Spyware Attack Targets Russian Industrial Companies


Phishing Emails Used to Disguise Malware as Contract Files

Kaspersky headquarters in Moscow, photo dated March 20, 2018. (Image: Tatiana Belova/Shutterstock)

A recent report from a Russian cybersecurity firm has unveiled a sophisticated campaign targeting the country’s industrial sector, utilizing a previously undocumented spyware dubbed “Batavia.” The attack has been traced back to July 2024 and has successfully compromised over 100 users across numerous Russian organizations.

Victims are being lured with phishing emails that masquerade as official contract proposals. This tactic leads employees to download the spyware, which is designed to exfiltrate sensitive documents and critical system data. Although the Moscow-based Kaspersky did not attribute the campaign to a specific threat actor, the implications for the targeted firms are significant.

The infection process begins with the victim clicking a link embedded in the phishing email, often featuring filenames like договор-2025.vbe, which translates to contract-2025.vbe. This link initiates the download of an encrypted Visual Basic for Applications script. Upon execution, the script acts as a downloader, retrieving additional malicious components from a command-and-control infrastructure.

The first payload, known as WebView.exe, is tasked with gathering system logs, accessing documents from local drives, and periodically capturing screenshots. This data is then exfiltrated to a secondary domain controlled by the attackers, ru-exchange.com, and tagged with a unique infection ID that lets the operators track the same victim across the later stages of the attack.

Following this initial extraction, the malware also deploys a second payload, javav.exe, within the ProgramData folder, where it is set to auto-execute during system startup. This second stage broadens the list of target files to include multiple formats such as JPEGs, spreadsheets, and emails. Its communication features are enhanced, enabling the malware to receive new command-and-control addresses and additional malicious executables through encrypted channels.

To facilitate further payload deployment, javav.exe employs a user account control bypass technique that manipulates the Windows Registry and the computerdefaults.exe utility. This maneuver allows a final-stage binary, windowsmsg.exe, to execute without triggering a security prompt. Although the full capabilities of this last payload remain unknown, Kaspersky suspects it facilitates further surveillance or data exfiltration.

The tactics employed in this attack map to several phases of the MITRE ATT&CK framework. Initial access is achieved through phishing, and persistence is established via the second payload's auto-execution at startup. Privilege escalation relies on the bypass of user account control described above. As the situation develops, understanding these tactics is critical for organizations seeking to defend against similar threats.
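As an added illustration that is not part of the report, the following detection rules are keyed to the behaviours described above (a script host running a .vbe file, executables launched from ProgramData, computerdefaults.exe spawned by an unexpected parent, and contact with the named exfiltration domain) and are run over constructed sample telemetry; the event format, the field names and the list of expected parents for computerdefaults.exe are assumptions.

```python
"""Detection rules for the Batavia infection chain described in the article.
The event schema and the sample events below are constructed, not real logs."""
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Event:
    kind: str       # "process" or "network"
    parent: str     # parent image name
    image: str      # full path of the image that was started / that connected
    cmdline: str    # command line (empty for network events)
    dest: str = ""  # destination host for network events

# Constructed sample telemetry mirroring the stages named in the article.
SAMPLE: List[Event] = [
    Event("process", "explorer.exe", r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "C:\Users\u\Downloads\договор-2025.vbe"'),
    Event("process", "wscript.exe", r"C:\Users\u\AppData\Local\Temp\WebView.exe", "WebView.exe"),
    Event("network", "", r"C:\Users\u\AppData\Local\Temp\WebView.exe", "", "ru-exchange.com"),
    Event("process", "WebView.exe", r"C:\ProgramData\javav.exe", "javav.exe"),
    Event("process", "javav.exe", r"C:\Windows\System32\computerdefaults.exe", "computerdefaults.exe"),
    Event("process", "computerdefaults.exe", r"C:\ProgramData\windowsmsg.exe", "windowsmsg.exe"),
    Event("process", "explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign
]

KNOWN_C2 = {"ru-exchange.com"}  # the only domain the report names
# Assumption: interactive launches of computerdefaults.exe come from these parents.
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe"}

def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) pairs for every event matching a rule."""
    findings = []
    for e in events:
        img = e.image.lower()
        name = img.rsplit("\\", 1)[-1]
        if e.kind == "process":
            # Stage 1: a script host executing an encoded VBScript (.vbe) file.
            if name in ("wscript.exe", "cscript.exe") and ".vbe" in e.cmdline.lower():
                findings.append(("vbe_script_execution", e.cmdline))
            # Stage 2: executables dropped into and started from ProgramData.
            if img.startswith("c:\\programdata\\") and name.endswith(".exe"):
                findings.append(("exe_launched_from_programdata", e.image))
            # Stage 3: computerdefaults.exe started by something other than the shell.
            if name == "computerdefaults.exe" and e.parent.lower() not in EXPECTED_PARENTS:
                findings.append(("computerdefaults_uac_bypass_pattern", e.parent))
        elif e.kind == "network" and e.dest.lower() in KNOWN_C2:
            findings.append(("known_c2_contact", e.dest))
    return findings
```

Each rule is a heuristic: a .vbe launch or a ProgramData executable on its own is noisy, but two or more of these findings from the same host in a short window is the pattern worth triaging.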
