According to CERT-UA, the activity was carried out by a threat actor known as UAC-0006 for financial gain, with the theft of credentials and illegal money transfers as its end goals.
The attack, which targeted an unnamed government agency, involved the use of a new batch script-based wiper malware called RoarBAT. This malware recursively searches for files with a specific list of extensions and deletes them permanently using the legitimate WinRAR utility.
This, in turn, was achieved by archiving the identified files with WinRAR's “-df” command-line option, which deletes the source files once they have been added to the archive, and then purging the generated archives. The batch script was executed through a scheduled task.
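A defender-side check for the behaviour described above, as an added example that is not from CERT-UA or the original article: it scans process-creation records for WinRAR started with the `a` (add) command and `-df`. The record field names, the sample paths and the severity rule (higher when the parent is `cmd.exe`) are assumptions made for illustration.

```python
import shlex
from pathlib import PureWindowsPath

ARCHIVERS = {"rar.exe", "winrar.exe"}   # WinRAR console and GUI binaries
SCRIPT_PARENTS = {"cmd.exe"}            # batch interpreter (assumed severity rule)

def exe_name(path):
    return PureWindowsPath(path.strip('"')).name.lower()

def rar_deletes_sources(command_line):
    """True when WinRAR/RAR runs the 'a' (add) command with the -df switch."""
    tokens = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    if not tokens or exe_name(tokens[0]) not in ARCHIVERS:
        return False
    switches, positional, scanning = set(), [], True
    for tok in tokens[1:]:
        if scanning and tok == "--":          # RAR stops switch parsing at "--"
            scanning = False
        elif scanning and tok.startswith("-"):
            switches.add(tok.lower())         # lower-cased so -DF matches too
        else:
            positional.append(tok)            # command, archive name, file masks
    return bool(positional) and positional[0].lower() == "a" and "-df" in switches

def triage(events):
    """Return (event id, severity) for each process start that matches."""
    hits = []
    for ev in events:
        if rar_deletes_sources(ev["command_line"]):
            scripted = exe_name(ev["parent_image"]) in SCRIPT_PARENTS
            hits.append((ev["id"], "high" if scripted else "medium"))
    return hits

# Constructed process-creation records; every path and file name is made up.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Program Files\WinRAR\Rar.exe" a -DF -r C:\Temp\o.rar C:\Users\*.docx'},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Program Files\WinRAR\WinRAR.exe" a -df D:\old.rar D:\old'},
    {"id": 3, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"rar.exe a backup.rar C:\Data"},           # no -df: benign backup
    {"id": 4, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"rar.exe a -- backup.rar -df"},            # "-df" is a file name here
]

if __name__ == "__main__":
    for event_id, severity in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: WinRAR add with -df ({severity})")
```

Legitimate backup jobs also use `-df`, so a hit is a lead to correlate with the scheduled task that launched the script and the breadth of the file masks, not a verdict on its own.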
The agency further attributed UAC-0165, with moderate confidence, to the notorious Sandworm group (also known as FROZENBARENTS, Seashell Blizzard or Voodoo Bear), which has a history of wiper attacks since the start of the Russian-Ukrainian war last year.