New ArguePatch Variant Attacks Ukraine

Description

FortiGuard Labs is aware of a report that a new variant of ArguePatch malware was used in an attack against Ukraine. This ArguePatch variant includes a feature that lets it perform a specific action at a specified time without having to set up a scheduled task.



Why is this Significant?

This is significant because the new variant of ArguePatch malware can now perform a specific action at a specified time without setting up a scheduled task. This makes the malware stealthier, allowing it to stay under the radar until it actually carries out its next-stage action.
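The detection consequence of that change, as an added example that is not FortiGuard's or the malware's code: a hunting rule keyed only to scheduled-task creation never sees a loader that simply waits in-process until its trigger time, whereas a rule that measures how long a process sits dormant before its first observable action still does. The event schema (keys ts, type, pid, image), the image paths, the timestamps and the one-hour dormancy threshold are all constructed assumptions for the demonstration.

```python
"""Added example: contrasting two hunting rules on constructed process telemetry.

Assumed event schema (not from any real EDR product):
  ts    - ISO 8601 timestamp
  type  - 'process_start', 'task_create' or 'action'
  pid   - process id
  image - executable path
"""
from datetime import datetime, timedelta

# Constructed sample telemetry: one benign updater that registers a scheduled
# task, one short-lived interactive process, and one loader that starts, does
# nothing observable for hours, then acts at its specified time.
SAMPLE_EVENTS = [
    {"ts": "2022-05-10T09:00:00", "type": "task_create",
     "pid": 1001, "image": "C:\\Program Files\\Updater\\upd.exe"},
    {"ts": "2022-05-10T09:05:00", "type": "process_start",
     "pid": 2002, "image": "C:\\Users\\Public\\loader_sample.exe"},
    {"ts": "2022-05-10T09:05:30", "type": "process_start",
     "pid": 3003, "image": "C:\\Windows\\notepad.exe"},
    {"ts": "2022-05-10T09:06:00", "type": "action",
     "pid": 3003, "image": "C:\\Windows\\notepad.exe"},
    {"ts": "2022-05-10T14:30:00", "type": "action",
     "pid": 2002, "image": "C:\\Users\\Public\\loader_sample.exe"},
]


def scheduled_task_only_rule(events):
    """Baseline rule: flag every process that creates a scheduled task.

    This is the rule an in-process delay sidesteps entirely, because the
    waiting loader never emits a task_create event.
    """
    return sorted({e["pid"] for e in events if e["type"] == "task_create"})


def dormant_then_act_rule(events, min_dormancy=timedelta(hours=1)):
    """Flag processes whose first observable action comes long after start.

    Returns a list of (pid, image, dormancy) tuples, sorted by pid. The
    dormancy threshold is an assumption; tune it to the environment.
    """
    start = {}         # pid -> (start time, image)
    first_action = {}  # pid -> time of first 'action' event
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "process_start":
            start.setdefault(e["pid"], (ts, e["image"]))
        elif e["type"] == "action":
            first_action.setdefault(e["pid"], ts)

    hits = []
    for pid, (started, image) in start.items():
        acted = first_action.get(pid)
        if acted is not None and acted - started >= min_dormancy:
            hits.append((pid, image, acted - started))
    return sorted(hits)


if __name__ == "__main__":
    print("scheduled-task rule flags:", scheduled_task_only_rule(SAMPLE_EVENTS))
    for pid, image, dormancy in dormant_then_act_rule(SAMPLE_EVENTS):
        print(f"dormant-then-act rule flags pid {pid} ({image}) after {dormancy}")
```

On the sample data the scheduled-task rule flags only the benign updater (pid 1001) and misses the loader, while the dormancy rule flags the loader (pid 2002) after 5 hours 25 minutes of silence. In practice the second rule needs a definition of "action" that matches what the environment logs (file writes, child processes, network connections) and a threshold high enough to keep long-running services out of the results.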



What is ArguePatch?

ArguePatch is a loader malware that was previously used in campaigns against Ukraine which involved CaddyWiper and Industroyer2. The malware is a patched version of a legitimate component of Hex-Rays IDA Pro software.


FortiGuard Labs previously released Threat Signals on CaddyWiper and Industroyer2. See the Appendix for links to "Additional Wiper Malware Deployed in Ukraine #CaddyWiper" and "Industroyer2 Discovered Attacking Critical Ukrainian Verticals".



What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against known variants of ArguePatch:

W32/Agent.AECG!tr

W32/PossibleThreat