S0257 VERMIN
VERMIN is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code.[1]
Item | Value |
---|---|
ID | S0257 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 17 October 2018 |
Last Modified | 30 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | VERMIN uses HTTP for C2 communications.[1] |
enterprise | T1560 | Archive Collected Data | VERMIN encrypts the collected files using 3-DES.[1] |
enterprise | T1123 | Audio Capture | VERMIN can perform audio capture.[1] |
enterprise | T1119 | Automated Collection | VERMIN saves each collected file with the automatically generated format {0:dd-MM-yyyy}.txt.[1] |
enterprise | T1115 | Clipboard Data | VERMIN collects data stored in the clipboard.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | VERMIN decrypts code, strings, and commands to use once it’s on the victim’s machine.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | VERMIN can delete files on the victim’s machine.[1] |
enterprise | T1105 | Ingress Tool Transfer | VERMIN can download and upload files to the victim’s machine.[1] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | VERMIN collects keystrokes from the victim machine.[1] |
enterprise | T1027 | Obfuscated Files or Information | VERMIN is obfuscated using the obfuscation tool called ConfuserEx.[1] |
enterprise | T1027.002 | Software Packing | VERMIN is initially packed.[1] |
enterprise | T1057 | Process Discovery | VERMIN can get a list of the processes and running tasks on the system.[1] |
enterprise | T1113 | Screen Capture | VERMIN can perform screen captures of the victim’s machine.[1] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | VERMIN uses WMI to check for anti-virus software installed on the system.[1] |
enterprise | T1082 | System Information Discovery | VERMIN collects the OS name, machine name, and architecture information.[1] |
enterprise | T1016 | System Network Configuration Discovery | VERMIN gathers the local IP address.[1] |
enterprise | T1033 | System Owner/User Discovery | VERMIN gathers the username from the victim’s machine.[1] |
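Two rows above give a hunter something concrete to match on: the Automated Collection (T1119) row says collected files are named with the .NET format string {0:dd-MM-yyyy}.txt, and the Obfuscated Files or Information (T1027) row says the binary is obfuscated with ConfuserEx. The helper below is an added example written for this page, not code from VERMIN, from MITRE, or from the cited report. It assumes two things the page does not state: that the date format yields a real calendar date (so a regex hit that is not a valid date is rejected), and that the sample retained ConfuserEx's default watermark, the `ConfusedByAttribute` custom attribute whose constructor argument begins "ConfuserEx v", which an operator can strip at build time. The sample file names and assembly bytes are constructed, not taken from a real sample.

```python
"""Hunting helpers for the VERMIN artifacts described on this page.

Assumptions (not from the page):
  * the collection file name comes from .NET String.Format with the pattern
    {0:dd-MM-yyyy}.txt, so a true hit is a file whose stem is a real date;
  * the ConfuserEx watermark ('ConfusedByAttribute' plus a "ConfuserEx v..."
    constructor string) is the obfuscator's default and may have been removed.
"""
import re
from datetime import datetime

# {0:dd-MM-yyyy}.txt -> two-digit day, two-digit month, four-digit year
_COLLECTION_NAME = re.compile(r"^\d{2}-\d{2}-\d{4}\.txt$")


def is_collection_filename(name: str) -> bool:
    """True if `name` matches VERMIN's automated-collection output naming.

    A regex alone would accept 31-02-2019.txt; parsing the stem as a date
    rejects it, which keeps false positives down on a large profile sweep.
    """
    if not _COLLECTION_NAME.match(name):
        return False
    try:
        datetime.strptime(name[:-4], "%d-%m-%Y")
    except ValueError:
        return False
    return True


# Default ConfuserEx watermark strings. Assumption: this build kept them.
_CONFUSER_MARKERS = (b"ConfusedByAttribute", b"ConfuserEx v")


def obfuscator_markers(data: bytes) -> list[str]:
    """Return the ConfuserEx marker strings present in a .NET assembly image.

    The type name lives in the #Strings heap and the constructor argument in
    the custom-attribute blob; both are UTF-8, so a byte search finds them.
    The UTF-16LE variant is checked too in case a marker was moved into a
    user string (#US heap), which is stored as UTF-16LE.
    """
    found = []
    for marker in _CONFUSER_MARKERS:
        utf16 = marker.decode("ascii").encode("utf-16-le")
        if marker in data or utf16 in data:
            found.append(marker.decode("ascii"))
    return found


def triage(filenames, assembly_bytes: bytes) -> dict:
    """Run both checks and return one report for the host."""
    return {
        "collection_files": [n for n in filenames if is_collection_filename(n)],
        "obfuscator_markers": obfuscator_markers(assembly_bytes),
    }


# Constructed sample input (not a real VERMIN sample). The assembly bytes
# mimic a DOS header followed by the attribute type name and a blob string
# with its one-byte SerString length prefix (0x11 = 17 characters).
SAMPLE_FILES = ["17-10-2018.txt", "31-02-2019.txt", "notes.txt", "2018-10-17.txt"]
SAMPLE_ASSEMBLY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"ConfusedByAttribute\x00"
    + b"\x11ConfuserEx v1.0.0\x00"
)

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_ASSEMBLY))
```

On a real host the filename check is cheap enough to run over every user-writable directory; the marker check only says "ConfuserEx was used", which is common in legitimate software too, so treat it as a pivot for further analysis rather than a verdict on its own.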