Full Report
Russian organizations have been targeted as part of an ongoing campaign that delivers a previously undocumented Windows spyware called Batavia. The activity, per cybersecurity vendor Kaspersky, has been active since July 2024. "The targeted attack begins with bait emails containing malicious links, sent under the pretext of signing a contract," the Russian company said. "The main goal of the
Analysis Summary
# Threat Actor: Unknown Actor utilizing Batavia Spyware
## Attribution & Identity
The threat actor group utilizing the Batavia spyware is currently **unattributed** in this report. They are confirmed to be targeting Russian organizations. *Note: The article also details the NordDragonScan malware, but for the purpose of structuring the Batavia information, the details of the unidentified group deploying Batavia are logged here.*
## Activity Summary
The actor has been conducting an ongoing **cyber espionage campaign** targeting Russian organizations since at least **July 2024**. The goal is the installation of the novel **Batavia Windows spyware** to steal internal documents. The campaign utilizes targeted phishing emails designed to trick recipients into downloading malware under the guise of signing a contract.
## Tactics, Techniques & Procedures
- **Initial Access:** Phishing emails containing malicious links related to contract signing.
- **Execution & Staging:** Links lead to the download of an archive containing a Visual Basic Encoded script (.VBE).
- **Reconnaissance:** The initial payload profiles the compromised host, exfiltrating system information.
- **Payload Delivery:** Retrieval of a second-stage payload (an executable written in Delphi) from the same server.
- **Action on Objectives (Data Theft):** Background collection of system logs, installed programs, OS components, and specific document types (PDF, DOC/DOCX, ODS/ODT, XLS/XLSX). Collection also occurs from removable devices.
- **Evasion/Distraction:** The Delphi malware displays a fake contract document to the victim while performing background operations.
- **Escalated Collection:** The Delphi malware downloads a separate binary for wider data collection, targeting images, emails, PowerPoint, archives, and text files.
- **Persistence/Next Stage:** Collected data is transmitted to a distinct second domain, leading to the download of an unknown fourth-stage executable.
## Targeting
- Sectors: **Not explicitly defined in the text**; the document types collected suggest corporate or government organizations within Russia.
- Geography: **Russia**.
- Victims: **Several dozen organizations**, with **more than 100 users** receiving phishing emails over the past year. Specific organization names are not provided.
## Tools & Infrastructure
- **Malware Families Used:**
  - **Batavia:** Previously undocumented Windows spyware.
    - Stage 1: Visual Basic Encoded script (.VBE).
    - Stage 2: Delphi-written executable payload.
    - Stage 3/4: Binary for expanded collection and a subsequent unknown executable.
- **Infrastructure (C2):**
  - Initial Phishing Domain: `oblast-ru[.]com` (stated to be owned by the attackers).
  - C2/Exfiltration Destination 1: `oblast-ru[.]com` (used for Stage 1/2 payloads).
  - Exfiltration/C2 Destination 2: `ru-exchange[.]com` (used to transmit collected data and download the Stage 4 payload).
## Implications
This represents a sustained cyber espionage effort actively targeting Russian entities for over a year, prioritizing the exfiltration of sensitive internal documents. The multi-stage infection chain, the combination of built-in Windows scripting (.VBE) with compiled native code (Delphi), and the dedicated infrastructure suggest a well-resourced and focused threat actor dedicated to information theft.
## Mitigations
- **Email Security:** Implement strong filtering and authentication mechanisms to block phishing emails originating from external sources masquerading as internal communications or contracts.
- **Endpoint Detection and Response (EDR):** Deploy robust EDR capable of detecting suspicious scripting activity (.VBE execution) and unauthorized data staging/exfiltration, particularly collection from removable media.
- **Application Control:** Restrict the execution of potentially malicious scripts or binaries downloaded from the initial stage.
- **Network Monitoring:** Monitor egress traffic for connection attempts to the identified attacker domains (`oblast-ru[.]com` and `ru-exchange[.]com`).
- **Focus on Document Protection:** Ensure sensitive documents, especially those frequently accessed from or stored on removable media (USB drives), are protected via appropriate access controls and encryption where possible.
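The network-monitoring mitigation above can be turned into a concrete check. The following is an added example, not code from Kaspersky or the article: it refangs the two attacker domains named in this report, scans proxy log lines for connections to them (including subdomains), and flags any client that contacted both the delivery domain and the exfiltration domain, which is the sequence the infection chain describes. The log layout and the sample lines are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Attacker domains exactly as published in the report (defanged), with the role the report assigns to each.
STAGE_DOMAINS = {
    "oblast-ru[.]com": "stage1/2 delivery (VBE archive, Delphi payload)",
    "ru-exchange[.]com": "exfiltration / stage 4 download",
}

def refang(ioc: str) -> str:
    """Convert a defanged indicator ('oblast-ru[.]com') into a matchable hostname."""
    return ioc.replace("[.]", ".").strip().lower()

WATCHLIST = {refang(d): role for d, role in STAGE_DOMAINS.items()}

# Assumed proxy log layout (constructed for this example): "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")
HOST_RE = re.compile(r"^[a-z]+://(?P<host>[^/:?#]+)", re.IGNORECASE)

def watchlist_role(url: str):
    """Return the report's role for the URL's host if it is an attacker domain or a subdomain of one."""
    m = HOST_RE.match(url)
    if not m:
        return None
    host = m.group("host").lower()
    for domain, role in WATCHLIST.items():
        if host == domain or host.endswith("." + domain):  # avoids matching look-alikes such as evil-oblast-ru.com
            return role
    return None

def scan_proxy_log(lines):
    """Return per-client watchlist hits and the clients that touched both the delivery and the exfil domain."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        role = watchlist_role(m["url"])
        if role:
            hits[m["src"]].append({"ts": m["ts"], "url": m["url"], "role": role})
    full_chain = sorted(src for src, h in hits.items() if len({x["role"] for x in h}) == len(WATCHLIST))
    return dict(hits), full_chain

# Constructed sample log lines: the hosts are the report's indicators, every other value is made up.
SAMPLE_LOG = [
    "2024-09-02T08:14:05Z 10.1.2.30 GET http://oblast-ru.com/contract.zip 200",
    "2024-09-02T08:14:09Z 10.1.2.30 GET http://oblast-ru.com/update 200",
    "2024-09-02T08:21:40Z 10.1.2.30 POST https://ru-exchange.com/upload 200",
    "2024-09-02T08:22:11Z 10.1.2.31 GET https://cdn.example.net/lib.js 200",
    "2024-09-02T08:25:00Z 10.1.2.32 GET http://files.oblast-ru.com/doc.zip 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    hits, chain = scan_proxy_log(SAMPLE_LOG)
    for src, h in hits.items():
        print(src, [x["role"] for x in h])
    print("clients showing the full delivery+exfil chain:", chain)
```

A single hit on either domain is worth an alert on its own; the "full chain" list is the subset that should be prioritised for host isolation and forensic collection.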