FIRMACHAGENT (Trojan) – Malware

February 16, 2025

FIRMACHAGENT

Type of Malware

Trojan

Country of Origin

Russia

Targeted Countries

Ukraine

Date of Initial Activity

2024

Associated Groups

UAC-0020 (Vermin)

Motivation

Cyberwarfare
Data Theft

Attack Vectors

Phishing

Targeted Systems

Windows

Type of Information Stolen

Browser Data
Communication Data
Login credentials
System Information

Overview

On August 19, 2024, CERT-UA issued a cybersecurity alert (CERT-UA#10742) warning of a resurgence of the UAC-0020 hacking group, also known as Vermin, leveraging a new offensive tool called FIRMACHAGENT in their ongoing campaign targeting Ukraine. This attack follows their SickSync campaign from earlier in the year, in which they utilized the SPECTR malware to compromise Ukrainian military and governmental entities. The latest attack uses phishing emails with a deceptive subject line related to prisoners of war at the Kursk front during World War II, a topic that the attackers exploit for emotional manipulation.

Targets

Public Administration

How they operate

Infection and Initial Execution

The operation of FIRMACHAGENT begins with a phishing attack, where attackers craft deceptive emails containing malicious attachments or links. These emails often feature social engineering tactics designed to prey on the recipient’s curiosity or urgency, prompting them to open an attachment or click on a link. The attachment may be a Compiled HTML Help (CHM) file, which is commonly used in malware distribution due to its ability to execute embedded code without raising alarms. When the user interacts with the file, it triggers a chain of events, starting with the execution of an obfuscated PowerShell script embedded within the CHM file. This script is designed to bypass traditional security measures by obfuscating its commands, making detection more difficult for security software. Once executed, the PowerShell script performs a series of actions, including downloading additional components and payloads from remote servers. One of the primary goals at this stage is to download and install the core FIRMACHAGENT malware, which enables further exploitation of the compromised system. The malware is often configured to communicate with its C2 server, facilitating the next phase of the attack.

Persistence Mechanisms

To maintain long-term access to the compromised system, FIRMACHAGENT utilizes multiple persistence techniques. One of the most common methods involves the creation of scheduled tasks that allow the malware to automatically execute at regular intervals. By setting up these tasks, FIRMACHAGENT ensures that it remains active on the system, even after reboots or manual removals. These scheduled tasks are often set to trigger the execution of additional malicious scripts or malware components, reinforcing the malware’s foothold. In addition to scheduled tasks, FIRMACHAGENT may also attempt to escalate its privileges. Many attacks, including those leveraging PowerShell, require elevated privileges to execute successfully. In some cases, the malware may attempt to exploit vulnerabilities or abuse system control mechanisms to gain higher access levels, enabling it to interact with more sensitive parts of the operating system.

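Scheduled-task persistence of the kind described above leaves a Windows Security Event ID 4698 (task created) record whose TaskContent field carries the full task XML. The following triage script is an added example for this profile, not CERT-UA or CyberMaterial code: it scores each task on the indicators the paragraph names (a script host as the action, hidden-window or encoded-command arguments, a short repetition interval, a hidden task, and a request for the highest available run level). The two 4698 records are constructed; TaskName and TaskContent are the real 4698 field names, the XML follows the Task Scheduler schema, and the scoring thresholds are this example's own.

```python
"""Triage Security Event ID 4698 records for beacon-like scheduled-task persistence.
Added example, not CERT-UA or CyberMaterial code; sample records are constructed."""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# Encoded command (any -e... switch followed by a long base64 run), hidden window,
# download cmdlets, or a payload parked in a user-writable location.
SUSPICIOUS_ARGS = re.compile(
    r"-e[a-z]*\s+[A-Za-z0-9+/=]{20,}|-w(?:indowstyle)?\s+hidden|downloadstring|"
    r"invoke-webrequest|\biwr\b|\biex\b|%temp%|\\appdata\\|\\programdata\\",
    re.IGNORECASE,
)


def iso_duration_seconds(value: str) -> int:
    """Convert the ISO 8601 duration Task Scheduler stores in <Interval> (e.g. PT10M)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return 0
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def score_task(task_name: str, task_xml: str) -> Dict:
    """Return the task name, a score (one point per indicator) and the reasons."""
    root = ET.fromstring(task_xml)
    reasons = []
    for exec_el in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exec_el.findtext("t:Command", "", NS) or "").strip().strip('"')
        args = exec_el.findtext("t:Arguments", "", NS) or ""
        if cmd.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
            reasons.append(f"action runs a script host: {cmd}")
        if SUSPICIOUS_ARGS.search(args):
            reasons.append("arguments carry hidden-window, encoded-command or download markers")
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text)
        if 0 < secs <= 3600:
            reasons.append(f"repeats every {secs}s (beacon-like cadence)")
    if (root.findtext(".//t:Settings/t:Hidden", "", NS) or "").lower() == "true":
        reasons.append("task is hidden from the Task Scheduler UI")
    if root.findtext(".//t:Principals/t:Principal/t:RunLevel", "", NS) == "HighestAvailable":
        reasons.append("requests highest available privileges")
    return {"task": task_name, "score": len(reasons), "reasons": reasons}


def triage(events: List[Dict], min_score: int = 3) -> List[Dict]:
    """Score every 4698 record and return those at or above min_score, worst first."""
    scored = [score_task(e["TaskName"], e["TaskContent"]) for e in events]
    return sorted((s for s in scored if s["score"] >= min_score), key=lambda s: -s["score"])


def task_xml(command: str, arguments: str, trigger: str, hidden: str, run_level: str) -> str:
    """Build a minimal Task Scheduler XML document (constructed sample, real schema)."""
    return f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>{trigger}</Triggers>
  <Principals><Principal id="Author"><RunLevel>{run_level}</RunLevel></Principal></Principals>
  <Settings><Hidden>{hidden}</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions>
</Task>"""


# Constructed records. The encoded payload is a harmless placeholder ("Get-Date");
# the detector keys on the encoding, not on what is encoded.
ENC = base64.b64encode("Get-Date".encode("utf-16-le")).decode("ascii")
SAMPLE_4698_EVENTS = [
    {"SubjectUserName": "svc_updater", "TaskName": r"\Vendor\Updater Check",
     "TaskContent": task_xml(r"C:\Program Files\Vendor\Updater.exe", "/check",
                             "<CalendarTrigger><StartBoundary>2024-08-01T03:00:00</StartBoundary>"
                             "<ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>",
                             "false", "LeastPrivilege")},
    {"SubjectUserName": "victim", "TaskName": r"\Microsoft\Windows\Maintenance\SyncHelper",
     "TaskContent": task_xml("powershell.exe", f"-NoP -W Hidden -Enc {ENC}",
                             "<TimeTrigger><StartBoundary>2024-08-20T09:00:00</StartBoundary>"
                             "<Repetition><Interval>PT10M</Interval></Repetition></TimeTrigger>",
                             "true", "HighestAvailable")},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_4698_EVENTS):
        print(hit["task"], hit["score"], *hit["reasons"], sep="\n  ")
```

Points, not a single signature, are used on purpose: a legitimate updater may repeat every ten minutes and a legitimate admin task may run PowerShell, but a task that does both while hidden and asking for elevation is the combination the paragraph describes. Auditing task creation has to be enabled (Object Access / Other Object Access Events) for 4698 to be logged at all.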
Evasion and Obfuscation

FIRMACHAGENT employs several techniques to evade detection by security software. One of the key methods is the use of obfuscation, particularly in its PowerShell scripts. Obfuscation is the process of modifying the script in such a way that its intent remains hidden from automated analysis tools. This may include encoding commands, using non-standard syntax, or employing techniques like control flow obfuscation to confuse static analysis tools. By making the malicious code difficult to analyze, FIRMACHAGENT significantly reduces the chances of detection during early stages of execution. Another evasion tactic involves the use of legitimate system binaries to proxy the execution of malicious code. This is commonly known as “Living off the Land” (LOTL) and involves using existing system tools—such as Windows Management Instrumentation (WMI) or CHM files—to execute malicious commands without triggering alarms from traditional antivirus or endpoint detection systems.

Data Exfiltration

Once the malware has established its presence and escalated privileges, its next objective is typically to exfiltrate sensitive data. FIRMACHAGENT is equipped with capabilities to steal documents, credentials, and other sensitive information from the compromised system. This data is then uploaded to the attacker’s C2 server for further use, such as intelligence gathering or exploitation. The communication between the malware and the C2 server often uses common web protocols like HTTP or HTTPS, which are harder to detect due to their widespread usage in legitimate web traffic. By blending in with regular internet traffic, FIRMACHAGENT can exfiltrate data without raising suspicion from network monitoring tools. The exfiltration process is often facilitated by other malware components that have been downloaded onto the infected system. These components may be specifically designed to handle different forms of data extraction, such as scraping web browsers for stored credentials or capturing screenshots for intelligence purposes. FIRMACHAGENT’s ability to operate silently and efficiently makes it an effective tool for cyber espionage and data theft.
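Exfiltration over HTTP(S) blends in by protocol, but not by shape: a scheduled implant posting stolen files to one host produces requests at a near-constant interval with far more bytes leaving than returning, which ordinary browsing does not. The script below is an added example for this profile, not CERT-UA or CyberMaterial code. It works on web-proxy metadata only (timestamp, client, method, host, bytes out, bytes in), so it applies to TLS traffic whose payload cannot be inspected. The log lines, hostnames (example.invalid is a reserved placeholder TLD) and thresholds are constructed for the example.

```python
"""Find beacon-like, upload-heavy HTTP(S) sessions in web-proxy metadata.
Added example, not CERT-UA or CyberMaterial code; the log is constructed."""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed proxy log, not captured traffic.
# Columns: timestamp src method host bytes_out bytes_in
SAMPLE_PROXY_LOG = """\
2024-08-20T09:00:00Z 10.0.0.15 POST update-svc.example.invalid 48213 312
2024-08-20T09:00:04Z 10.0.0.15 GET  cdn.vendor.example 512 88211
2024-08-20T09:00:09Z 10.0.0.15 GET  cdn.vendor.example 498 40120
2024-08-20T09:03:40Z 10.0.0.15 GET  cdn.vendor.example 530 120044
2024-08-20T09:05:01Z 10.0.0.15 POST update-svc.example.invalid 51920 301
2024-08-20T09:09:59Z 10.0.0.15 POST update-svc.example.invalid 47730 298
2024-08-20T09:11:02Z 10.0.0.15 GET  cdn.vendor.example 501 9922
2024-08-20T09:12:15Z 10.0.0.15 POST mail.corp.example 9120 1400
2024-08-20T09:12:15Z 10.0.0.15 GET  cdn.vendor.example 488 15000
2024-08-20T09:15:00Z 10.0.0.15 POST update-svc.example.invalid 50210 305
2024-08-20T09:20:02Z 10.0.0.15 POST update-svc.example.invalid 49880 310
2024-08-20T09:25:00Z 10.0.0.15 POST update-svc.example.invalid 48002 299
2024-08-20T09:27:50Z 10.0.0.15 GET  cdn.vendor.example 515 33011
2024-08-20T09:30:00Z 10.0.0.15 POST mail.corp.example 7210 1350
"""


def parse_log(text: str) -> List[Dict]:
    """Parse the whitespace-separated format above; blank and '#' lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, method, host, out_b, in_b = line.split()
        rows.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "src": src,
                     "method": method, "host": host, "out": int(out_b), "in": int(in_b)})
    return rows


def find_exfil_beacons(rows: List[Dict], min_hits: int = 5, max_jitter: float = 0.10,
                       min_upload_ratio: float = 5.0) -> List[Dict]:
    """Group requests by (client, destination host). A group is reported when it has
    enough requests, the gaps between them are nearly constant (coefficient of
    variation <= max_jitter) and far more bytes leave than return."""
    groups: Dict[tuple, List[Dict]] = defaultdict(list)
    for r in rows:
        groups[(r["src"], r["host"])].append(r)
    findings = []
    for (src, host), hits in groups.items():
        if len(hits) < min_hits:
            continue
        hits.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        out_total = sum(r["out"] for r in hits)
        in_total = sum(r["in"] for r in hits)
        ratio = out_total / in_total if in_total else float("inf")
        if jitter <= max_jitter and ratio >= min_upload_ratio:
            findings.append({"src": src, "host": host, "hits": len(hits),
                             "period_s": round(mean_gap), "jitter": round(jitter, 3),
                             "upload_ratio": round(ratio, 1), "bytes_out": out_total})
    return sorted(findings, key=lambda f: -f["bytes_out"])


if __name__ == "__main__":
    for f in find_exfil_beacons(parse_log(SAMPLE_PROXY_LOG)):
        print(f"{f['src']} -> {f['host']}: {f['hits']} posts every ~{f['period_s']}s, "
              f"jitter {f['jitter']}, {f['bytes_out']} bytes out (ratio {f['upload_ratio']})")
```

In the constructed log the six posts to update-svc.example.invalid land every 300 seconds with a coefficient of variation below 0.01 and an upload ratio above 160, while the browsing to cdn.vendor.example has the same request count but irregular timing and a download-heavy byte ratio, so only the first group is reported. Real implants may add deliberate jitter, so the threshold is a tuning knob rather than a constant, and the byte ratio carries the signal when timing alone does not.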

MITRE Tactics and Techniques

Initial Access (TA0001)

Phishing (T1566): FIRMACHAGENT is often delivered through phishing emails, where the attacker uses a social engineering lure to convince the victim to open malicious attachments or click on harmful links. This is commonly done using a spear-phishing attachment or link that delivers the malware to the victim’s system.

Execution (TA0002)

User Execution (T1204): The execution of FIRMACHAGENT is triggered when the victim opens a malicious attachment, such as a CHM (Compiled HTML Help) file, or interacts with a deceptive link. This technique involves user interaction to execute the payload.

Command and Scripting Interpreter (T1059): FIRMACHAGENT executes malicious PowerShell commands and other scripts on the victim’s machine to carry out various malicious actions, such as downloading additional components or communicating with C2 servers.

Persistence (TA0003)

Scheduled Task/Job (T1053.005): FIRMACHAGENT creates and manages scheduled tasks to ensure persistence on infected systems. This allows the malware to execute at specified intervals, maintaining access over time.

Privilege Escalation (TA0004)

Abuse Elevation Control Mechanism (T1548): While not explicitly detailed, tools like FIRMACHAGENT often require privilege escalation to execute with higher privileges, especially when installing other malware or interacting with system-level components.

Defense Evasion (TA0005)

System Binary Proxy Execution (T1218.001): FIRMACHAGENT utilizes compiled HTML files (such as CHM files) to bypass traditional security defenses. These files are often used to proxy the execution of malicious payloads, exploiting the system’s legitimate tools to hide malicious activity.

Obfuscated Files or Information (T1027): The malware uses obfuscated PowerShell scripts to avoid detection by traditional security solutions, hiding its actions and payloads.

Command and Control (TA0011)

Ingress Tool Transfer (T1105): FIRMACHAGENT downloads additional payloads or configuration data from remote servers to continue its operation.

Application Layer Protocol: Web Protocols (T1071.001): The malware communicates with its command-and-control (C2) server using web protocols, such as HTTP/HTTPS, which are commonly used to evade detection by blending in with regular internet traffic.

Exfiltration (TA0010)

Exfiltration Over C2 Channel (T1041): FIRMACHAGENT is designed to upload stolen data to a C2 server, facilitating the exfiltration of sensitive information like documents, credentials, and other valuable data from the compromised system.

References:
  • UAC-0020 (Vermin) Activity Detection: A New Phishing Attack Abusing the Topic of Prisoners of War at the Kursk Front and Using FIRMACHAGENT Malware