Batavia spyware steals data from Russian organizations

Keypoints

• Batavia spyware campaign started in July 2024 and targets Russian organizations via bait emails with malicious links pretending to be contracts.
• The infection involves three stages: a VBS downloader script, followed by execution of WebView.exe, then javav.exe, each performing specific data theft functions.
• The VBS script downloads an encrypted file and retrieves parameters from a command-and-control (C2) server to adapt the attack based on the victim’s OS.
• WebView.exe collects system logs and office documents, takes screenshots, and downloads further payloads while communicating with a different C2 domain.
• javav.exe expands file collection to include images, emails, archives, and other document types and introduces commands to change C2 servers and load extra modules.
• UAC bypass technique using computerdefaults.exe and registry modification is used to launch additional malicious payloads like windowsmsg.exe.
• More than 100 users across several dozen Russian industrial companies were targeted according to Kaspersky telemetry data.