VERMIN is a remote access trojan that was developed using original code and appears to be used by only one threat actor. Researchers at Palo Alto Networks noted that the VERMIN samples they obtained were initially packed with the .NET obfuscation tool ConfuserEx. After initial execution, VERMIN checks the language installed on the system, with the intent of terminating the malware operation if one of the following is not found: ru - Russian, uk - Ukraine, ru-ru - Russian, or uk-ua - Ukrainian. The process does not actually terminate if none of these languages is identified, indicating the developer may not have fully tested the malware. After passing the language check, the malware decrypts an embedded resource, passes several hardcoded arguments to the binary, and performs a setup routine. The embedded resource contains all the main code for the RAT's communications and functionality. The decrypted resource is set to run as a scheduled task every 30 minutes, indefinitely.
Parameters supplied include:
The malware then starts its operations, collecting information on the affected machine including the machine name, username, operating system name (via WMI query), whether the architecture is 64- or 32-bit, and the local IP address, and it checks for installed antivirus via a WMI query. If an antivirus product is detected, the malware does not deploy its keylogger function. The malware establishes a connection to its C2 server using SOAP envelopes, encrypting the data it sends with 3DES.
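The persistence pattern described above (a scheduled task that repeats every 30 minutes with no end) can be hunted for in Task Scheduler XML exports. The following is an added triage example, not code from the Palo Alto Networks analysis; the task names, paths and XML samples are constructed, and VERMIN's real task name is not given on this page.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace used by Task Scheduler XML ("schtasks /query /xml" exports).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def _task(trigger: str, command: str) -> str:
    """Build a minimal task definition around a trigger and an Exec action (constructed)."""
    return (f'<Task version="1.4" xmlns="{NS["t"]}"><Triggers>{trigger}</Triggers>'
            f'<Actions><Exec><Command>{command}</Command></Exec></Actions></Task>')

# Constructed sample exports: one weekly task, one bounded 30-minute repeat,
# and one matching the pattern in the report (every 30 minutes, no end).
SAMPLE_TASKS: Dict[str, str] = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": _task(
        "<CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary>"
        "<ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger>",
        r"%windir%\system32\defrag.exe"),
    r"\Vendor\Telemetry": _task(
        "<TimeTrigger><Repetition><Interval>PT30M</Interval><Duration>P1D</Duration>"
        "</Repetition><StartBoundary>2024-01-01T00:00:00</StartBoundary></TimeTrigger>",
        r"C:\Program Files\Vendor\telemetry.exe"),
    r"\Updater": _task(  # hypothetical name and path, not taken from the report
        "<TimeTrigger><Repetition><Interval>PT30M</Interval>"
        "<StopAtDurationEnd>false</StopAtDurationEnd></Repetition>"
        "<StartBoundary>2024-01-01T00:00:00</StartBoundary></TimeTrigger>",
        r"C:\Users\Public\update.exe"),
}

def repeats_indefinitely(task_xml: str, interval: str = "PT30M") -> bool:
    """True if any trigger repeats at `interval` with no Duration (i.e. indefinitely)."""
    root = ET.fromstring(task_xml)
    for rep in root.iterfind(".//t:Triggers//t:Repetition", NS):
        if (rep.findtext("t:Interval", default="", namespaces=NS) == interval
                and not rep.findtext("t:Duration", default="", namespaces=NS)):
            return True
    return False

def exec_commands(task_xml: str) -> List[str]:
    """Return the Command of every Exec action in the task."""
    root = ET.fromstring(task_xml)
    return [c.text or "" for c in root.iterfind(".//t:Actions/t:Exec/t:Command", NS)]

def flag_tasks(tasks: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each task matching the 30-minute indefinite pattern to its commands."""
    return {name: exec_commands(xml) for name, xml in tasks.items()
            if repeats_indefinitely(xml)}

if __name__ == "__main__":
    for name, cmds in flag_tasks(SAMPLE_TASKS).items():
        print(f"review: {name} -> {cmds}")
```

Legitimate software also registers indefinitely repeating tasks, so a hit is a triage lead to be checked against the command path and signer, not a verdict on its own.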
VERMIN supports the following commands, many of which require hands-on-keyboard style interaction:
- VERMIN custom malware used in Ukraine. (Palo Alto Networks)
- Palo Alto Networks provides technical analysis of VERMIN here.