RatVermin Spyware Targets Ukraine Gov Agencies

ukraine spear phishing cyberattack

Researchers are pinning a recent phishing campaign against Ukraine government agencies on the Luhansk People’s Republic, a proto-state in eastern Ukraine which declared independence in 2015.

Researchers have uncovered an ongoing spear-phishing campaign, targeting the Ukraine government and military with emails aiming to distribute the RatVermin malware, which carries out various info-gathering activities.

Researchers said that an infrastructure analysis of the attack indicates that the actors behind the intrusion activity may be associated with the Luhansk People’s Republic (also known as the Lugansk People’s Republic or LPR), a proto-state in eastern Ukraine which declared independence from Ukraine in 2014.

“This actor has likely been active since at least 2014, and its continuous targeting of the Ukrainian government suggests a cyber-espionage motivation,” John Hultquist, Ben Read, Oleg Bondarenko and Chi-en Shen, researchers with FireEye’s Threat Intelligence research group, said in a Tuesday analysis. “This is supported by the ties to the so-called LPR’s security service. While more evidence is needed for definitive attribution, this activity showcases the accessibility of competent cyber-espionage capabilities, even to sub-state actors.”

The campaign was recently spotted targeting government entities in Ukraine via emails containing malicious LNK files with PowerShell scripts, which then downloaded a second-stage payload.

Researchers said they spotted a sample email from the campaign sent Jan. 22 with the subject “SPEC-20T-MK2-000-ISS-4.10-09-2018-STANDARD.”

The sender pretended to be from Armtrac, a U.K-based defense manufacturer, purporting to be selling de-mining machines. The email included an attachment called “Armtrac-Commercial.7z,” which contained two harmless Armtrac documents (which were real documents from the official Armtrac website) and one malicious LNK file (with a substituted Microsoft Word icon to trick the victim).

ukraine spear phishing

Click to Enlarge

The malicious LNK file when clicked on executes a PowerShell script, which then sends a command request to download a second-stage payload.

While the server was unreachable during analysis, researchers found that the network infrastructure was linked to domains previously connected to the RatVermin remote access tool (RAT). The RAT is a .NET backdoor discovered in 2018 that performs an array of malicious spy functions, including capturing screenshots, audio and more.

The so-called LPR proto-state, which is a land-locked territory in eastern Ukraine,  declared independence from Ukraine after the 2014 Ukrainian revolution. The conflict between the two is still going on as of April 2019.

The researchers made a link to LPR because the domain used by the command-and-control (C2) server in the campaign was registered under the same email (re2a1er1@yandex[.]ru) as several other domains – including one for the official website of the Ministry of State Security of the Luhansk People’s Republic.

Other domains linked to the email include several ones mimicking large news portals in Ukraine, one mimicking the site of V. B. Groysman (a politician who has been the Prime Minister of Ukraine since April 14, 2016) and one mimicking the largest weather website in the country.

It’s not the first time the Ukraine government has been targeted by a cyberattack – in April 2018, for instance, the Ukrainian Energy Ministry was hit by a ransomware attack, in what researchers believed was the work of amateurs rather than cyber-espionage efforts. Other efforts however have shown more skill.

“This latest activity is a continuation of spear-phishing that targeted the Ukrainian government as early as 2014,” researchers said. “The email is linked to activity that previously targeted the Ukrainian Government with RatVermin. Infrastructure analysis indicates the actors behind the intrusion activity may be associated with the so-called Luhansk People’s Republic (LPR).”

Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.

A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.

Suggested articles

Discussion

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.