RoarBAT Malware Spotted by Ukrainian CERT

The Computer Emergency Response Team of Ukraine (CERT-UA) has reported an ongoing phishing campaign that uses invoice-themed lures to spread the SmokeLoader malware. The emails are sent from compromised accounts and carry a ZIP archive that is actually a polyglot file containing a decoy document and a JavaScript file. That JavaScript file executes SmokeLoader, whose role is to download more effective malware onto infected systems. CERT-UA attributes this activity to UAC-0006, a financially motivated threat actor that seeks to steal credentials and transfer funds without authorization.
In addition, Ukraine's cybersecurity authority has revealed a destructive attack against public sector organizations carried out by UAC-0165, a group that CERT-UA attributes with moderate confidence to the Sandworm group. The attack involved a batch script-based wiper called RoarBAT that recursively searched for files with specific extensions and deleted them using the legitimate WinRAR utility. The group also compromised Linux systems using a bash script that overwrote files with zero bytes to avoid detection.
The attack was facilitated by the absence of multi-factor authentication (MFA) on remote VPN connections. Its destructive impact caused impairments to electronic computers, server equipment, automated user workstations, and data storage systems.
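A detection-side illustration of the Windows half of this technique, added here as an example and not code from CERT-UA or the report: it scores process-creation events in which a script host launches WinRAR with a delete-after-archiving switch over recursive wildcard targets. The sample events are constructed, and the `-df`/`-dw` switch names are an assumption drawn from WinRAR's documented options rather than from the page.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# not real telemetry: event 0 mimics a batch-driven wiper, 1 and 2 are benign.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r -df -ep1 C:\Temp\a.rar C:\*.doc C:\*.xls C:\*.pdf',
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r"cmd.exe /c C:\Users\Public\update.bat"},
    {"image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r D:\backup.rar C:\Users\me\Documents',
     "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmdline": "explorer.exe"},
    {"image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" x C:\Temp\tools.rar',
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r"cmd.exe /c C:\Users\Public\setup.bat"},
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
ARCHIVERS = {"winrar.exe", "rar.exe"}
# Assumption: WinRAR's documented -df (delete) / -dw (wipe) after-archiving
# switches are what turn the archiver into a deletion tool; not named on the page.
DELETE_SWITCHES = {"-df", "-dw"}

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _tokens(cmdline):
    # Windows-style split: keep quoted paths containing spaces as one token.
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def evaluate(event):
    """Return the reasons an event looks like archiver-driven wiping ([] if benign)."""
    if _basename(event["image"]) not in ARCHIVERS:
        return []
    toks = _tokens(event["cmdline"])
    switches = {t for t in toks if t.startswith("-")}
    if not switches & DELETE_SWITCHES:
        return []  # archiving without deleting is normal admin activity
    reasons = ["archiver invoked with delete/wipe-after-archive switch"]
    if _basename(event["parent_image"]) in SCRIPT_HOSTS:
        reasons.append("launched by a script host (batch/PowerShell/WSH)")
    if "-r" in switches and any(t.startswith("*.") or "\\*." in t for t in toks):
        reasons.append("recursive run over wildcard file patterns")
    return reasons

def scan(events):
    """Index every event that produced at least one reason."""
    return [(i, evaluate(e)) for i, e in enumerate(events) if evaluate(e)]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(reasons))
```

Only the first sample event fires, with all three reasons; the interactive backup and the plain extraction stay silent, which is the false-positive control an analyst wants before shipping such a rule.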
What Are Advanced Persistent Threat Actors?
Advanced Persistent Threat (APT) actors are highly skilled and motivated cyber attackers who conduct long-term, targeted cyber espionage campaigns against specific targets such as government agencies, critical infrastructure, or large corporations. These attackers use sophisticated techniques to gain unauthorized access to sensitive information and systems, with the goal of stealing valuable intellectual property, classified information, or financial data.
APTs typically use a combination of tactics, such as spear-phishing, social engineering, malware, and remote access tools to gain access to targeted systems. Once they gain access, APT actors may establish a foothold in the network, move laterally within the target environment, and remain undetected for long periods of time while they exfiltrate data.
APT actors are often state-sponsored, with the backing of nation-states or other large organizations that have significant resources to support their cyber operations. However, they may also be financially motivated, working on behalf of criminal organizations seeking to steal valuable data for profit.
Defending against APT attacks requires a multifaceted approach that includes advanced threat detection and response capabilities, strong security hygiene practices, and continuous monitoring of network activity for signs of suspicious behavior.