WinRAR, the world-famous file compression and archival tool used by millions of people across the globe, has been used by the Russian hacking group Sandworm to destroy files belonging to Ukrainian state networks.
CERT-UA, the Ukrainian government's Computer Emergency Response Team, says that the Russian threat actors used compromised VPN accounts that were not protected with multi-factor authentication (MFA) to access critical systems in Ukrainian state networks.
After gaining access, the cybercriminals used WinRAR to target files on Windows and Linux machines.
On Windows devices, the script used by Sandworm (called RoarBat) searches disks and specific directories for file types such as doc, docx, rtf, txt, xls, etc., and archives them using WinRAR.
The kicker, though, is that the script executes WinRAR via the command line with the -df switch, which instructs WinRAR to delete the files it has archived. The script then deletes the archives it created, so the original files are gone entirely.
On Linux systems, the threat actors used a Bash script which used the -dd switch to overwrite target file types with zero bytes, thus erasing their contents.
Because the data is overwritten, recovery of any files is highly unlikely, if not entirely impossible.
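Since both the Windows and Linux variants run a legitimate tool with an ordinary-looking command line, the practical detection hook is process-creation telemetry (Sysmon process creation events on Windows, auditd execve records on Linux) rather than file signatures. The following is an added, defender-side example, not code from CERT-UA, WinRAR or this post: it scans process-creation records for WinRAR run with the -df switch against document file types, and for a zero-byte overwrite of document files on Linux. The record layout and every log line are constructed for the example. The post describes a "-dd switch" on Linux; this example assumes that means an invocation of the standard dd utility with /dev/zero as input, which is my assumption, and the extension list beyond doc/docx/rtf/txt/xls is likewise assumed.

```python
"""Detection helper for the wiping behaviour described in the post.

Added example, not code from CERT-UA, WinRAR or the original article. It scans
process-creation records for two patterns:
  * Windows: Rar.exe/WinRAR.exe run with the -df switch (delete files after
    archiving) against document file types.
  * Linux:   a zero-byte overwrite of document files. The post mentions a
    "-dd switch"; this example ASSUMES the overwrite is an invocation of the
    standard dd utility with if=/dev/zero (my assumption, not CERT-UA's).
The record layout (timestamp|host|user|image|command line) and every log line
below are constructed for this example.
"""
import re

# Extensions the post says RoarBat searches for (doc, docx, rtf, txt, xls);
# xlsx/ppt/pptx/pdf are my additions and should be treated as an assumption.
TARGET_EXTS = {"doc", "docx", "rtf", "txt", "xls", "xlsx", "ppt", "pptx", "pdf"}
RAR_IMAGES = {"rar.exe", "winrar.exe", "rar", "unrar"}

# Constructed sample records: one benign backup, one -df run followed by the
# archive being deleted, one dd zero-overwrite, one benign dd disk image.
CONSTRUCTED_LOG = r"""
2023-04-03T02:11:07Z|WS-0412|CORP\svc_backup|C:\Program Files\WinRAR\Rar.exe|"C:\Program Files\WinRAR\Rar.exe" a -r C:\Backups\weekly.rar C:\Shares\Finance\*.xlsx
2023-04-03T02:14:55Z|WS-0412|CORP\jdoe|C:\Program Files\WinRAR\Rar.exe|"C:\Program Files\WinRAR\Rar.exe" a -r -df C:\Users\Public\tmp\1.rar D:\*.doc D:\*.docx D:\*.xls
2023-04-03T02:15:01Z|WS-0412|CORP\jdoe|C:\Windows\System32\cmd.exe|cmd.exe /c del /q C:\Users\Public\tmp\1.rar
2023-04-03T02:20:30Z|srv-files01|root|/usr/bin/dd|dd if=/dev/zero of=/srv/docs/report.docx bs=1M count=1
2023-04-03T02:21:00Z|srv-files01|root|/usr/bin/dd|dd if=/dev/sda of=/backup/sda.img bs=4M
"""

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # a quoted path or a whitespace-separated word


def parse_record(line):
    """Split one constructed record into its five fields."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def tokens(cmdline):
    """Tokenise a command line, keeping quoted paths with spaces intact."""
    return [t.strip('"') for t in _TOKEN_RE.findall(cmdline)]


def _basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def _document_args(args):
    r"""Arguments whose extension is a targeted document type, e.g. D:\*.doc."""
    hits = []
    for a in args:
        m = re.search(r"\.([A-Za-z0-9]+)$", a)
        if m and m.group(1).lower() in TARGET_EXTS:
            hits.append(a)
    return hits


def _finding(rule, rec, targets):
    return {"rule": rule, "ts": rec["ts"], "host": rec["host"],
            "user": rec["user"], "targets": targets}


def check_winrar_delete_after_archive(rec):
    """Flag WinRAR run with -df (delete files after archiving) on document types."""
    if _basename(rec["image"]) not in RAR_IMAGES:
        return None
    args = tokens(rec["cmdline"])[1:]
    if not any(a.lower() == "-df" for a in args):
        return None
    targets = _document_args(args)
    return _finding("winrar_archive_then_delete", rec, targets) if targets else None


def check_dd_zero_overwrite(rec):
    """Flag dd writing /dev/zero over a document file (assumed Linux pattern)."""
    if _basename(rec["image"]) != "dd":
        return None
    args = tokens(rec["cmdline"])
    if "if=/dev/zero" not in args:
        return None
    targets = _document_args([a[3:] for a in args if a.startswith("of=")])
    return _finding("dd_zero_overwrite", rec, targets) if targets else None


CHECKS = (check_winrar_delete_after_archive, check_dd_zero_overwrite)


def scan(log_text):
    """Return one finding per matching record, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        for check in CHECKS:
            hit = check(rec)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(CONSTRUCTED_LOG):
        print(f"{f['ts']} {f['host']} {f['user']}: {f['rule']} -> {', '.join(f['targets'])}")
```

The benign backup job on the first record is not flagged because it lacks -df, and the disk-imaging dd on the last record is not flagged because its input is not /dev/zero; in a real deployment the -df rule would be fed from Sysmon or EDR command-line fields and correlated with the subsequent deletion of the archive by the same user, which the third constructed record illustrates.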
Why WinRAR?
The choice of WinRAR seems to be for a number of reasons.
- It’s free*
- It’s a legitimate utility unlikely to be flagged by security tools
- It can run as a command-line utility, which can be invoked from scripts
*WinRAR is classed as “trialware”, in that it is free for a period of time (typically 30 days), after which a licence is supposed to be purchased. However, the makers of WinRAR don’t include a blocker in the trial version, so it is possible to keep using the software forever without ever buying a licence.
This fact has led to WinRAR being the subject of a number of Internet memes.
It seems that Sandworm, like other Internet users, has a love for a good meme.