Roarbat

RoarBat is a malicious software (malware) employed by the Sandworm hacking group, known for its operations against Windows devices. The malware utilizes a BAT script to execute harmful activities, with evidence suggesting that it shares similarities with a cyber attack on Ukrinform, the Ukrainian national news agency, in January 2023. A modified version of RoarBat was identified in these attacks, with the same method of implementation and IP addresses. Ukraine's cyber defender agency, CERT-UA, reported that the RoarBat script was executed through a scheduled task distributed across all devices on the Windows domain. The primary targets of the Russia-aligned Sandworm group have been Ukrainian entities. New versions of known wipers, including RoarBat and NikoWiper, along with a newly identified wiper named SharpNikoWiper, were found deployed by Sandworm. RoarBat uses the WinRar archiving and compressing application to delete instances of over two dozen specific file extensions, including drivers. This BAT script recursively searches for files with specific extensions and archives them using the legitimate WinRAR program. An unnamed state organization was targeted in an attack involving a new batch script-based wiper malware called RoarBAT. This malware performs a recursive search for files with a list of specific extensions and irrevocably deletes them using the legitimate WinRAR utility. The use of such a widespread and destructive malware underlines the escalating cyber threats posed by state-aligned hacking groups and underscores the importance of robust cybersecurity measures.