
RoarBAT Malware

According to a fresh advisory released by the Ukrainian Government Computer Emergency Response Team (CERT-UA), the Russian hacking group 'Sandworm' is suspected of being responsible for a cyberattack that targeted Ukrainian state networks. The attackers gained entry through compromised VPN accounts that were not protected by multi-factor authentication, which gave them access to critical systems within the networks.

Once the Sandworm group had gained entry to the targeted devices, they deployed the previously unknown RoarBAT script to delete data on Windows machines and a Bash script to do the same on Linux systems. On Windows, the wiping was carried out with WinRAR, a popular and legitimate archiving program. The attack caused significant damage to the Ukrainian government's IT infrastructure and underlines the importance of multi-factor authentication as a critical control against this kind of initial access.

RoarBAT Exploits the Popular WinRAR Archive Application to Delete Data

The Sandworm threat actors employ a BAT script called 'RoarBat' on Windows. This script scans the disks and specific directories of the breached devices for numerous file types, including doc, pdf, png, docx, xls, xlsx, ppt, pptx, vsd, vsdx, rtf, txt, jpeg, jpg, zip, rar, 7z, mp4, SQL, PHP, back, vib, vrb, p7s, sys, dll, exe, bin, and dat. Any file that matches the set criteria is then archived with the popular and legitimate WinRAR archiver tool.

However, the threat actors run WinRAR with the '-df' command-line switch, which deletes each source file once it has been added to the archive. The archives themselves are then removed as well, so the data is permanently erased from the victim's device. According to CERT-UA, RoarBAT is launched by a scheduled task that is centrally distributed to Windows domain devices via Group Policy.

Hackers Target Linux Systems as Well

On Linux systems the attackers used a Bash script that relies on the 'dd' utility to overwrite the contents of the targeted file types with zero bytes, effectively erasing their data. Because the original contents are overwritten rather than merely unlinked, recovery of files 'emptied' by dd is unlikely, if not impossible.

The use of legitimate programs such as the 'dd' command and WinRAR suggests that the threat actors aimed to evade detection by security software, since neither binary is malicious on its own and both are commonly present on the systems they targeted.
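As an added example (not code from the CERT-UA advisory or from this page), the following Python flags the two living-off-the-land wipe patterns described in the WinRAR and Linux sections above in process-creation events: Rar.exe/WinRAR.exe launched with the -df switch, and dd copying /dev/zero over a regular file rather than a device. The event fields and sample command lines are constructed for the example.

```python
import shlex

# Constructed process-creation events (not from the advisory); only the fields a
# detection rule would take from a Sysmon Event ID 1 or auditd EXECVE record.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r'"C:\Program Files\WinRAR\Rar.exe" a -r -df C:\Users\a\out.rar C:\Users\a\Documents\*.docx'},
    {"host": "ws01", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r backup.rar C:\Users\a\Documents'},
    {"host": "srv02", "image": "/usr/bin/dd",
     "cmdline": "dd if=/dev/zero of=/var/www/html/index.php bs=1M"},
    {"host": "srv02", "image": "/usr/bin/dd",
     "cmdline": "dd if=/dev/zero of=/dev/null bs=1M count=10"},
    {"host": "srv02", "image": "/usr/bin/dd",
     "cmdline": "dd if=/dev/sda of=/mnt/backup/disk.img bs=4M"},
]

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def winrar_deletes_after_archiving(image: str, cmdline: str) -> bool:
    """True when Rar.exe/WinRAR.exe runs with -df ('delete files after archiving');
    -r (recurse) or a plain 'a' (add) command alone is ordinary use."""
    if _basename(image) not in ("rar.exe", "winrar.exe"):
        return False
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    except ValueError:  # unbalanced quotes in a logged command line
        return False
    return any(tok.lower() == "-df" for tok in argv[1:])

def dd_zero_fills_file(image: str, cmdline: str) -> bool:
    """True when dd writes /dev/zero over a regular file path (not a /dev node),
    the Linux wipe pattern described above."""
    if _basename(image) != "dd":
        return False
    opts = dict(tok.split("=", 1) for tok in shlex.split(cmdline)[1:] if "=" in tok)
    dst = opts.get("of", "")
    return opts.get("if") == "/dev/zero" and bool(dst) and not dst.startswith("/dev/")

def find_wiper_activity(events):
    """Return one alert dict per event matching either wiper pattern."""
    alerts = []
    for ev in events:
        if winrar_deletes_after_archiving(ev["image"], ev["cmdline"]):
            alerts.append({"host": ev["host"], "technique": "winrar_-df", "cmdline": ev["cmdline"]})
        elif dd_zero_fills_file(ev["image"], ev["cmdline"]):
            alerts.append({"host": ev["host"], "technique": "dd_zero_fill", "cmdline": ev["cmdline"]})
    return alerts

if __name__ == "__main__":
    for a in find_wiper_activity(SAMPLE_EVENTS):
        print(f"{a['host']}: {a['technique']} :: {a['cmdline']}")
```

Pairing the WinRAR rule with the parent-process field (a scheduled task launched via Group Policy, as the advisory describes) cuts false positives from interactive archiving.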

Similarities with Previous Attacks against Ukrainian Targets

According to CERT-UA, the recent destructive attack carried out by Sandworm bears striking similarities to an attack in January 2023 on the Ukrainian state news agency 'Ukrinform', which was also attributed to the same threat actor. The way the attack was carried out, the IP addresses used by the attackers, and the use of a modified version of RoarBAT all point to a link between the two cyberattacks.
