Full Report
A previously undocumented spyware called 'Batavia' has been targeting large industrial enterprises in Russia in a phishing email campaign that uses contract-related lures. [...]
Analysis Summary
# Threat Actor: Batavia Campaign (Unattributed)
## Attribution & Identity
The campaign is tracked under the name **'Batavia'**. Attribution (to a nation-state or a specific group) is not specified in the provided context, but the targeting suggests an espionage motive focused on Russian industrial activity.
## Activity Summary
The 'Batavia' campaign is actively targeting dozens of organizations within Russia using multi-stage Windows spyware. The campaign appears to be an espionage operation given the nature of the targets and the deep data collection capabilities of the deployed malware.
## Tactics, Techniques & Procedures
The attack involves a multi-stage payload deployment mechanism:
- **Initial Stage:** Delivery of the first-stage spyware, which communicates with a C2 server.
- **Stage 2 (WebView.exe):** Delphi-based malware that collects system logs and captures screenshots while showing the victim a fake contract as a decoy.
- **Stage 3 (javav.exe):** A C++ data stealer deployed by the second stage. It establishes persistence by adding a startup shortcut so that it runs at every OS boot.
- **Data Collection:** Extensive file harvesting, including documents, images, presentations, emails, archives, spreadsheets, and text and RTF files.
- **Anti-Redundancy:** Hashes the first 40,000 bytes of each file during exfiltration and uses that hash to avoid uploading redundant data.
- **Potential Stage 4:** Researchers hypothesize that a fourth payload, `windowsmsg.exe`, exists for subsequent attack phases.
## Targeting
- **Sectors:** Russian industrial enterprises (the focus is inferred by the researchers from the targeting, not stated by the attackers).
- **Geography:** Dozens of organizations within **Russia**.
- **Victims:** Dozens of Russian organizations (specific names not provided).
## Tools & Infrastructure
- **Malware families used:**
  * First-stage spyware (unnamed)
  * WebView.exe (second stage, Delphi-based)
  * javav.exe (third stage, C++ data stealer)
  * windowsmsg.exe (hypothesized fourth-stage payload)
- **Infrastructure (C2, domains, IPs):**
  * C2 for first stage: `oblast-ru[.]com`
  * C2 for data exfiltration: `ru-exchange[.]com`
## Implications
The campaign's multi-stage design, combined with deep data exfiltration capabilities aimed at industrial organizations in Russia, points to a targeted and persistent espionage operation, most likely intended to gather significant intelligence or, over time, to compromise critical infrastructure functionality.
## Mitigations
- Scrutinize network traffic for connections to the reported command-and-control domains `oblast-ru[.]com` and `ru-exchange[.]com`.
- Monitor for unusual startup entries, particularly shortcuts that launch executables such as `javav.exe`.
- Implement enhanced behavioral monitoring (EDR) to detect data staging, large-scale document harvesting, and screenshot capture, especially when these coincide with a decoy display such as the fake contract.
- Investigate any case in which custom Delphi-based or C++ malware executes after initial access.
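The first two mitigations can be turned into a small triage script. The following is an added defender-side example, not code from the report or from the researchers: it refangs the two C2 domains listed above and matches them (and their subdomains) against free-form DNS/proxy log lines, and it flags Startup-folder shortcuts that reference the reported binary names. The log format, the shortcut entries, the function names and the `.lnk` byte-scan shortcut are all assumptions made here for illustration; `windowsmsg.exe` is included only because the researchers hypothesize it.

```python
"""Triage helpers for the Batavia indicators: C2 domains in logs and
suspicious Startup-folder shortcuts. Added example; formats and names
other than the published indicators are assumed."""
import os
import re
from pathlib import Path

# C2 domains as published (defanged); refanged below for matching.
BATAVIA_C2_DEFANGED = ("oblast-ru[.]com", "ru-exchange[.]com")
# Binary names from the report. 'windowsmsg.exe' is only hypothesised.
BATAVIA_BINARIES = ("webview.exe", "javav.exe", "windowsmsg.exe")

# Anything that looks like a dotted hostname in a lower-cased log line.
HOSTNAME_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")


def refang(indicator):
    """Turn 'oblast-ru[.]com' back into 'oblast-ru.com'."""
    return indicator.replace("[.]", ".")


C2_DOMAINS = tuple(refang(d) for d in BATAVIA_C2_DEFANGED)


def matches_c2(hostname):
    """Return the C2 domain that hostname equals or is a subdomain of, else None.
    Suffix matching on '.' + domain avoids hitting look-alikes such as
    'notoblast-ru.com'."""
    h = hostname.lower().rstrip(".")
    for dom in C2_DOMAINS:
        if h == dom or h.endswith("." + dom):
            return dom
    return None


def find_c2_hits(log_lines):
    """Scan DNS/proxy log lines; return [(line_no, hostname, c2_domain)]."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for host in HOSTNAME_RE.findall(line.lower()):
            dom = matches_c2(host)
            if dom:
                hits.append((n, host, dom))
    return hits


def suspicious_startup_entries(entries):
    """entries: iterable of (shortcut_name, target_path). Flag entries whose
    target file name is one of the reported binaries. Treat hits as leads
    for investigation, not verdicts: file names alone are weak evidence."""
    flagged = []
    for name, target in entries:
        base = os.path.basename(target.replace("\\", "/")).lower()
        if base in BATAVIA_BINARIES:
            flagged.append((name, target))
    return flagged


def lnk_target_names(lnk_bytes):
    """Cheap .lnk triage without a full parser: look for the reported binary
    names anywhere in the shortcut, in ANSI or UTF-16LE encoding (the
    target path appears in one of those forms)."""
    lowered = lnk_bytes.lower()  # ASCII-only lowering, NUL bytes untouched
    found = set()
    for name in BATAVIA_BINARIES:
        if name.encode("ascii") in lowered or name.encode("utf-16-le") in lowered:
            found.add(name)
    return sorted(found)


def scan_startup_dir(startup_dir):
    """Walk a Startup folder (per-user default is
    %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup) and report
    shortcuts that reference a reported binary."""
    results = []
    for p in Path(startup_dir).glob("*.lnk"):
        names = lnk_target_names(p.read_bytes())
        if names:
            results.append((p.name, names))
    return results


# Constructed sample input (not real telemetry).
SAMPLE_LOG = [
    "2025-07-08T10:12:03Z dns qname=mail.ru-exchange.com qtype=A client=10.0.5.17",
    "2025-07-08T10:12:04Z dns qname=update.microsoft.com qtype=A client=10.0.5.17",
    "2025-07-08T10:13:10Z proxy CONNECT oblast-ru.com:443 user=jdoe status=200",
    "2025-07-08T10:13:11Z proxy GET http://notoblast-ru.com/ user=jdoe status=200",
]
SAMPLE_STARTUP = [
    ("javav.lnk", r"C:\Users\jdoe\AppData\Local\Temp\javav.exe"),
    ("OneDrive.lnk", r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]

if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG):
        print("C2 hit:", hit)
    for entry in suspicious_startup_entries(SAMPLE_STARTUP):
        print("Startup hit:", entry)
```

On the constructed sample the script reports the `mail.ru-exchange.com` lookup and the `oblast-ru.com` CONNECT but not the look-alike `notoblast-ru.com`, and flags only the `javav.lnk` shortcut. `scan_startup_dir` is the on-host counterpart for a real Startup folder; its byte scan is deliberately crude and should be followed by proper shortcut parsing before any conclusion is drawn.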