RoarBAT Malware Spotted by Ukrainian CERT

Tags: russia, ukraine, cyberattacks

The Computer Emergency Response Team of Ukraine (CERT-UA) has reported an ongoing phishing campaign that uses invoice-themed lures to spread the SmokeLoader malware. The emails are sent from compromised accounts and carry a ZIP archive that is actually a polyglot file containing a decoy document and a JavaScript file. That JavaScript file launches SmokeLoader, whose role is to download additional, more capable malware onto infected systems. CERT-UA attributes this activity to UAC-0006, a financially motivated threat actor that seeks to steal credentials and transfer funds without authorization.

In addition, Ukraine's cybersecurity authority has revealed a destructive attack against public sector organizations carried out by UAC-0165, a group that CERT-UA has moderately attributed to the Sandworm group. The attack involved a batch script-based wiper malware called RoarBAT that recursively searched for files with specific extensions and deleted them using the legitimate WinRAR utility. The group also compromised Linux systems using a bash script that overwrote files with zero bytes to avoid detection.

The attack was made possible by the absence of multi-factor authentication (MFA) on remote VPN connections. Its destructive impact caused impairments to electronic computers, server equipment, automated user workplaces, and data storage systems.

What Are Advanced Persistent Threat Actors?

Advanced Persistent Threat (APT) actors are highly skilled and motivated cyber attackers who conduct long-term, targeted cyber espionage campaigns against specific targets such as government agencies, critical infrastructure, or large corporations. These attackers use sophisticated techniques to gain unauthorized access to sensitive information and systems, with the goal of stealing valuable intellectual property, classified information, or financial data.

APTs typically use a combination of tactics, such as spear-phishing, social engineering, malware, and remote access tools to gain access to targeted systems. Once they gain access, APT actors may establish a foothold in the network, move laterally within the target environment, and remain undetected for long periods of time while they exfiltrate data.

APT actors are often state-sponsored, with the backing of nation-states or other large organizations that have significant resources to support their cyber operations. However, they may also be financially motivated, working on behalf of criminal organizations seeking to steal valuable data for profit.

Defending against APT attacks requires a multifaceted approach that includes advanced threat detection and response capabilities, strong security hygiene practices, and continuous monitoring of network activity for signs of suspicious behavior.
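As an added example that is not part of the original article or of CERT-UA's report, the following Python script shows one way to turn the "continuous monitoring" advice above into a concrete check against the RoarBAT pattern described earlier (a batch script that has the legitimate WinRAR utility delete files). It scans process-creation events for WinRAR's command-line archiver being run with the real `-df` switch (delete files after archiving), which turns an ordinary archiving job into a file-deletion primitive, and raises the severity when the launch came from a cmd.exe batch host. The Sysmon-style event layout, the field names, the sample lines (all constructed for this example) and the assumption that the wiper invokes `rar a ... -df` are this example's own, not details taken from the article.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample process-creation events in a Sysmon-like "Key: value | Key: value"
# layout. These lines were written for this example and are not telemetry from the incident.
SAMPLE_EVENTS: List[str] = [
    "Image: C:\\Windows\\System32\\cmd.exe | CommandLine: cmd.exe /c C:\\Users\\Public\\update.bat | ParentImage: C:\\Windows\\explorer.exe",
    "Image: C:\\Program Files\\WinRAR\\Rar.exe | CommandLine: Rar.exe a -r -df -y C:\\Users\\Public\\out.rar D:\\*.docx | ParentImage: C:\\Windows\\System32\\cmd.exe",
    "Image: C:\\Program Files\\WinRAR\\WinRAR.exe | CommandLine: WinRAR.exe a -r reports.rar D:\\reports\\*.xlsx | ParentImage: C:\\Windows\\explorer.exe",
    "Image: C:\\Program Files\\WinRAR\\Rar.exe | CommandLine: Rar.exe a -df -r C:\\tmp\\a.rar C:\\Users\\*.pdf | ParentImage: C:\\Windows\\System32\\cmd.exe",
    "Image: C:\\Windows\\System32\\notepad.exe | CommandLine: notepad.exe -df | ParentImage: C:\\Windows\\explorer.exe",
]

ARCHIVER_IMAGES = {"rar.exe", "winrar.exe"}  # WinRAR console and GUI binaries
BATCH_HOSTS = {"cmd.exe"}                     # parent that indicates a script-driven launch


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key: value | Key: value' into a dict; fields without ': ' are ignored."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_rar_command(cmdline: str) -> Optional[Tuple[str, List[str], str, List[str]]]:
    """Return (command, switches, archive, targets) for 'rar <cmd> [switches] <archive> <files...>'."""
    tokens = cmdline.split()
    if len(tokens) < 2:
        return None
    command = tokens[1].lower()
    switches: List[str] = []
    positional: List[str] = []
    for tok in tokens[2:]:
        (switches if tok.startswith("-") else positional).append(tok)
    archive = positional[0] if positional else ""
    return command, switches, archive, positional[1:]


def scan_events(lines: List[str]) -> List[Dict]:
    """Flag archive-and-delete runs of WinRAR; severity rises when launched from a batch host."""
    findings: List[Dict] = []
    for line in lines:
        ev = parse_event(line)
        image = basename(ev.get("Image", ""))
        if image not in ARCHIVER_IMAGES:
            continue
        parsed = split_rar_command(ev.get("CommandLine", ""))
        if parsed is None:
            continue
        command, switches, archive, targets = parsed
        # '-df' (delete files after archiving) on an 'a' (add) command is the deletion primitive.
        # Switch matching is case-insensitive here as a conservative choice (assumption).
        if command != "a" or not any(s.lower() == "-df" for s in switches):
            continue
        parent = basename(ev.get("ParentImage", ""))
        findings.append({
            "image": image,
            "parent": parent,
            "recursive": any(s.lower() == "-r" for s in switches),  # '-r' recurses subdirectories
            "archive": archive,
            "targets": targets,
            "severity": "high" if parent in BATCH_HOSTS else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['parent']} -> {f['image']} -df "
              f"targets={f['targets']} recursive={f['recursive']}")
```

Run against the embedded sample, the script reports the two `Rar.exe ... -df` launches from cmd.exe as high severity and ignores both the ordinary archiving job and the unrelated process that merely happens to carry a `-df` argument. In production the same logic would consume a real process-creation feed rather than embedded strings, and the target file masks it extracts (here `*.docx` and `*.pdf`) are what an analyst would compare against the extension list the wiper is known to seek.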

May 10, 2023
