Sandworm (UAC-0165), a Russian hacking group, has been linked to an attack on Ukrainian state networks that involved wiping data from government devices using WinRAR, according to an advisory from the Ukrainian Government Computer Emergency Response Team (CERT-UA).
The Ukrainian cyber defence agency also says several indicators point to Sandworm: IP addresses, the presence of a modified version of RoarBat and “the method of implementation of the malicious plan”.
How Attackers Use WinRAR to Wipe Data
The hackers apparently used the RoarBat script, which searches the targeted machine for files with extensions including .doc, .docx, .rtf, .txt, .xls, .xlsx, .ppt, .pptx, .jpeg, .jpg, .zip, .rar, .7z and several more, then archives them with WinRAR using the “-df” option. This option automatically deletes the source files once they have been archived. RoarBat then deletes the archives themselves, leaving no copy of the data behind.
The attackers likely relied on legitimate programs such as ‘dd’ and WinRAR to avoid detection by security software. Linux systems are not immune: according to CERT-UA, their data can be wiped in the same way with a BASH script that uses the standard dd utility to overwrite the targeted files with zero bytes.
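As an added defender-side example (not from the CERT-UA advisory or this article), the script below triages constructed process-creation events for the pattern described above: a rar.exe/WinRAR.exe launch carrying the -df switch, wildcard masks over the listed extensions, and a parent batch script. The event field names (image, command_line, parent_command_line) and all sample paths except the host indicator C:\Users\update1.bat are assumptions.

```python
"""Triage rar.exe/WinRAR.exe process-creation events for the RoarBat wipe pattern.

An event is suspicious only when -df (delete source files after archiving) is
present; severity rises when the wildcard masks cover the document, image and
archive extensions RoarBat targets, or the parent is a .bat script.
"""
import re
from pathlib import PureWindowsPath

# Extensions named in the CERT-UA description of RoarBat
TARGETED_EXT = {".doc", ".docx", ".rtf", ".txt", ".xls", ".xlsx", ".ppt",
                ".pptx", ".jpeg", ".jpg", ".zip", ".rar", ".7z"}
RAR_IMAGES = {"rar.exe", "winrar.exe"}


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted tokens whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def assess(event):
    """Return {'severity', 'reasons'} for a suspicious event, else None."""
    if PureWindowsPath(event["image"]).name.lower() not in RAR_IMAGES:
        return None
    args = tokenize(event["command_line"])[1:]
    switches = {t.lower() for t in args if t.startswith("-")}
    if "-df" not in switches:  # -df is what turns archiving into deletion
        return None
    reasons = ["-df deletes source files after archiving"]
    # Only wildcard arguments are file masks; the archive name itself is not one
    masks = {PureWindowsPath(t).suffix.lower() for t in args if "*" in t or "?" in t}
    hit = sorted(masks & TARGETED_EXT)
    if hit:
        reasons.append(f"masks cover user data: {hit}")
    if "-r" in switches:
        reasons.append("-r recurses into subdirectories")
    from_bat = ".bat" in event.get("parent_command_line", "").lower()
    if from_bat:
        reasons.append("launched from a batch script")
    return {"severity": "high" if hit or from_bat else "medium", "reasons": reasons}


def scan(events):
    """Return (index, assessment) for every suspicious event in a log batch."""
    return [(i, r) for i, e in enumerate(events) if (r := assess(e))]


# Constructed sample events (not from the advisory); the parent path reuses the
# host indicator C:\Users\update1.bat quoted in the article.
EVENTS = [
    {"image": r"C:\Users\Public\WinRAR.exe",
     "command_line": r'WinRAR.exe a -r -df C:\Users\Public\out.rar "C:\Users\*.docx" C:\Users\*.xlsx',
     "parent_command_line": r"cmd.exe /c C:\Users\update1.bat"},
    {"image": r"C:\Program Files\WinRAR\Rar.exe",
     "command_line": r"Rar.exe a -r D:\backup\logs.rar D:\logs\*.log"},
    {"image": r"C:\Program Files\WinRAR\Rar.exe",
     "command_line": r"Rar.exe a -df D:\photos.rar D:\camera\*.png"},
]
```

Running `scan(EVENTS)` flags the first event as high (-df, -r, .docx/.xlsx masks, .bat parent) and the third as medium (-df on non-targeted .png files); the plain backup in the second is ignored.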
Indicators of Compromise (IoC)
Files:
- UpdateRarService
- update1.bat (RoarBat)
- WinRAR.exe (command-line RAR)
Host:
- C:\Users\update1.bat
- UpdateRarService