VERMIN

VERMIN is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code. [1]

ID: S0257
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 17 October 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

VERMIN uses HTTP for C2 communications.[1]

Enterprise T1560 Archive Collected Data

VERMIN encrypts the collected files using 3-DES.[1]

Enterprise T1123 Audio Capture

VERMIN can perform audio capture.[1]

Enterprise T1119 Automated Collection

VERMIN saves each collected file with the automatically generated format {{0:dd-MM-yyyy}}.txt .[1]

Enterprise T1115 Clipboard Data

VERMIN collects data stored in the clipboard.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

VERMIN decrypts code, strings, and commands to use once it's on the victim's machine.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

VERMIN can delete files on the victim’s machine.[1]

Enterprise T1105 Ingress Tool Transfer

VERMIN can download and upload files to the victim's machine.[1]

Enterprise T1056 .001 Input Capture: Keylogging

VERMIN collects keystrokes from the victim machine.[1]

Enterprise T1027 Obfuscated Files or Information

VERMIN is obfuscated using the obfuscation tool called ConfuserEx.[1]

.002 Software Packing

VERMIN is initially packed.[1]

Enterprise T1057 Process Discovery

VERMIN can get a list of the processes and running tasks on the system.[1]

Enterprise T1113 Screen Capture

VERMIN can perform screen captures of the victim’s machine.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

VERMIN uses WMI to check for anti-virus software installed on the system.[1]

Enterprise T1082 System Information Discovery

VERMIN collects the OS name, machine name, and architecture information.[1]

Enterprise T1016 System Network Configuration Discovery

VERMIN gathers the local IP address.[1]

Enterprise T1033 System Owner/User Discovery

VERMIN gathers the username from the victim’s machine.[1]

References