The Sandworm APT (Advanced Persistent Threat) group has expanded its threatening arsenal with a new version of their loader malware known as ArguePatch. Sandworm is believed to be behind some of the most disruptive attack operations. Since the start of the war in Ukraine, the group has been focused on targets within the country particularly.
The ArguePatch loader was deployed as part of the Industroyer2 attack chain. The Industroyer2 threat can compromise industrial control systems (ICS) and be leveraged against a Ukrainian energy provider to disrupt the country's energy grid. In addition, ArguePatch has been deployed in numerous attacks delivering the data-wiping malware CaddyWiper.
The new version of ArguePatch was analyzed by cybersecurity researchers and revealed to the public in a new report. According to the findings of the experts, the improvement ArguePatch uses a different technique to execute the next stage of the attack, making it far more stealthy. Earlier versions needed to set up a scheduled task in Windows. To reduce the footprint on the system, the hackers have equipped the loader with the ability to activate the next stage at a specified time automatically. Another difference is that the newer ArguePatch version exploits an official executable to hide itself. The digital signature of the abused file is removed and its code is overwritten.