Security experts spotted Russian hackers leveraging the WinRAR archiving program to spread wiper malware on Ukrainian state networks in a bid to destroy critical data on government devices and disrupt services.
In a security advisory describing the hackers’ methods, Ukraine’s Computer Emergency Response Team (CERT-UA) said they breached the state network by exploiting compromised VPN accounts that lacked multi-factor authentication.
Once inside, perpetrators deployed scripts designed to wipe files on Windows and Linux machines using WinRAR, an inconspicuous, popular archiving program. The Russian hackers, believed to be part of the infamous Sandworm hacking group, used a BAT script called 'RoarBat' on Windows devices.
The script searches for specific file types across the target's disks and directories, such as documents, images, archives, videos and various system files. Targeted extensions include, but are not limited to:
.doc, .docx, .rtf, .txt, .xls, .xlsx, .ppt, .pptx, .vsd, .vsdx, .pdf, .png, .jpeg, .jpg, .zip, .rar, .7z, .mp4, .sql, .php, .vbk, .vib, .vrb, .p7s, .sys, .dll, .exe, .bin and .dat
Once identified, the files are archived using the WinRAR program. However, the malicious script passes the -df switch, which makes WinRAR delete each file as soon as it has been compressed. After compression, the archive files are also deleted to maximize damage.
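The behaviour described above (an archiver invoked with -df against file masks matching the listed extensions) is visible in process-creation telemetry. The following detection helper is an added example, not code from the article or from CERT-UA; the sample command lines are constructed, and the archiver image names and argument layout (command, archive name, then file masks) are assumptions about typical rar.exe usage.

```python
import os
import re

# Extensions the advisory names as RoarBat targets (taken from the article).
TARGETED_EXTENSIONS = {
    ".doc", ".docx", ".rtf", ".txt", ".xls", ".xlsx", ".ppt", ".pptx", ".vsd", ".vsdx",
    ".pdf", ".png", ".jpeg", ".jpg", ".zip", ".rar", ".7z", ".mp4", ".sql", ".php",
    ".vbk", ".vib", ".vrb", ".p7s", ".sys", ".dll", ".exe", ".bin", ".dat",
}
# Assumed WinRAR command-line images to watch for.
ARCHIVER_IMAGES = {"rar.exe", "winrar.exe"}

# Constructed sample process command lines (not from the advisory).
SAMPLE_COMMAND_LINES = [
    r'"C:\Program Files\WinRAR\Rar.exe" a -r -df -y D:\out\docs.rar C:\Users\*.docx C:\Users\*.xlsx',
    r'"C:\Program Files\WinRAR\WinRAR.exe" a -r backup.rar D:\projects\*.txt',
    r'C:\Windows\System32\cmd.exe /c dir',
]


def _tokens(cmdline):
    # Split on whitespace but keep quoted Windows paths intact, then drop the quotes.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze_command_line(cmdline):
    """Flag rar.exe/WinRAR.exe runs that use -df (delete source files after archiving).

    Returns None for non-archiver processes, otherwise a dict describing the run.
    """
    tokens = _tokens(cmdline)
    if not tokens:
        return None
    image = os.path.basename(tokens[0].replace("\\", "/")).lower()
    if image not in ARCHIVER_IMAGES:
        return None
    switches = {t.lower() for t in tokens[1:] if t.startswith("-")}
    deletes_sources = "-df" in switches
    # Layout assumed: tokens[1] is the command ("a"), the first non-switch
    # argument after it is the archive name, the remaining ones are file masks.
    args = [t for t in tokens[2:] if not t.startswith("-")]
    masks = args[1:]
    exts = set()
    for mask in masks:
        m = re.search(r"\.([A-Za-z0-9]+)$", mask)
        if m:
            exts.add("." + m.group(1).lower())
    targeted = sorted(exts & TARGETED_EXTENSIONS)
    return {
        "image": image,
        "deletes_sources": deletes_sources,
        "targeted_extensions": targeted,
        # Archiving with -df over extensions from the advisory's list is the wiper pattern.
        "suspicious": deletes_sources and len(targeted) > 0,
    }
```

Only the combination of -df with masks for the listed extensions is marked suspicious; a plain archive run over the same files (second sample) is reported but not flagged, which keeps the check usable on hosts where WinRAR is legitimately installed.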
CERT-UA found several similarities between this incident and an attack in January against Ukrinform, including the execution approach, the IP addresses of the intruders, and the use of a modified version of RoarBat. These factors fit the modus operandi of Sandworm.
“Thus, despite the coverage of the fact of the cyberattack using another telegram channel, CERT-UA associates the described activity with a moderate level of confidence with the activities of the Sandworm group, but the appropriate identifier UAC-0165 was created for its point tracking,” reads CERT-UA’s security advisory.
CERT-UA urges users to watch out for abnormal activity on the network and “take immediate measures to reduce ‘surface’ attacks.” The advisory also includes indicators of compromise to help system administrators assess whether the new malicious campaign has targeted machines on their network.
Specialized tools like Bitdefender Ultimate Security can protect you from data-wiper malware and other cyberthreats with a comprehensive library of features, which includes:
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.