Russian Hackers Leverage WinRAR to Unleash Wiper Malware on Ukrainian State Networks


Security experts spotted Russian hackers leveraging the WinRAR archiving program to spread wiper malware on Ukrainian state networks in a bid to destroy critical data on government devices and disrupt services.

In a security advisory describing the hackers’ methods, Ukraine’s Computer Emergency Response Team (CERT-UA) said the attackers breached the state network through compromised VPN accounts that lacked multi-factor authentication.

Once inside, perpetrators deployed scripts designed to wipe files on Windows and Linux machines using WinRAR, an inconspicuous, popular archiving program. The Russian hackers, believed to be part of the infamous Sandworm hacking group, used a BAT script called 'RoarBat' on Windows devices.

The script searches for specific file types across the target's disks and directories, such as documents, images, archives, videos and various system files. Targeted extensions include, but are not limited to:

.doc, .docx, .rtf, .txt, .xls, .xlsx, .ppt, .pptx, .vsd, .vsdx, .pdf, .png, .jpeg, .jpg, .zip, .rar, .7z, .mp4, .sql, .php, .vbk, .vib, .vrb, .p7s, .sys, .dll, .exe, .bin and .dat

Once identified, the files are archived with the WinRAR program. However, the malicious script runs WinRAR with the -df switch, which automatically deletes the source files once they have been added to the archive. After compression, the archives themselves are deleted as well to maximize damage.
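A defender-side check for the behaviour described above, written as an added example for this article rather than code from CERT-UA or from the advisory: it scans process-creation events for WinRAR invocations that carry the -df (delete after archiving) switch and grades them by how many of the listed extensions would be removed. The JSON field names (Host, User, Image, CommandLine) follow the Sysmon event style but are an assumption, the sample events are constructed, and the -r (recurse) switch is a standard WinRAR option used here only to raise severity.

```python
"""Flag WinRAR 'archive and delete source' (-df) runs in process-creation logs.

Added example for this article; the events below are constructed, not taken
from CERT-UA's advisory. Field names (Host, User, Image, CommandLine) are
assumed to follow the Sysmon event-1 layout.
"""
import json
import ntpath
import shlex
from typing import Iterable, Optional

# File extensions the article lists as RoarBat targets.
TARGET_EXTENSIONS = {
    ".doc", ".docx", ".rtf", ".txt", ".xls", ".xlsx", ".ppt", ".pptx", ".vsd",
    ".vsdx", ".pdf", ".png", ".jpeg", ".jpg", ".zip", ".rar", ".7z", ".mp4",
    ".sql", ".php", ".vbk", ".vib", ".vrb", ".p7s", ".sys", ".dll", ".exe",
    ".bin", ".dat",
}

# Executable names of the WinRAR command-line and GUI binaries.
ARCHIVER_IMAGES = {"rar.exe", "winrar.exe"}


def _split_cmdline(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes and
    keeping backslashes (posix=False); fall back to a plain split on an
    unbalanced quote rather than dropping the event."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        tokens = cmdline.split()
    return [t.strip('"') for t in tokens]


def analyze_event(event: dict) -> Optional[dict]:
    """Return a finding if the event is a WinRAR run that deletes its inputs."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image not in ARCHIVER_IMAGES:
        return None
    tokens = _split_cmdline(event.get("CommandLine", ""))
    switches = {t.lower() for t in tokens[1:] if t.startswith("-")}
    if "-df" not in switches:          # -df: delete source files after archiving
        return None
    # Wildcard masks such as *.docx show which extensions would be removed.
    masks = [t for t in tokens if t.startswith("*.")]
    hit = sorted({ntpath.splitext(m)[1].lower() for m in masks} & TARGET_EXTENSIONS)
    recursive = "-r" in switches       # -r: recurse into subdirectories
    severity = "high" if (recursive or len(hit) >= 3) else "medium"
    return {
        "host": event.get("Host", "?"),
        "user": event.get("User", "?"),
        "image": image,
        "recursive": recursive,
        "target_extensions": hit,
        "severity": severity,
    }


def scan(lines: Iterable[str]) -> list:
    """Parse JSON-lines events and collect findings; skip malformed lines."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = analyze_event(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events: a benign backup, a RoarBat-style run, an
# unrelated process that merely contains "-df", and a -df run on an
# extension not in the list.
SAMPLE_LOG = [
    r'{"Host": "ws01", "User": "CORP\\alice", "Image": "C:\\Program Files\\WinRAR\\Rar.exe", "CommandLine": "\"C:\\Program Files\\WinRAR\\Rar.exe\" a backup.rar *.docx"}',
    r'{"Host": "fs02", "User": "CORP\\svc_vpn", "Image": "C:\\Program Files\\WinRAR\\Rar.exe", "CommandLine": "\"C:\\Program Files\\WinRAR\\Rar.exe\" a -r -df -y C:\\temp\\out.rar *.doc *.docx *.pdf *.xlsx"}',
    r'{"Host": "fs02", "User": "CORP\\svc_vpn", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c del -df"}',
    r'{"Host": "ws03", "User": "CORP\\bob", "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "CommandLine": "WinRAR.exe a -df logs.rar *.log"}',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against a real export, the same check works on any JSON-lines feed of process events; the switch match is case-insensitive because WinRAR accepts switches in either case, and the benign backup in the sample produces no finding because it never asks WinRAR to delete its inputs.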

CERT-UA found several similarities between this incident and an attack in January against Ukrinform, including the execution approach, the IP addresses of the intruders, and the use of a modified version of RoarBat. These factors fit the modus operandi of Sandworm.

“Thus, despite the coverage of the fact of the cyberattack using another telegram channel, CERT-UA associates the described activity with a moderate level of confidence with the activities of the Sandworm group, but the appropriate identifier UAC-0165 was created for its point tracking,” reads CERT-UA’s security advisory.

CERT-UA urges users to watch out for abnormal activity on the network and “take immediate measures to reduce ‘surface’ attacks.” The advisory also includes indicators of compromise to help system administrators assess whether the new malicious campaign has targeted machines on their network.

Specialized tools like Bitdefender Ultimate Security can protect you from data-wiper malware and other cyber threats with a comprehensive set of features, which includes:

  • Continuous, all-around monitoring and protection against viruses, worms, spyware, Trojans, rootkits, zero-day exploits, ransomware, and other e-threats
  • Behavioral detection module that closely monitors active apps and takes instant action upon detecting suspicious activity
  • Network threat prevention technology that can detect and block suspicious network-level activities, including botnet-related URLs, brute-force attacks, and sophisticated exploits
  • Vulnerability assessment module that scans your system for weak points (missing security updates, vulnerable and outdated software, unsafe settings) and suggests the best course of action

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
