Sandworm uses a new version of ArguePatch to attack targets in Ukraine | WeLiveSecurity

ESET researchers spot an updated version of the malware loader used in the Industroyer2 and CaddyWiper attacks



Sandworm, the APT group behind some of the world’s most disruptive cyberattacks, continues to update its arsenal for campaigns targeting Ukraine.

The ESET research team has now spotted an updated version of the ArguePatch malware loader that was used in the Industroyer2 attack against a Ukrainian energy provider and in multiple attacks involving the data-wiping malware called CaddyWiper.

The new variant of ArguePatch, so named by the Computer Emergency Response Team of Ukraine (CERT-UA) and detected by ESET products as Win32/Agent.AEGY, now includes a feature to execute the next stage of an attack at a specified time. This removes the need to set up a scheduled task in Windows and is likely intended to help the attackers stay under the radar.

Another difference between the two otherwise highly similar variants is that the new iteration uses an official ESET executable to hide ArguePatch, with the digital signature removed and the code overwritten. The Industroyer2 attack, meanwhile, leveraged a patched version of Hex-Rays IDA Pro’s remote debug server.

The latest find builds on a string of discoveries that ESET researchers have made since just before Russia’s invasion of Ukraine. On February 23rd, ESET’s telemetry picked up HermeticWiper on the networks of a number of high-profile Ukrainian organizations. The campaigns also leveraged HermeticWizard, a custom worm used to propagate HermeticWiper inside local networks, and HermeticRansom, which acted as decoy ransomware. The next day, a second destructive attack against a Ukrainian governmental network began, this time deploying IsaacWiper.

In the middle of March, ESET uncovered CaddyWiper on several dozen systems in a limited number of Ukrainian organizations. Importantly, ESET’s collaboration with CERT-UA led to the discovery of a planned attack involving Industroyer2, which was intended to be unleashed on a Ukrainian power company in April.



IoCs for the new ArguePatch variant:

Filename: eset_ssl_filtered_cert_importer.exe
SHA-1 hash: 796362BD0304E305AD120576B6A8FB6721108752
ESET detection name: Win32/Agent.AEGY
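As a defender-side triage check prompted by the signature-stripping detail and the IoCs above, here is an added Python example (not ESET's code or tooling): it hashes a file against the published SHA-1 and parses the PE optional header to see whether the binary carries any embedded Authenticode certificate table at all, flagging a vendor-named file that has none. The stub PE builder, the verdict strings and the function names are my own constructions, and the presence check is not a substitute for chain validation by the OS.

```python
import hashlib
import struct

# IoCs for the new ArguePatch variant as published in the article above.
ARGUEPATCH_SHA1 = "796362BD0304E305AD120576B6A8FB6721108752".lower()
ARGUEPATCH_FILENAME = "eset_ssl_filtered_cert_importer.exe"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory slot of the Authenticode certificate table


def has_authenticode_signature(pe: bytes) -> bool:
    """True if the PE carries an embedded certificate table (security directory).
    Presence only: a non-empty table still needs chain validation by the OS."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 vs PE32+ data-directory offset
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    _rva, size = struct.unpack_from("<II", pe, entry)
    return size != 0


def is_known_sample(sha1_hex: str) -> bool:
    return sha1_hex.lower() == ARGUEPATCH_SHA1


def assess(filename: str, pe: bytes) -> str:
    """Triage verdict (constructed strings) for a file that claims to be a vendor executable."""
    if is_known_sample(hashlib.sha1(pe).hexdigest()):
        return "match: known ArguePatch sample (SHA-1 IoC)"
    signed = has_authenticode_signature(pe)
    if filename.lower() == ARGUEPATCH_FILENAME and not signed:
        return "suspicious: vendor-named binary with no Authenticode signature"
    return "signed: validate the chain (e.g. Get-AuthenticodeSignature)" if signed else "unsigned"


def build_stub_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header (not a runnable executable) for demonstration."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers right after the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    if signed:  # pretend a certificate table lives at file offset 0x400, 0x1800 bytes long
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x400, 0x1800)
    return bytes(dos) + coff + bytes(opt)
```

On a real host, feed `assess()` the on-disk bytes of any file named like a vendor binary and treat "suspicious" as a prompt to pull the file for analysis, not as a final verdict.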
