Pro-Russia group Vermin targets Ukraine with a new malware family

The Computer Emergency Response Team of Ukraine (CERT-UA) warned of new phishing attacks, carried out by the Vermin group, distributing malware.

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign conducted by the Vermin group that distributed malware.

Vermin is a pro-Russian hacker group, also tracked as UAC-0020, that operates under the control of the law enforcement agencies of the temporarily occupied Luhansk region.

The threat actor is using lures related to Ukraine’s cross-border offensive into Russia’s Kursk region.

The phishing messages include images of alleged prisoners of war from the Kursk region; the text is crafted to trick recipients into clicking a link that points to a ZIP archive (“spysok_kursk.zi”).


The ZIP archive contains a Microsoft Compiled HTML Help (CHM) file that embeds JavaScript; when the CHM is opened, that script launches an obfuscated PowerShell script.

The Vermin group attempted to deploy two malicious tools in this campaign: the previously known SPECTR spyware and a new malware family dubbed FIRMACHAGENT. In June 2024, CERT-UA had already warned of cyber attacks targeting Ukrainian defense forces with SPECTR as part of another cyber espionage campaign, dubbed SickSync.

“The PowerShell code is designed to download components of the SPECTR malware (which steals documents, screenshots, browser data, etc.) and a new program called FIRMACHAGENT (“chrome_updater.dll,” primarily tasked with uploading stolen data to a command server).” reads the report published by CERT-UA. “It also creates scheduled tasks to run the orchestrator “IDCLIPNET_x86.dll” (which manages SPECTR plugins) and FIRMACHAGENT.”
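The two execution stages described above (hh.exe, the Windows CHM viewer, spawning PowerShell; and scheduled tasks that run the IDCLIPNET_x86.dll orchestrator and the FIRMACHAGENT chrome_updater.dll) are both cheap to hunt for. The following is an added example, not code from CERT-UA or from this article: two PowerShell hunting functions run over constructed sample data. Only the two DLL names are taken from the CERT-UA description; the sample process records, task names and the rundll32 loader command are hypothetical, and the Sysmon-based live usage at the bottom assumes Sysmon is installed.

```powershell
# Added example (not from the CERT-UA report or this article): hunting for the
# CHM -> PowerShell chain and for scheduled tasks that reference the components
# CERT-UA names. Sample data below is constructed; only the DLL names are real.

function Find-ChmSpawnedPowerShell {
    # Flags process-creation records in which hh.exe (the Windows CHM viewer)
    # is the parent of a PowerShell host. Expects objects carrying the Sysmon
    # Event ID 1 field names ParentImage, Image and CommandLine.
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        if ($e.ParentImage -match '\\hh\.exe$' -and
            $e.Image -match '\\(powershell|powershell_ise|pwsh)\.exe$') {
            [pscustomobject]@{
                Reason      = 'PowerShell spawned by CHM viewer (hh.exe)'
                ParentImage = $e.ParentImage
                Image       = $e.Image
                CommandLine = $e.CommandLine
            }
        }
    }
}

function Find-SuspiciousScheduledTask {
    # Flags scheduled tasks whose action references the component names CERT-UA
    # lists: the IDCLIPNET_x86.dll orchestrator and chrome_updater.dll (FIRMACHAGENT).
    # Accepts the objects Get-ScheduledTask returns (TaskName, Actions[].Execute/Arguments).
    param(
        [Parameter(Mandatory)][object[]]$Tasks,
        [string[]]$Indicators = @('IDCLIPNET_x86.dll', 'chrome_updater.dll')
    )
    $pattern = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($t in $Tasks) {
        foreach ($a in $t.Actions) {
            $line = "$($a.Execute) $($a.Arguments)".Trim()
            if ($line -match $pattern) {
                [pscustomobject]@{ TaskName = $t.TaskName; Action = $line }
            }
        }
    }
}

# ---- Constructed sample input (not real telemetry) ----
$sampleEvents = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\hh.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -w hidden -enc ...' }   # hypothetical
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe' }                      # benign control
)
$sampleTasks = @(
    [pscustomobject]@{ TaskName = 'ChromeUpdate'   # hypothetical task name and loader command
                       Actions  = @([pscustomobject]@{ Execute = 'rundll32.exe'; Arguments = 'C:\Users\Public\chrome_updater.dll,Run' }) }
    [pscustomobject]@{ TaskName = 'NightlyBackup'
                       Actions  = @([pscustomobject]@{ Execute = 'robocopy.exe'; Arguments = 'C:\data D:\bak /MIR' }) }
)

Find-ChmSpawnedPowerShell -Events $sampleEvents | Format-List
Find-SuspiciousScheduledTask -Tasks $sampleTasks | Format-Table -AutoSize

# Live use (Sysmon installed, elevated shell): convert Event ID 1 records to
# objects with the EventData field names, then run the same functions.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ForEach-Object {
#         $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#         [pscustomobject]$d
#     }
# Find-ChmSpawnedPowerShell -Events $live
# Find-SuspiciousScheduledTask -Tasks (Get-ScheduledTask)
```

The parent/child check is the durable signal: hh.exe has no legitimate reason to start a PowerShell host, whatever the script is obfuscated into. The scheduled-task check is indicator-based and should be refreshed from CERT-UA's IoC list rather than trusted on its own.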

CERT-UA recommends reducing the likelihood of this threat by minimizing the attack surface: restrict user account privileges (remove day-to-day accounts from the “Administrators” group) and implement SRP/AppLocker policies that prevent users from executing .CHM files (in practice, by blocking hh.exe, the viewer that opens them) and powershell.exe.
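One way to put that recommendation into an AppLocker policy, as an added example that is not CERT-UA's own configuration: the script below generates a policy XML with Deny rules for hh.exe and the Windows PowerShell hosts, checks it with Test-AppLockerPolicy, and applies it locally. The rule names, the temp file path and the PowerShell 7 install path are assumptions; the SIDs are the well-known BUILTIN\Users, BUILTIN\Administrators and Everyone identifiers.

```powershell
# Added example, not CERT-UA's own configuration: generate an AppLocker policy that
# denies the CHM viewer (hh.exe) and the PowerShell hosts to ordinary users, check it
# with Test-AppLockerPolicy, and apply it. Run from an elevated PowerShell.

function New-ChmPowerShellDenyPolicy {
    param(
        # Group the Deny rules apply to. S-1-5-32-545 = BUILTIN\Users. AppLocker Deny
        # always wins over Allow, so an admin account that is also in Users is denied
        # too; that matches the advice that daily-use accounts are not admins.
        [string]$DenySid = 'S-1-5-32-545',
        # Start with AuditOnly (writes 8003 events to the AppLocker EXE and DLL log
        # without blocking); switch to Enabled once the log shows no legitimate hits.
        [ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly'
    )

    function New-PathRule([string]$Action, [string]$Sid, [string]$Path, [string]$Name) {
        # Rule GUIDs must be unique; generate them instead of hard-coding.
        $id = [guid]::NewGuid().ToString()
        "    <FilePathRule Id=`"$id`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"$Action`">`n" +
        "      <Conditions><FilePathCondition Path=`"$Path`" /></Conditions>`n" +
        "    </FilePathRule>"
    }

    $denyPaths = @(
        '%WINDIR%\hh.exe'                                                # opens .CHM files
        '%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe'
        '%WINDIR%\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
        '%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'        # 32-bit host
        '%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
        '%PROGRAMFILES%\PowerShell\7\pwsh.exe'                           # PowerShell 7, if installed (assumed path)
    )

    $rules = @(
        # Equivalents of AppLocker's default Exe rules. Without an Allow rule an
        # enforced Exe collection blocks everything that is not explicitly allowed.
        New-PathRule -Action Allow -Sid 'S-1-1-0'      -Path '%WINDIR%\*'       -Name 'Allow Windows folder'
        New-PathRule -Action Allow -Sid 'S-1-1-0'      -Path '%PROGRAMFILES%\*' -Name 'Allow Program Files'
        New-PathRule -Action Allow -Sid 'S-1-5-32-544' -Path '*'                -Name 'Allow Administrators everything'
    )
    $rules += foreach ($p in $denyPaths) {
        New-PathRule -Action Deny -Sid $DenySid -Path $p -Name ('Deny ' + [System.IO.Path]::GetFileName($p))
    }

@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
}

$xmlPath = Join-Path $env:TEMP 'uac0020-chm-powershell.xml'   # assumed staging path
New-ChmPowerShellDenyPolicy -Mode AuditOnly | Set-Content -Path $xmlPath -Encoding UTF8

# Dry run: what would a standard user get for the CHM viewer, PowerShell and a control binary?
Test-AppLockerPolicy -XmlPolicy $xmlPath -User 'S-1-5-32-545' -Path @(
    "$env:WINDIR\hh.exe",
    "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:WINDIR\System32\notepad.exe"
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally (for a domain, import the XML into a GPO instead). AppLocker needs the
# Application Identity service; it is a protected service on current Windows, so use sc.exe.
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge   # -Merge keeps rules already in place
```

Two caveats worth keeping in mind. The Deny on hh.exe is what actually stops the .CHM lure, because AppLocker has no rule type for .chm files themselves; and denying powershell.exe stops the exact chain CERT-UA describes but not every PowerShell host, since any process can load the System.Management.Automation engine directly, which is why the privilege-reduction advice comes first.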

CERT-UA’s report also includes indicators of compromise (IoCs).


Pierluigi Paganini

(SecurityAffairs – hacking, Vermin)
