Batavia Spyware
A sophisticated cyber-espionage campaign has been actively targeting Russian organizations since July 2024. At the heart of the operation is a previously undocumented spyware named Batavia, which is deployed through deceptive emails designed to appear as legitimate contract offers.
The Infection Chain: From Email to Espionage
The attack commences with carefully crafted phishing emails, sent from the attacker-controlled domain oblast-ru.com. These messages lure recipients with a fake contract signing request and include a malicious link. Clicking the link initiates the download of an archive file containing a Visual Basic Encoded script (.VBE file).
Once executed, the script performs reconnaissance by collecting detailed information about the host system and transmitting it to a remote server. This triggers the download of a secondary payload, an executable written in Delphi.
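The stage-one delivery described above gives a mail gateway two concrete things to check: the sender or link domain, and whether a "contract" archive actually carries a Windows script. The following is an added example written for this page, not code from the original write-up or from any vendor product. It assumes a ZIP archive (the write-up does not say which archive format is used), treats the oblast-ru.com domain named above as the only known delivery domain, and adds a few sibling script extensions beyond .vbe as a defensive superset; the sample archive and message are constructed in the block.

```python
from __future__ import annotations

import io
import zipfile
from urllib.parse import urlparse

# Delivery domain named in the write-up (constructed IOC list; extend from your own intel).
PHISHING_DOMAINS = {"oblast-ru.com"}

# Script types that should never arrive inside a "contract" archive. Batavia uses .vbe;
# the others are an assumption-based superset of common Windows script host extensions.
SCRIPT_EXTENSIONS = {".vbe", ".vbs", ".js", ".jse", ".wsf", ".hta"}


def is_phishing_sender(address: str) -> bool:
    """True if the sender's domain (after '@', angle brackets tolerated) is a known IOC."""
    domain = address.rsplit("@", 1)[-1].strip(" >").lower()
    return domain in PHISHING_DOMAINS


def is_phishing_url(url: str) -> bool:
    """True if the URL host is a known delivery domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return host in PHISHING_DOMAINS or any(host.endswith("." + d) for d in PHISHING_DOMAINS)


def risky_archive_members(archive_bytes: bytes) -> list[str]:
    """Return names of ZIP members whose last extension is a script type.

    Compares the *last* extension case-insensitively, so a double extension such as
    'contract.pdf.VBE' is still caught. Non-ZIP input yields an empty list.
    """
    risky = []
    try:
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            for name in zf.namelist():
                ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
                if ext in SCRIPT_EXTENSIONS:
                    risky.append(name)
    except zipfile.BadZipFile:
        return []
    return risky


def triage_message(sender: str, urls: list[str], attachments: dict[str, bytes]) -> list[str]:
    """Combine the three checks into a list of human-readable findings for one message."""
    findings = []
    if is_phishing_sender(sender):
        findings.append(f"sender domain matches Batavia delivery IOC: {sender}")
    for url in urls:
        if is_phishing_url(url):
            findings.append(f"link points at Batavia delivery domain: {url}")
    for fname, data in attachments.items():
        for member in risky_archive_members(data):
            findings.append(f"archive {fname} contains Windows script {member}")
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a ZIP with a double-extension .VBE member holding harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("contract_2024.pdf.VBE", "' constructed placeholder, not a real script\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed message mirroring the lure described in the write-up.
    for line in triage_message(
        "Contracts <offer@oblast-ru.com>",
        ["https://oblast-ru.com/contract/download"],
        {"contract.zip": build_sample_archive()},
    ):
        print("ALERT:", line)
```

In a real gateway the same three checks would run on the parsed MIME parts; the point of the double-extension handling is that a filename like contract_2024.pdf.VBE renders as a PDF in most mail clients while Windows still hands it to the script host.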
Delphi Malware: Distraction and Data Theft
The Delphi-based malware likely presents a counterfeit contract to keep the victim engaged. Meanwhile, it discreetly collects a variety of sensitive information including:
- System logs and installed software information
- Microsoft Office and other document types (*.doc, *.docx, *.ods, *.odt, *.pdf, *.xls, *.xlsx)
- Screenshots and data from any removable devices connected to the host
The malware’s functionality doesn’t end there. It also downloads an additional binary from its Command-and-Control server. This file is designed to harvest an even broader array of file types for exfiltration.
Expanded File Collection Capabilities
The second-stage binary significantly expands the scope of stolen data to include:
- Images and graphical files: *.jpeg, *.jpg, *.cdr
- Emails and text-based content: *.eml, *.csv, *.txt, *.rtf
- Presentations and archives: *.ppt, *.pptx, *.odp, *.rar, *.zip
All collected information is exfiltrated to a different domain, ru-exchange.com, which also serves as the delivery point for a fourth-stage executable. This unknown component likely continues the attack chain with further malicious actions.
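Because the second- and third-stage components are defined almost entirely by the file types they sweep up, a host-side heuristic can use exactly the extension lists given above: a single process that opens many user files spanning several of those categories in a short window, especially if the same process then talks to ru-exchange.com, is worth an alert. The block below is an added example written for this page, not the write-up's or any EDR vendor's code. It assumes Sysmon-style file-read and network events already normalised into tuples, and the thresholds and the window length are assumptions to be tuned per environment; the events it runs over are constructed in the block.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extension categories exactly as the write-up lists them for stages two and three.
HARVESTED = {
    "documents": {".doc", ".docx", ".ods", ".odt", ".pdf", ".xls", ".xlsx"},
    "images": {".jpeg", ".jpg", ".cdr"},
    "text_mail": {".eml", ".csv", ".txt", ".rtf"},
    "presentations_archives": {".ppt", ".pptx", ".odp", ".rar", ".zip"},
}
EXT_TO_CATEGORY = {ext: cat for cat, exts in HARVESTED.items() for ext in exts}

# Exfiltration domain named in the write-up.
EXFIL_DOMAINS = {"ru-exchange.com"}

# Assumed thresholds: distinct harvested files and distinct categories within WINDOW.
MIN_FILES = 15
MIN_CATEGORIES = 2
WINDOW = timedelta(minutes=5)


def category_of(path: str) -> str | None:
    """Map a Windows path to its harvested-file category, or None if not of interest."""
    return EXT_TO_CATEGORY.get(PureWindowsPath(path).suffix.lower())


def detect_harvesting(file_events, net_events) -> dict[int, dict]:
    """Flag processes that read many harvested-type files in a short time.

    file_events: iterable of (timestamp, pid, image, path) for file reads.
    net_events:  iterable of (timestamp, pid, image, dest_host) for outbound connections.
    Returns {pid: finding}; 'exfil_contact' records whether that pid also reached
    the exfiltration domain, which raises the finding from suspicious to high confidence.
    """
    per_pid: dict[int, list] = defaultdict(list)
    for ts, pid, image, path in file_events:
        cat = category_of(path)
        if cat:
            per_pid[pid].append((ts, image, path, cat))
    contacted = {pid for _, pid, _, host in net_events if host.lower() in EXFIL_DOMAINS}

    findings = {}
    for pid, evs in per_pid.items():
        evs.sort()  # time order; a sliding window then bounds the span to WINDOW
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            files = {e[2] for e in window}
            cats = {e[3] for e in window}
            if len(files) >= MIN_FILES and len(cats) >= MIN_CATEGORIES:
                findings[pid] = {
                    "image": evs[0][1],
                    "files_total": len({e[2] for e in evs}),
                    "categories": sorted({e[3] for e in evs}),
                    "exfil_contact": pid in contacted,
                }
                break
    return findings


def build_sample_events():
    """Constructed telemetry: a normal Word session and a burst of reads by a lure binary."""
    t0 = datetime(2024, 7, 15, 9, 0, 0)
    file_events = [
        (t0 + timedelta(minutes=3 * i), 100, "WINWORD.EXE", f"C:\\Users\\a\\Documents\\report{i}.docx")
        for i in range(3)
    ]
    names = ["budget.xlsx", "contract.pdf", "notes.txt", "scan.jpg", "deck.pptx", "mail.eml",
             "data.csv", "old.zip", "memo.doc", "draft.odt", "photo.jpeg", "logo.cdr",
             "list.ods", "slides.odp", "backup.rar", "rich.rtf", "sheet.xls", "plan.docx",
             "q3.pptx", "info.txt"]
    for i, n in enumerate(names):
        file_events.append((t0 + timedelta(seconds=5 * i), 200, "contract_viewer.exe",
                            f"C:\\Users\\a\\Desktop\\{n}"))
    net_events = [
        (t0 + timedelta(minutes=2), 200, "contract_viewer.exe", "ru-exchange.com"),
        (t0, 100, "WINWORD.EXE", "update.example.org"),
    ]
    return file_events, net_events


if __name__ == "__main__":
    for pid, finding in detect_harvesting(*build_sample_events()).items():
        print(pid, finding)
```

The count-and-category rule alone will fire on backup agents and indexers, so in practice it is paired with an allow-list of known images; correlating the same pid with the exfiltration domain is what turns a noisy behavioural rule into a Batavia-specific alert.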
Widespread Impact and Collected Data
Over the past year, more than 100 users across several dozen organizations have been targeted with these phishing messages. The final payload ensures thorough data harvesting, exfiltrating not only personal and corporate documents but also:
- A complete inventory of installed software
- Information about device drivers
- Operating system component details
Conclusion: A Coordinated and Evolving Espionage Threat
The Batavia spyware campaign reflects a coordinated and persistent threat to organizational security in Russia. The multi-stage infection chain, coupled with its ability to extract a wide spectrum of files and system intelligence, marks it as a formidable espionage tool. Organizations must remain vigilant and adopt proactive security measures to defend against such advanced, deceptive attacks.