New ArguePatch Variant Attacks Ukraine
Description
FortiGuard Labs is aware of a report that a new variant of ArguePatch malware was used in an attack against Ukraine. This ArguePatch variant includes a feature to set up a scheduled task in order to perform a specific action at a specified time.
Why is this Significant?
This is significant because the new variant of ArguePatch malware now has a feature to perform a specific action at a specified time without setting up a scheduled task. This makes the malware stealthier, allowing it to stay under the radar until it actually begins to carry out its next-stage action.
What is ArguePatch?
ArguePatch is a loader malware that was previously used in campaigns against Ukraine that involved CaddyWiper and Industroyer2. The malware is a patched version of a legitimate component of the Hex-Rays IDA Pro software.
FortiGuard Labs previously released Threat Signals on CaddyWiper and Industroyer2. See the Appendix for links to "Additional Wiper Malware Deployed in Ukraine #CaddyWiper" and "Industroyer2 Discovered Attacking Critical Ukrainian Verticals".
What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against known variants of ArguePatch:
W32/Agent.AECG!tr
W32/PossibleThreat
Appendix
Sandworm uses a new version of ArguePatch to attack targets in Ukraine (ESET)
Additional Wiper Malware Deployed in Ukraine #CaddyWiper (Fortinet)
Industroyer2 Discovered Attacking Critical Ukrainian Verticals (Fortinet)