Hackers target Ukrainian government agencies in systematic cyberespionage campaign

• Hackers are using three remote access tools called Quasar, Sobaken and Vermin.
• The cyberespionage campaign was first detected in 2017.

Ukraine’s government agencies have become the target of a lesser-known hacker group, security researchers discovered. The espionage campaign was first detected in 2017, but is believed to have begun as far back as 2015. The hacker group has already targeted hundreds of victims from various government organizations.

The hackers were found using three different variants of remote access tools (RATs) called Quasar, Sobaken and Vermin - all of which have been actively used against different targets simultaneously. According to security researchers at ESET, the three RATs share the same infrastructure and connect to the same C2 server.

Quasar, Sobaken and Vermin

Quasar is an open-source RAT that is readily available on GitHub and has been used by the hackers as far back in October 2015. Sobaken is a heavily modified version of Quasar with fewer functionalities to make the executable smaller. However, it does come with a fewanti-sandbox and other evasion techniques.

Meanwhile, Vermin is a full-featured backdoor capable of stealing credentials, keylogging and recording audio.

All three malware variants are delivered in the same way - a dropper is used to drop them into a subfolder named after a legitimate firm, such as Adobe, Microsoft or Intel.

“Employing multiple malware families, as well as various infection mechanisms – including common social engineering techniques but also not-so-common steganography – over the past three years, could be explained by the attackers simply experimenting with various techniques and malware, or it may suggest operations by multiple subgroups,” ESET researchers said in a report.

The malware strains are designed to only execute on targeted machines. If it detects that a Russian or Ukrainian keyboard isn’t installed on the system, it simply removes itself.

The malware strains also terminate themselves if the IP address of the targeted system is located outside Russian or Ukraine. They also fail to run on computers that are essentially malware analysis systems.

“These attackers haven’t received much public attention compared to others who target high-profile organizations in Ukraine,” ESET researchers wrote in a blog. “However, they have proved that with clever social engineering tricks, cyber-espionage attacks can succeed even without using sophisticated malware.

“This underscores the need for training staff in cybersecurity awareness, on top of having a quality security solution in place.”