Sandworm Uses An Updated Version Of ArguePatch To Attack Targets In Ukraine
Sandworm, the APT group behind some of the world’s most disruptive cyberattacks, continues to update its arsenal for campaigns targeting Ukraine. ESET researchers spotted an updated edition of the malware loader utilized in the Industroyer2 and CaddyWiper attacks.
Sandworm Used a Variant to Attack Ukraine
ESET researchers detected an updated version of the ArguePatch malware loader. The attackers used the loader in the Industroyer2 attack against a Ukrainian energy provider and in numerous attacks involving the data-wiping malware CaddyWiper.
The most recent variant of ArguePatch, which ESET detects as Win32/Agent.AEGY, now includes a feature to execute the next stage of an attack at a specified time. This removes the need to set up a scheduled task in Windows and is likely intended to help the attackers stay under the radar.
Another distinction between the two otherwise highly similar variants is that the new iteration uses an official ESET executable to hide ArguePatch, with the digital signature removed and the code overwritten.
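The stripped-signature detail above is something a defender can check for directly. The following added example (not ESET's code and not from the article) parses a PE header and reports whether an Authenticode certificate table is present at all; the sample headers it builds are constructed here for testing, and an absent table is only a flag for review, since a present table still has to be cryptographically verified with the platform's Authenticode tooling.

```python
import struct

# Data-directory index of the Authenticode certificate table (IMAGE_DIRECTORY_ENTRY_SECURITY).
SECURITY_DIR_INDEX = 4

def certificate_table(data: bytes):
    """Return (file_offset, size) of the certificate table, (0, 0) if none, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    opt = pe + 24                                          # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                     # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                                   # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        return None
    if struct.unpack_from("<I", data, count_off)[0] <= SECURITY_DIR_INDEX:
        return (0, 0)                                      # too few directories to hold a security entry
    return struct.unpack_from("<II", data, dirs_off + SECURITY_DIR_INDEX * 8)

def is_unsigned(data: bytes) -> bool:
    """True when the file parses as a PE but carries no certificate table at all."""
    entry = certificate_table(data)
    return entry is not None and entry[1] == 0

def build_minimal_pe(pe32plus: bool, cert_size: int) -> bytes:
    """Constructed test input: just enough header bytes to exercise the checks above."""
    opt_len = 240 if pe32plus else 224                     # optional header with 16 data directories
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)                # PE signature right after the DOS header
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_len, 0)
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    count_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, count_off, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, count_off + 4 + SECURITY_DIR_INDEX * 8,
                     0x600 if cert_size else 0, cert_size)
    return bytes(hdr + opt)
```

Run it over the files in question; a vendor-named binary with no certificate table at all is worth comparing against a known-good copy from the vendor.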
The Industroyer2 attack, meanwhile, leveraged a patched version of Hex-Rays IDA Pro's remote debug server. Essentially, the latest find builds on a string of discoveries that ESET researchers made before Russia invaded Ukraine.
On February 23rd, the researchers' telemetry picked up HermeticWiper on the networks of several high-profile Ukrainian organizations. The campaigns similarly leveraged HermeticWizard, a custom worm used for spreading the wiper inside local networks, and HermeticRansom, which acted as decoy ransomware.
The next day, a second destructive attack against a Ukrainian governmental network started, this time deploying IsaacWiper. Then, in mid-March, ESET uncovered CaddyWiper on several dozen systems in a limited number of Ukrainian organizations.
Importantly, ESET's collaboration with CERT-UA led to the discovery of a planned attack involving Industroyer2. The aim of the attack was to unleash malware on a Ukrainian power company in April.