Roarbat

Malware updated a month ago (2024-11-29T14:37:43.635Z)
Download STIX
Preview STIX
RoarBat is a malicious software (malware) employed by the Sandworm hacking group, known for its operations against Windows devices. The malware utilizes a BAT script to execute harmful activities, with evidence suggesting that it shares similarities with a cyber attack on Ukrinform, the Ukrainian national news agency, in January 2023. A modified version of RoarBat was identified in these attacks, with the same method of implementation and IP addresses. Ukraine's cyber defender agency, CERT-UA, reported that the RoarBat script was executed through a scheduled task distributed across all devices on the Windows domain. The primary targets of the Russia-aligned Sandworm group have been Ukrainian entities. New versions of known wipers, including RoarBat and NikoWiper, along with a newly identified wiper named SharpNikoWiper, were found deployed by Sandworm. RoarBat uses the WinRar archiving and compressing application to delete instances of over two dozen specific file extensions, including drivers. This BAT script recursively searches for files with specific extensions and archives them using the legitimate WinRAR program. An unnamed state organization was targeted in an attack involving a new batch script-based wiper malware called RoarBAT. This malware performs a recursive search for files with a list of specific extensions and irrevocably deletes them using the legitimate WinRAR utility. The use of such a widespread and destructive malware underlines the escalating cyber threats posed by state-aligned hacking groups and underscores the importance of robust cybersecurity measures.
Description last updated: 2024-05-04T16:48:30.809Z
What's your take? (Question 1 of 1)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
WinRAR
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Sandworm Threat Actor is associated with Roarbat. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which cUnspecified
2
Source Document References
Information about the Roarbat Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more