VERMIN

Vermin is a sophisticated malware attributed to a pro-Russian hacker group, also known as UAC-0020, that operates under the control of law enforcement agencies in the temporarily occupied Luhansk. The Computer Emergency Response Team of Ukraine (CERT-UA) has raised alarms about a new phishing campaign conducted by the Vermin group which distributes this malicious software. The malware can infiltrate systems via suspicious downloads, emails, or websites and subsequently cause significant harm, including personal information theft, operational disruption, or data ransom. The Vermin group has been active since late 2015, using both Quasar RAT and VERMIN malware in their operations. Recent attacks targeted the Defense Forces of Ukraine using the SPECTR WPS in combination with a legitimate SyncThing in a campaign dubbed "SickSync". During this campaign, they attempted to deploy two types of malicious code: the previously known Spectr spyware and a newly identified malware family called Firmachagent. This activity strongly suggests that the VERMIN malware is used exclusively by this threat actor. In addition to its standard operational behavior, Vermin has capabilities to collect all keystrokes and clipboard data, encrypting it before storage. It's been at the center of some of the world's largest data breaches, notably hacking Snowflake, a major data warehousing company. Despite the scale and severity of these attacks, the modest size of the campaigns indicates a highly focused and potentially state-backed operation. The CERT-UA continues to monitor and warn against the activities of the Vermin group, emphasizing the need for heightened cybersecurity measures.