Roarbat

Malware Profile Updated 3 months ago
RoarBat is a wiper malware employed by the Sandworm hacking group in its operations against Windows devices. It is implemented as a BAT script, and evidence links it to the January 2023 cyber attack on Ukrinform, the Ukrainian national news agency: a modified version of RoarBat was identified in those attacks, using the same method of implementation and the same IP addresses. CERT-UA, Ukraine's computer emergency response team, reported that the RoarBat script was executed through a scheduled task distributed to all devices in the Windows domain. The primary targets of the Russia-aligned Sandworm group have been Ukrainian entities; new versions of known wipers, including RoarBat and NikoWiper, along with a newly identified wiper named SharpNikoWiper, were found deployed by the group. RoarBat recursively searches for files with over two dozen specific extensions, including drivers, and uses the legitimate WinRAR archiving utility to archive and irrevocably delete them. An unnamed state organization was targeted in an attack involving this batch-script wiper, reported under the name RoarBAT. The use of such widespread and destructive malware underlines the escalating cyber threats posed by state-aligned hacking groups and the importance of robust cybersecurity measures.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Nikowiper | 1 | NikoWiper is a malicious software (malware) identified as a new data wiper attributed to Sandworm, a state-backed hacker group linked with Russia's Main Directorate of the General Staff of the Armed Forces (GRU). This malware, unique in its design compared to other strains, was used in an attack on
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
WinRAR
Telegram
Windows
Wiper
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Sandworm | Unspecified | 2 | Sandworm, a threat actor linked to Russia, has been implicated in numerous high-profile cyber attacks. This group's activities have primarily targeted Ukraine, compromising the country's critical infrastructure and telecommunications providers. The Sandworm group is known for its fileless attack met
Cyberarmyofrussia_reborn | Unspecified | 1 | CyberArmyofRussia_Reborn is a threat actor with suspected links to the GRU, Russia's main intelligence agency. This group has been associated with several high-profile cyberattacks, including those on US and Polish water utilities and a French dam. The group uses its Telegram channel to leak stolen
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Roarbat malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 9 months ago | ESET APT Activity Report Q2–Q3 2023
BankInfoSecurity | a year ago | WinRAR Weaponized for Attacks on Ukrainian Public Sector
Securityaffairs | a year ago | Sandworm APT uses WinRAR in destructive attacks on Ukraine
CERT-EU | a year ago | Hackers use WinRAR as a Cyberweapon to Conduct Destructive Cyberattacks
CERT-EU | a year ago | CERT-UA Warns of SmokeLoader and RoarBAT Malware Attacks Against Ukraine