Cyberespionage Campaign in Ukraine Uses Free and Custom RATs

Security researchers have been tracking a sustained cyberespionage campaign against Ukrainian government institutions that uses a combination of free and custom-made remote access Trojans (RATs).

The malware programs involved in the years-long campaign are Quasar RAT, Sobaken RAT and Vermin and have been documented before, either as standalone threats or together. However, security researchers from ESET have now established clear links between the attacks in Ukraine that use these tools, which could suggest that a single group is behind them.

“Even though these threat actors don’t seem to possess advanced skills or access to 0-day vulnerabilities, they have been quite successful in using social engineering to both distribute their malware and fly under the radar for extended periods of time,” the ESET researchers said in a paper. “We were able to trace attacker activity back to October 2015; however, it is possible that the attackers have been active even longer.”

Quasar RAT is the oldest and most well-known of the three programs because it is open source and available on GitHub. Sobaken is a heavily modified and improved version of Quasar, while Vermin is a custom-made backdoor that first appeared sometime in 2016.

All three programs are written in .NET and are actively used by this group of attackers against different targets at the same time. ESET has identified a few hundred victims in different organizations in Ukraine and established that the malware samples associated with this campaign share parts of their infrastructure and command-and-control servers.

Vermin, which is the newest and most sophisticated of the three RATs, supports 24 main commands and has several optional components that add functionality such as audio recording, keylogging and password stealing.

The attackers have implemented sandbox detection methods and obfuscate their malware’s code using .NET code protection tools such as .NET Reactor or ConfuserEx. Their RATs refuse to run on systems that don’t have Russian or Ukrainian keyboard layouts installed or an IP address from those countries.

What’s interesting about this group is its success despite an apparent lack of sophistication. The distribution campaigns use basic right-to-left text override tricks to obscure the real extension of malicious email attachments, self-extracting RAR archives and, in rare cases, Word documents carrying known exploits.

“These attackers haven’t received much public attention compared to others who target high-profile organizations in Ukraine,” the ESET researchers said in a blog post. “However, they have proved that with clever social engineering tricks, cyberespionage attacks can succeed even without using sophisticated malware. This underscores the need for training staff in cybersecurity awareness, on top of having a quality security solution in place.”

Creator of Remote Administration Tool Admits It Was Really a Trojan

A Kentucky man admitted to creating and distributing a remote access Trojan called LuminosityLink that was used by thousands of users from around the world to access other people’s computers without authorization.

According to the guilty plea, the man, named Colton Grubbs, marketed LuminosityLink as a tool for system administrators and sold it to more than 6,000 customers for $39.99.

Developing and selling remote administration tools is not illegal. However, Grubbs also used the handle “KFC Watermelon” to advertise the program on, a well-known cybercriminal forum, and actively assisted buyers to access computers without authorization.

“Defendant claimed that LuminosityLink was a legitimate tool for systems administrators, but knew that many customers were using his software to remotely access and control computers without their victims’ knowledge or permission,” the plea agreement reads. “Defendant’s marketing emphasized these malicious features of LuminosityLink, including that it could be remotely installed without notification, record the keys that a victim pressed on their keyboard, surveil victims using their computer cameras and microphones, view and download the computer’s files, steal names and passwords used to access websites, mine and earn virtual currency using victim computers and electricity, use victim computers to launch DDoS attacks against other computers, and prevent anti-malware software from detecting and removing LuminosityLink.”

The practice of Trojan developers marketing their creations as legitimate tools to avoid responsibility for how they’re used is not new. In February, Taylor Huddleston, 27, of Hot Springs, Arkansas, was sentenced to 33 months in prison for creating a RAT called NanoCore. He, too, initially claimed the program was a legitimate remote administration tool, but later admitted that he marketed it on Hack Forums and knew that some buyers intended to use it for malicious purposes.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin