It is classified as an advanced espionage tool of the kind used by state-sponsored threat actors, as well as by operators seeking to hijack administrator accounts on hosting services.

Vermin RAT is designed to remain stealthy on infected systems, and compromised users may notice no obvious symptoms. Operators may abuse the victim's email client (Thunderbird or alternatives) to send messages and may open ports in the Windows Firewall. Removal with a reputable security product is recommended. AV engines detect components of Vermin RAT under names including:

FileRepMetagen [Malware]
Gen:Variant.Razy.138702
HEUR/AGEN.1002342
MSIL/Spy.Agent.BBB
Spyware ( 00510b031 )
TROJ_INJECTO.XXUAK
Trojan.GenericKD.12464169
Trojan.MSIL.Spy.Vermin
Trojan.Win32.S.Agent.549030
Trojan.Win32.S.Razy.356352.DR
W32/Trojan.ZXTP-8607
TrojanSpy.Agent!0KRwmUw2M+s
