ArguePatch Malware Used in Cyber Attacks on Ukraine

ukraine computer cyberattack

Security researchers have spotted more activity from the Sandworm advanced persistent threat actor. Sandworm is now using an updated version of the ArguePatch malware loader to attack more targets located in Ukraine.

ArguePatch was used in a series of attacks against Ukrainian entities back when the Russian invasion of the neighboring country began. Along with the first military action on Ukrainian soil, Russian-linked threat actors pulled off a series of attacks using destructive wiper malware, targeting Ukrainian institutions and using tools named CaddyWiper, HermeticWiper, and IsaacWiper. Those attacks used a previous version of the ArguePatch malware loader.

The name ArguePatch was assigned by Ukraine's CERT. The updated version of the loader has functionality that allows operators to run a later stage of the attack at a specific time. This addition makes the attack chain execute without the need to set up a scheduled task using internal Windows tools and helps avoid detection.

The updated ArguePatch is being distributed by abusing a legitimate ESET executable that has had its digital signature removed and portions of the code inside it changed.

May 23, 2022