Vermin
Malware
⚠️ Overview
Vermin is a custom backdoor trojan first documented by ESET researchers in January 2020, attributed to the Russian-speaking threat group tracked as UAC-0020 (also known as Vermin Group or TA471). It is a remote access trojan (RAT) employed primarily for cyber espionage against Ukrainian government, military, and critical infrastructure entities.
🔧 Technical Capabilities
Vermin gains initial access through spear-phishing emails carrying archive attachments (ZIP/RAR) that contain a malicious LNK file; the LNK executes a PowerShell script to download the payload. It uses the Telegram Bot API over HTTPS as its command-and-control (C2) channel, enabling operators to issue commands via Telegram messages. The malware achieves persistence by creating a scheduled task (MITRE ATT&CK T1053.005) and employs process hollowing (T1055.012) to inject into legitimate processes such as explorer.exe or svchost.exe. For evasion, it performs sandbox detection by checking for virtual machine artifacts (e.g., VMware, VirtualBox) and delays execution to avoid automated analysis. Data exfiltration occurs by compressing stolen files into password-protected archives and uploading them to Telegram channels (T1041).
📜 History & Notable Incidents
Vermin was first observed in active campaigns as early as 2019, with a major uptick in 2020–2021 targeting Ukrainian government agencies, including the National Security and Defense Council and the Ministry of Defense. CERT-UA (CSIRT-NBU) issued multiple advisories (e.g., UAC-0020 alerts in 2021 and 2022) documenting campaigns that used compromised email accounts to distribute LNK-based payloads. No specific CVEs are associated with Vermin, as it relies on social engineering rather than exploiting software vulnerabilities.
🔍 Detection Indicators
Known file hashes from ESET reports include SHA-256 hashes of the initial LNK files and the final backdoor executables; the value f4c8a1b0e2d9c7f3a6b5d4e8f2a7c1b0 shown here is a placeholder rather than a verified hash, so refer to ESET’s technical report for verified IOCs. Behavioral indicators include creation of scheduled tasks named “WindowsUpdate” or “GoogleUpdate”, outbound HTTPS connections to api.telegram.org, and presence of the mutex “VerminMutex”. The User-Agent string used by the malware is typically “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36” followed by a fixed Telegram Bot token.
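As an added example (not code from this page, ESET or CERT-UA), the following Python script applies the behavioral indicators listed above to a constructed, simplified telemetry feed and triages hosts by the strength of the match. The event shape, host names and the bot-token value are assumptions made for the demo; the indicator strings are taken from this section as written and should be replaced with vendor-verified IOCs.

```python
import re

# Indicator values exactly as listed in the Detection Indicators section above.
# They are unverified on this page; swap in vendor-verified IOCs for production use.
TELEGRAM_API_HOST = "api.telegram.org"
UA_PREFIX = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36"
TASK_NAMES = {"WindowsUpdate", "GoogleUpdate"}
MUTEX_NAME = "VerminMutex"
# Telegram bot tokens have the shape <numeric bot id>:<long secret>; a token
# trailing the User-Agent is the fingerprint the page describes.
BOT_TOKEN_RE = re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{30,}")

def classify(event: dict) -> list:
    """Return (severity, rule) pairs matched by one normalised event.
    Assumed event shape (constructed for this demo, not a real product format):
      {"kind": "net", "host": ..., "ua": ...}, {"kind": "task", "name": ...},
      {"kind": "mutex", "name": ...}
    """
    hits, kind = [], event.get("kind")
    if kind == "net":
        ua = event.get("ua", "")
        if event.get("host") == TELEGRAM_API_HOST:
            # Legitimate Telegram clients hit this host too, so alone it is low.
            hits.append(("low", "telegram_api_egress"))
        if ua.startswith(UA_PREFIX) and BOT_TOKEN_RE.search(ua[len(UA_PREFIX):]):
            hits.append(("high", "bot_token_in_user_agent"))
    elif kind == "task" and event.get("name") in TASK_NAMES:
        hits.append(("medium", "lookalike_scheduled_task"))
    elif kind == "mutex" and event.get("name") == MUTEX_NAME:
        hits.append(("high", "vermin_mutex"))
    return hits

def triage(events: list) -> dict:
    """Group hits by source host; returns {host: sorted rule names} for hosts with hits."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["src"], []).extend(classify(ev))
    return {h: sorted({rule for _, rule in hits}) for h, hits in by_host.items() if hits}

# Constructed sample telemetry for two hosts (all values invented for the demo).
SAMPLE_EVENTS = [
    {"src": "ws-17", "kind": "net", "host": "api.telegram.org",
     "ua": UA_PREFIX + " 123456789:AAHdemo_token_placeholder_000000000"},
    {"src": "ws-17", "kind": "task", "name": "GoogleUpdate"},
    {"src": "ws-17", "kind": "mutex", "name": "VerminMutex"},
    {"src": "ws-22", "kind": "net", "host": "api.telegram.org", "ua": "Telegram Desktop"},
    {"src": "ws-22", "kind": "task", "name": "MicrosoftEdgeUpdateTaskMachineUA"},
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
```

Only ws-17 trips the high-severity rules; ws-22 shows that api.telegram.org egress by itself is expected for ordinary Telegram use and needs the token or host-artifact rules to become actionable.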
☠️ Risk & Impact
Vermin enables full remote control of infected machines, leading to theft of sensitive documents, credentials, and system information. Targeting of Ukrainian state institutions has caused compromise of diplomatic communications, military planning documents, and critical infrastructure operation data, contributing to broader geopolitical cyber conflict. The malware’s persistent access and stealthy exfiltration via Telegram pose significant data loss risks for governmental and defense sectors.
🛡️ Mitigation
Defenses should include user awareness training against spear-phishing with LNK attachments, strict email attachment filtering for archive files, and network monitoring for anomalous outbound connections to Telegram API endpoints. ESET provides detection rules (e.g., “Vermin” signatures in their Endpoint Security product) and Microsoft Defender for Endpoint can flag LNK-based PowerShell execution (T1059.001).
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.