Russians weaponise WinRAR to attack Ukraine

Attackers used VPNs to infiltrate and WinRAR scripts to wipe data

Ukrainian state networks have fallen victim to data wiping by Russian state-sponsored hackers, who erased data after exploiting VPNs and using malware abusing the common archiving tool WinRAR.

Last week, the Ukrainian Government Computer Emergency Response Team (CERT-UA) issued an alert indicating that a Russian threat actor, likely from the Sandworm group, had successfully infiltrated Ukrainian state networks.

The CERT said hackers infiltrated systems by using compromised VPN accounts that lacked multi-factor authentication (MFA).

After gaining access to the network, the hackers used scripts leveraging the WinRAR archiving programme to delete files from both Windows and Linux machines.

They employed a BAT script named 'RoarBat' on Windows machines.

This script searched disks and targeted directories for specific file types, including: doc, docx, txt, rtf, xls, xlsx, ppt, pptx, pdf, png, vsd, vsdx, jpeg, jpg, mp4, zip, rar, 7z, sql, vbk, vib, vrb, php, p7s, sys, dat, dll, exe and bin.

The RoarBat script used WinRAR to compress the targeted files and applied the "-df" command-line option, instructing WinRAR to delete the source files during the archiving process.

Once the operation was complete, the malware deleted the archive itself, leaving no recoverable copy of the data that had been stored on the affected disk.

The RoarBat script was executed through a scheduled task that was centrally distributed to Windows domain devices via group policy.

In addition to Windows machines, the threat actors also targeted Linux devices.

To wipe data on Linux systems, they used a Bash script that called the "dd" utility to overwrite target files with zero bytes.

BleepingComputer reports that due to the data replacement method used by the "dd" tool, file recovery for files that have been "emptied" is highly unlikely.

Since the "dd" command and WinRAR are legitimate programmes, the attackers likely employed them as a means of evading detection by security software.
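Because both tools are legitimate, detection has to key on how they are invoked rather than on the binaries themselves. The following Python triage routine is an added example, not code from the CERT-UA alert or this article: it flags the two behaviours described above in constructed process-creation command lines (host names, paths and event lines are all made up here): an archiver run with the "-df" switch over wildcard file masks, and "dd" zero-filling a regular file.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed (host, command line) events; not taken from the CERT-UA report.
# Two mirror the reported wiper behaviour, two are benign uses of the same tools.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("WS01", r'"C:\Program Files\WinRAR\Rar.exe" a -r -df -ep1 D:\out.rar *.doc *.docx *.xls *.pdf *.jpg *.sql'),
    ("WS02", r'"C:\Program Files\WinRAR\WinRAR.exe" a -r D:\backup\docs.rar D:\reports\*.docx'),
    ("SRV01", "/bin/dd if=/dev/zero of=/var/www/html/index.php bs=4096 count=1"),
    ("SRV02", "dd if=/dev/urandom of=/tmp/random.bin bs=1M count=10"),
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')                      # keep quoted paths whole
ARCHIVER_RE = re.compile(r'(?:^|[\\/])(?:rar|winrar)(?:\.exe)?$', re.I)


def detect_winrar_wipe(cmdline: str) -> Optional[str]:
    """Flag Rar/WinRAR invocations that delete source files after archiving (-df)."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if not tokens or not ARCHIVER_RE.search(tokens[0]):
        return None
    switches = {t.lower() for t in tokens[1:] if t.startswith("-")}  # WinRAR switches are case-insensitive
    masks = [t for t in tokens[1:] if t.startswith("*.")]
    if "-df" not in switches:
        return None
    return f"WinRAR -df (delete sources) with {len(masks)} wildcard mask(s)"


def detect_dd_zero_fill(cmdline: str) -> Optional[str]:
    """Flag dd reading /dev/zero and writing to a regular file path (not a device)."""
    tokens = cmdline.split()
    if not tokens or tokens[0].rsplit("/", 1)[-1] != "dd":
        return None
    opts = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    target = opts.get("of", "")
    if opts.get("if") == "/dev/zero" and target and not target.startswith("/dev/"):
        return f"dd zero-fill of {target}"
    return None


def triage(events: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Run both detectors over (host, command line) events and collect findings."""
    findings = []
    for host, cmdline in events:
        reason = detect_winrar_wipe(cmdline) or detect_dd_zero_fill(cmdline)
        if reason:
            findings.append({"host": host, "reason": reason, "cmdline": cmdline})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['host']}] {f['reason']}: {f['cmdline']}")
```

In practice the command lines would come from Sysmon event 1 or Windows event 4688 and from auditd execve records, and a hit on "-df" combined with a scheduled-task parent or many wildcard masks is a much stronger signal than either alone.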

CERT-UA has identified several indicators pointing to the Sandworm group as the source of these attacks.

These include IP addresses associated with the group, the discovery of a modified version of RoarBat, and "the method of implementation" used.

The indicators share similarities with a previous attack in January targeting Ukrinform, the country's national news agency.

The January cyberattack resulted in a delay of a press briefing by Yurii Shchyhol, head of the State Service of Special Communications and Information Protection, who intended to discuss Russia's use of hybrid warfare tactics.

The Sandworm hacking group is thought to be part of a Russian military unit responsible for several operations against Ukrainian corporations in the energy, media, banking and other sectors.

Western prosecutors have also blamed the group for the 2017 NotPetya wiper malware, which caused more than $10 billion in damage worldwide by wiping data from networks of computers belonging to organisations doing business in Ukraine.

Russian hackers' objectives have shifted over the course of Russia's ongoing invasion of Ukraine, which began in February 2022.

The Ukrainian government recently concluded that energy infrastructure has become a primary target for these cyberattacks.

Last month, the head of Ukraine's Department of Cyber Information Security rejected assumptions that many Russian hacking groups are hacktivists acting out of loyalty to their state.

"More than 90 per cent of all cyberattacks targeting Ukraine are either conducted by special services or by state-sponsored groups," Illia Vitiuk told CyberScoop.

"I do believe that there is no so-called 'hacktivism' in Russia at all."