| FIRMACHAGENT | |
| --- | --- |
| Type of Malware | Trojan |
| Country of Origin | Russia |
| Targeted Countries | Ukraine |
| Date of Initial Activity | 2024 |
| Associated Groups | UAC-0020 (Vermin) |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
| Type of Information Stolen | Browser Data |
Overview
On August 19, 2024, CERT-UA issued a cybersecurity alert (CERT-UA#10742) warning of a resurgence of the UAC-0020 hacking group, also known as Vermin, leveraging a new offensive tool called FIRMACHAGENT in their ongoing campaign targeting Ukraine. This attack follows their SickSync campaign from earlier in the year, in which they utilized the SPECTR malware to compromise Ukrainian military and governmental entities. The latest attack uses phishing emails with a deceptive subject line related to prisoners of war at the Kursk front during World War II, a topic that the attackers exploit for emotional manipulation.
Targets
Public Administration
How they operate
Infection and Initial Execution
The operation of FIRMACHAGENT begins with a phishing attack, where attackers craft deceptive emails containing malicious attachments or links. These emails often feature social engineering tactics designed to prey on the recipient’s curiosity or urgency, prompting them to open an attachment or click on a link. The attachment may be a Compiled HTML Help (CHM) file, which is commonly used in malware distribution due to its ability to execute embedded code without raising alarms. When the user interacts with the file, it triggers a chain of events, starting with the execution of an obfuscated PowerShell script embedded within the CHM file. This script is designed to bypass traditional security measures by obfuscating its commands, making detection more difficult for security software.
Once executed, the PowerShell script performs a series of actions, including downloading additional components and payloads from remote servers. One of the primary goals at this stage is to download and install the core FIRMACHAGENT malware, which enables further exploitation of the compromised system. The malware is often configured to communicate with its C2 server, facilitating the next phase of the attack.
Persistence Mechanisms
To maintain long-term access to the compromised system, FIRMACHAGENT utilizes multiple persistence techniques. One of the most common methods involves the creation of scheduled tasks that allow the malware to automatically execute at regular intervals. By setting up these tasks, FIRMACHAGENT ensures that it remains active on the system, even after reboots or manual removals. These scheduled tasks are often set to trigger the execution of additional malicious scripts or malware components, reinforcing the malware’s foothold.
In addition to scheduled tasks, FIRMACHAGENT may also attempt to escalate its privileges. Many attacks, including those leveraging PowerShell, require elevated privileges to execute successfully. In some cases, the malware may attempt to exploit vulnerabilities or abuse system control mechanisms to gain higher access levels, enabling it to interact with more sensitive parts of the operating system.
Evasion and Obfuscation
FIRMACHAGENT employs several techniques to evade detection by security software. One of the key methods is the use of obfuscation, particularly in its PowerShell scripts. Obfuscation is the process of modifying the script in such a way that its intent remains hidden from automated analysis tools. This may include encoding commands, using non-standard syntax, or employing techniques like control flow obfuscation to confuse static analysis tools. By making the malicious code difficult to analyze, FIRMACHAGENT significantly reduces the chances of detection during early stages of execution.
Another evasion tactic involves the use of legitimate system binaries to proxy the execution of malicious code. This is commonly known as “Living off the Land” (LOTL) and involves using existing system tools—such as Windows Management Instrumentation (WMI) or CHM files—to execute malicious commands without triggering alarms from traditional antivirus or endpoint detection systems.
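As an added defender-side example (not from the CERT-UA alert or from this profile), the following Python triages constructed process-creation events for the chain described above: a CHM opened by hh.exe (the Windows HTML Help viewer) spawning PowerShell, an encoded or hidden-window PowerShell command, and a scheduled task whose action launches an interpreter. The event field names and sample events are constructed; the technique IDs are the ones listed under MITRE Tactics and Techniques below.

```python
import base64
import re
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# -e, -en, -enc and -encodedcommand are all accepted spellings of -EncodedCommand.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]+)")

# Constructed sample events (not real telemetry): hh.exe -> PowerShell, then a scheduled task.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + base64.b64encode("Write-Output placeholder".encode("utf-16-le")).decode()},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc minute /mo 30 /tn Updater '
                '/tr "powershell.exe -w hidden -File C:\\Users\\Public\\u.ps1"'},
]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text) or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_event(ev):
    """Return (technique, detail) findings for one event; an empty list means no rule fired."""
    parent, image = (p.rsplit("\\", 1)[-1].lower() for p in (ev["parent"], ev["image"]))
    low = ev["cmdline"].lower()
    findings = []
    # T1218.001: the HTML Help viewer has no business spawning a script interpreter.
    if parent == "hh.exe" and image in INTERPRETERS:
        findings.append(("T1218.001", f"hh.exe spawned {image}"))
    # T1027: encoded or hidden-window PowerShell hides its intent; surface the decoded text.
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is not None:
            findings.append(("T1027", f"encoded command decodes to: {decoded}"))
        elif re.search(r"-w(?:indowstyle)?\s+hidden|frombase64string|-nop\b", low):
            findings.append(("T1027", "hidden-window or inline-decoding PowerShell"))
    # T1053.005: a scheduled task whose action launches an interpreter.
    if image == "schtasks.exe" and "/create" in low and any(i in low for i in INTERPRETERS):
        findings.append(("T1053.005", "scheduled task created with interpreter action"))
    return findings

def triage(events):
    # Map event index -> findings, keeping only events that matched at least one rule.
    return {i: f for i, ev in enumerate(events) if (f := triage_event(ev))}
```

Run against real Sysmon Event ID 1 or Security 4688 records, the same three rules translate directly into a hunting query; decoding the encoded command is what lets an analyst see through the T1027 layer instead of just flagging it.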
Data Exfiltration
Once the malware has established its presence and escalated privileges, its next objective is typically to exfiltrate sensitive data. FIRMACHAGENT is equipped with capabilities to steal documents, credentials, and other sensitive information from the compromised system. This data is then uploaded to the attacker’s C2 server for further use, such as intelligence gathering or exploitation. The communication between the malware and the C2 server often uses common web protocols like HTTP or HTTPS, which are harder to detect due to their widespread usage in legitimate web traffic. By blending in with regular internet traffic, FIRMACHAGENT can exfiltrate data without raising suspicion from network monitoring tools.
The exfiltration process is often facilitated by other malware components that have been downloaded onto the infected system. These components may be specifically designed to handle different forms of data extraction, such as scraping web browsers for stored credentials or capturing screenshots for intelligence purposes. FIRMACHAGENT’s ability to operate silently and efficiently makes it an effective tool for cyber espionage and data theft.
MITRE Tactics and Techniques
Initial Access (TA0001)
Phishing (T1566): FIRMACHAGENT is often delivered through phishing emails, where the attacker uses a social engineering lure to convince the victim to open malicious attachments or click on harmful links. This is commonly done using a spear-phishing attachment or link that delivers the malware to the victim’s system.
Execution (TA0002)
User Execution (T1204): The execution of FIRMACHAGENT is triggered when the victim opens a malicious attachment, such as a CHM (Compiled HTML Help) file, or interacts with a deceptive link. This technique involves user interaction to execute the payload.
Command and Scripting Interpreter (T1059): FIRMACHAGENT executes malicious PowerShell commands and other scripts on the victim’s machine to carry out various malicious actions, such as downloading additional components or communicating with C2 servers.
Persistence (TA0003)
Scheduled Task/Job (T1053.005): FIRMACHAGENT creates and manages scheduled tasks to ensure persistence on infected systems. This allows the malware to execute at specified intervals, maintaining access over time.
Privilege Escalation (TA0004)
Abuse Elevation Control Mechanism (T1548): While not explicitly detailed, tools like FIRMACHAGENT often require privilege escalation to execute with higher privileges, especially when installing other malware or interacting with system-level components.
Defense Evasion (TA0005)
System Binary Proxy Execution (T1218.001): FIRMACHAGENT utilizes compiled HTML files (such as CHM files) to bypass traditional security defenses. These files are often used to proxy the execution of malicious payloads, exploiting the system’s legitimate tools to hide malicious activity.
Obfuscated Files or Information (T1027): The malware uses obfuscated PowerShell scripts to avoid detection by traditional security solutions, hiding its actions and payloads.
Command and Control (TA0011)
Ingress Tool Transfer (T1105): FIRMACHAGENT downloads additional payloads or configuration data from remote servers to continue its operation.
Application Layer Protocol: Web Protocols (T1071.001): The malware communicates with its command-and-control (C2) server using web protocols, such as HTTP/HTTPS, which are commonly used to evade detection by blending in with regular internet traffic.
Exfiltration (TA0010)
Exfiltration Over C2 Channel (T1041): FIRMACHAGENT is designed to upload stolen data to a C2 server, facilitating the exfiltration of sensitive information like documents, credentials, and other valuable data from the compromised system.