The second attack involves a new batch script-based wiper malware called RoarBAT that performs a recursive search for files with a specific list of extensions and irrevocably deletes them using the legitimate WinRAR utility. The attack, which targeted an unnamed state organization, was carried out by a group known as UAC-0165 and was characterized as a financially motivated operation carried out with the goal of stealing credentials and making unauthorized fund transfers. CERT-UA attributed UAC-0165 with moderate confidence to the notorious Sandworm group, which has a history of unleashing wiper attacks since the start of the Russo-Ukrainian war last year.
The alerts come a week after CERT-UA cautioned of phishing attacks carried out by the Russian state-sponsored group APT28 targeting government entities in the country with fake Windows update notifications.
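The RoarBAT behaviour described above (a batch script driving WinRAR to recursively archive files by extension and discard the originals) leaves a distinctive process-creation footprint. The following detection heuristic is an added example, not code from The Hacker News or CERT-UA; the page does not name the WinRAR switch involved, so it assumes WinRAR's documented delete-after-archiving switch (-df), and the log records and paths are constructed.

```python
import ntpath
import re
from typing import Dict, List

# Constructed process-creation events (not from the page or CERT-UA); each record
# mimics a parent/child command-line pair as an EDR or Sysmon event would carry it.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # batch-spawned WinRAR: recursive, delete-after-archive, many extension globs
        "parent": r"C:\Windows\System32\cmd.exe /c C:\Users\Public\update.bat",
        "image": r"C:\Program Files\WinRAR\WinRAR.exe",
        "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r -df -ep1 C:\tmp\x.rar *.doc *.docx *.xls *.xlsx *.pdf',
    },
    {  # ordinary interactive use: one file, originals kept
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files\WinRAR\WinRAR.exe",
        "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a C:\Users\bob\report.rar C:\Users\bob\report.docx',
    },
    {  # scheduled backup script: recursive but keeps the originals
        "parent": r"C:\Windows\System32\cmd.exe /c backup.bat",
        "image": r"C:\Program Files\WinRAR\WinRAR.exe",
        "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r C:\backup\docs.rar C:\Users\bob\Documents',
    },
]

ARCHIVERS = {"winrar.exe", "rar.exe"}
SWITCH_RE = re.compile(r"(?<!\S)-(\w+)")      # command-line switches as whole tokens
EXT_GLOB_RE = re.compile(r"(?<!\S)\*\.\w+")   # "*.docx"-style extension targets

def score_event(event: Dict[str, str]) -> List[str]:
    """Return the suspicious traits of one event; empty unless it deletes sources."""
    if ntpath.basename(event["image"]).lower() not in ARCHIVERS:
        return []
    switches = {m.group(1).lower() for m in SWITCH_RE.finditer(event["cmdline"])}
    parent = event["parent"].lower()
    reasons = []
    if "df" in switches:                       # -df: delete source files after archiving
        reasons.append("delete-after-archive switch")
    if "r" in switches:                        # -r: recurse into subdirectories
        reasons.append("recursive")
    if "cmd.exe" in parent and ".bat" in parent:
        reasons.append("launched from batch script")
    if len(EXT_GLOB_RE.findall(event["cmdline"])) >= 3:
        reasons.append("many extension wildcards")
    # Deleting the originals is what turns archiving into wiping; the rest raise priority.
    return reasons if "delete-after-archive switch" in reasons else []

def flag_wiper_like(events: List[Dict[str, str]]) -> List[List[str]]:
    """Collect the trait lists of every event that looks like archive-and-wipe."""
    return [score_event(e) for e in events if score_event(e)]
```

Legitimate backup jobs also recurse from batch files, so the deletion switch is the gate and the other traits only order the alert queue.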
Source: The Hacker News