A new Remote Access Tool/Trojan (RAT) dubbed "Vermin" has been observed being used by threat actors alongside the "Quasar" RAT in a campaign that dates back to late 2015, according to Palo Alto Networks Unit 42 researchers. Vermin is being distributed via malicious self-extracting (SFX) executables, some of which display decoy documents themed after the Ukrainian Ministry of Defense before continuing to execute the RAT.
Vermin collects system information from an infected machine, including the architecture, OS name, local IP address, machine name, and username. Researchers note that Vermin will also install a keylogger if it does not detect antivirus software on the machine.
Recommendation: Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain a baseline of what normal traffic looks like on your network. With that baseline, unusual traffic and connections to and from your network are easier to spot, which helps identify malicious activity such as a RAT communicating with its operators. Because Vermin only installs its keylogger when it detects no antivirus software, running and monitoring endpoint protection also limits what the malware will attempt on a compromised host, and because it arrives as SFX executables carrying decoy documents, executable attachments and archives from untrusted sources should be treated with suspicion.
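The following is an added example of the baseline-and-compare approach the recommendation describes; it is not code from the Unit 42 report or from the Anomali briefing. It learns which destination, port and protocol each internal host normally talks to during a known-good window of connection logs, then flags flows in a later window that fall outside that baseline and counts how often each new destination was contacted. The log format, IP addresses and port numbers are constructed for illustration and do not correspond to any real Vermin or Quasar infrastructure.

```python
"""Baseline-and-compare check for outbound connection logs.

Added example (not from the original report): learn the (dst, port, proto)
tuples each internal host used during a known-good window, then flag flows in
a later window that were never seen from that host. All data is constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed flow-log format: "<timestamp> <src> -> <dst>:<port> proto=<p> bytes=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) proto=(?P<proto>\w+) bytes=(?P<nbytes>\d+)$"
)

# Known-good window (constructed). Internal hosts resolve DNS via 10.0.0.2,
# reach a file server on 10.0.0.5, and browse to one external web host.
BASELINE_LOG = """\
2018-01-15T09:00:01Z 10.0.0.15 -> 10.0.0.2:53 proto=udp bytes=120
2018-01-15T09:00:02Z 10.0.0.15 -> 93.184.216.34:443 proto=tcp bytes=48211
2018-01-15T09:00:05Z 10.0.0.15 -> 10.0.0.5:445 proto=tcp bytes=9032
2018-01-15T09:01:10Z 10.0.0.22 -> 10.0.0.2:53 proto=udp bytes=98
2018-01-15T09:01:11Z 10.0.0.22 -> 93.184.216.34:443 proto=tcp bytes=30114
"""

# Later window (constructed): 10.0.0.15 starts contacting a never-seen external
# address on a high port, repeatedly and with small payloads. One malformed
# line is included to show that unparseable records are skipped, not fatal.
NEW_LOG = """\
2018-01-16T09:00:01Z 10.0.0.15 -> 10.0.0.2:53 proto=udp bytes=118
2018-01-16T09:00:02Z 10.0.0.15 -> 93.184.216.34:443 proto=tcp bytes=51009
2018-01-16T09:00:30Z 10.0.0.15 -> 198.51.100.23:60001 proto=tcp bytes=612
2018-01-16T09:05:30Z 10.0.0.15 -> 198.51.100.23:60001 proto=tcp bytes=598
2018-01-16T09:10:30Z 10.0.0.15 -> 198.51.100.23:60001 proto=tcp bytes=603
2018-01-16T09:01:10Z 10.0.0.22 -> 10.0.0.2:53 proto=udp bytes=101
this line is malformed and must be skipped
2018-01-16T09:01:11Z 10.0.0.22 -> 93.184.216.34:443 proto=tcp bytes=29876
"""


def parse_log(text):
    """Parse flow-log lines into dicts; skip lines that do not match the format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["nbytes"] = int(rec["nbytes"])
        records.append(rec)
    return records


def build_baseline(records):
    """Map each internal source host to the set of (dst, port, proto) it used."""
    baseline = defaultdict(set)
    for r in records:
        baseline[r["src"]].add((r["dst"], r["port"], r["proto"]))
    return baseline


def find_new_connections(records, baseline):
    """Return records whose (dst, port, proto) was never seen from that source."""
    return [
        r for r in records
        if (r["dst"], r["port"], r["proto"]) not in baseline.get(r["src"], set())
    ]


def summarize(anomalies):
    """Count repeat contacts per (src, dst, port, proto). Repeated contact with a
    never-seen destination is a stronger signal than a single stray flow."""
    return Counter((r["src"], r["dst"], r["port"], r["proto"]) for r in anomalies)


def run_check(baseline_text=BASELINE_LOG, new_text=NEW_LOG):
    """Build the baseline from one window and report out-of-baseline flows in another."""
    baseline = build_baseline(parse_log(baseline_text))
    anomalies = find_new_connections(parse_log(new_text), baseline)
    return summarize(anomalies)


if __name__ == "__main__":
    for (src, dst, port, proto), n in run_check().most_common():
        print(f"{src} -> {dst}:{port}/{proto}  {n} flow(s) outside baseline")
```

In practice the baseline window should be long enough to cover normal business cycles, and the per-host key should be extended (for example with destination ASN or resolved domain) so that routine CDN address churn does not swamp the report; the point of the example is the structure of the check, not the specific fields.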
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.