ESET recently tweeted about a new version of ArguePatch, a malware loader used by VooDoo Bear (Sandworm) in multiple attacks against Ukrainian assets. ESET also gave an overview of the new version of ArguePatch on their WeLiveSecurity blog.
What is ArguePatch?
The original ArguePatch was a patched version of a legitimate component of Hex-Rays' IDA Pro software. ArguePatch was used as a loader in the CaddyWiper attacks targeting an energy provider in Ukraine earlier this year, and it was also used in the Industroyer2 attacks. We reported on CaddyWiper in March and on Industroyer2 in April.
CaddyWiper, which targets Windows systems, is a compact wiper with a compiled size of only 9KB. Before destroying files, CaddyWiper checks whether the machine is a domain controller; if it is, CaddyWiper does not execute. Otherwise, CaddyWiper destroys files in the Users directory and wipes files on drives C:\ through Z:\, including any network mapped drive attached to the system. After overwriting files, CaddyWiper destroys the physical disk layout, including the MBR and partition tables.
Industroyer2 was used to target ICS (industrial control systems), such as those typically used by critical infrastructure entities like energy companies. It uses the IEC-104 protocol to communicate with industrial equipment. Industroyer2 is highly configurable, but it must be tailored and recompiled for each victim or target environment.
ESET researchers recently discovered a new variant of ArguePatch. According to ESET, the new version includes a feature to execute the next stage of an attack at a specified time. This is likely an attempt to evade detection, as it removes the need to create Windows scheduled tasks, which defenders commonly monitor. Rather than leveraging a patched version of Hex-Rays IDA Pro's remote debug server, the new variant hides inside a patched copy of an official ESET executable. The threat actor's use of the ESET executable may be an attempt to troll or retaliate against ESET, which has been continually involved in assisting CERT-UA with investigating Russian APT attacks on Ukraine.
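Because both ArguePatch variants are patched copies of legitimately signed binaries (Hex-Rays' remote debug server, then an ESET executable), a patched file on disk will no longer pass Authenticode verification. The following PowerShell is an added example from this post's editor, not PolySwarm or ESET code; the scan paths and expected signer names are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): flag executables whose
# Authenticode signature no longer verifies (HashMismatch, NotSigned, ...)
# or whose signer is not the vendor expected for that directory.
# The $Paths and $ExpectedSigners defaults are assumptions, not page values.
param(
    [string[]]$Paths = @("$env:ProgramFiles\ESET", "$env:ProgramFiles\IDA Pro"),
    [string[]]$ExpectedSigners = @('ESET', 'Hex-Rays')
)

function Test-PatchedBinary {
    param([string]$FilePath, [string[]]$ExpectedSigners)
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    # A tampered signed binary typically reports HashMismatch; a rebuilt
    # unsigned one reports NotSigned. Either is worth a closer look.
    $signerMatches = $false
    foreach ($s in $ExpectedSigners) {
        if ($subject -like "*$s*") { $signerMatches = $true }
    }
    [pscustomobject]@{
        Path       = $FilePath
        Status     = $sig.Status
        Signer     = $subject
        Suspicious = ($sig.Status -ne 'Valid') -or (-not $signerMatches)
    }
}

foreach ($root in $Paths) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Include *.exe, *.dll -Recurse -File |
        ForEach-Object { Test-PatchedBinary -FilePath $_.FullName -ExpectedSigners $ExpectedSigners } |
        Where-Object { $_.Suspicious } |
        Format-Table -AutoSize
}
```

Any hit should be compared against a known-good copy of the same file (hash or byte diff) before concluding it was patched, since vendor updates and catalog-signed files can also change the reported status.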
ESET and CERT-UA have attributed this activity to the threat actor known as VooDoo Bear.
Who is VooDoo Bear?
VooDoo Bear, also known as Sandworm, BlackEnergy, Quedagh, Telebots, and Iron Viking, is a Russia-nexus threat actor group active since at least 2011. VooDoo Bear is thought to be affiliated with GRU Unit 74455. The group has a history of attacks targeting ICS and critical infrastructure. Previous attacks attributed to VooDoo Bear include the 2015 and 2016 cyberattacks on the Ukrainian power grid, the 2017 NotPetya attacks, and the Cyclops Blink malware released earlier this year. VooDoo Bear TTPs include phishing, password spraying, masquerading as other threat actors, credential dumping, defacement, and wipers. Tooling attributed to the group includes BlackEnergy, GCat, NotPetya, VPNFilter, CHEMISTGAMES, Exaramel, Olympic Destroyer, PassKillDisk, Cyclops Blink, CaddyWiper, ORCSHRED, SOLOSHRED, AWFULSHRED, Industroyer, and Industroyer2.
PolySwarm has multiple samples of ArguePatch and will continue to monitor for additional samples.
You can use the following CLI command to search for all ArguePatch samples in our portal:
$ polyswarm link list -f ArguePatch