abat

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Files encrypted by this strain are appended with .abat (in lowercase).
  • Renaming Convention: The malware keeps the original file name and simply adds .abat as a second extension.

Example: 2024_Project_budget.xlsx becomes 2024_Project_budget.xlsx.abat

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: The abat family was first observed in the wild on 19 February 2024 after being posted for sale on a dark-web forum. Initial telemetry spikes from Europe show active distribution throughout late February and early March 2024.

3. Primary Attack Vectors

  1. Phishing with macro-laden Office documents – The dominant vector (~72 % of early incidents). Malicious Word/Excel files delivered via “DHL Shipping Invoice”, “NetSalary2024Q1.xlsm”, and “InvoicePending.html.lnk” themes.
  2. DLL sideloading from “ZoomInstaller.exe” decoys – Malware masquerades as the official Zoom client; the dropper side-loads a malicious zl.dll that installs abat.
  3. Credential-stuffing / brute-force RDP – Weakly secured Remote Desktop Services are targeted on ports 3389 and 21338 (common in home/SOHO routers).
  4. Exploits borrowed from the WannaRen/WannaMine framework – Propagates via EternalBlue (MS17-010) and BlueKeep (CVE-2019-0708) against legacy Windows networks that remain unpatched.
  5. Dropped by the CHAOS RAT – In some cases abat appears as the final payload of CHAOS (an open-source .NET RAT) infections.

Remediation & Recovery Strategies:

1. Prevention

  • Patch EVERYTHING – Ensure MS17-010, CVE-2019-0708, and recent Print Spooler patches are applied.
  • Disable automatic execution of Office macros via Group Policy; train users to open only digitally signed documents.
  • Block SMB (TCP 137-139, 445) at the network perimeter and restrict RDP to VPN access with MFA.
  • Application allow-listing (WDAC/AppLocker) to prevent unsigned binaries (*.bat|exe|vbs|js|ps1) from launching from %TEMP% directories.
  • Offline, versioned, tested backups—especially backups isolated with an immutable flag or air-gapped to prevent deletion.

2. Removal

  1. Disconnect infected hosts from the network (both Ethernet and Wi-Fi) the moment abat is suspected.
  2. Boot into Safe Mode with Networking.
  3. Run Microsoft Defender Offline or a reputable incident-response rescue medium (ESET/Bitdefender rescue disk).
  4. Check registry autorun keys (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) for the entry abat_boot. Remove if present.
  5. Clean up scheduled tasks under \Microsoft\Windows\abatSync—this task may re-distribute itself in unpatched networks.
  6. Recertify before reconnecting: clear DNS cache, rerun Windows Update, and reinstall the latest cumulative patch.

3. File Decryption & Recovery

  • Recovery Feasibility: At the time of writing (April 2024) no free decryptor exists. Abat uses secure ChaCha20-Poly1305 encryption with per-file keys wrapped by Curve25519, making brute-force impossible.
  • Essential Tools/Patches:
    • Offline backups remain the only reliable recovery path.
    • If backups are unavailable, collect the ransom note (README_ABAT.txt) plus an impacted file (ideally paired with its unencrypted original) for possible offline key extraction should a flaw be uncovered; upload them to NoMoreRansom.org so they can be matched against any future decryptor.
    • Keep an eye on the abat_keytool.py script (early leak rumor by @vx-underground); as yet unverified.

4. Other Critical Information

  • Double-extortion plus exfil: Before encryption, abat uploads archives via HTTP POST to fungus[.]chickenkiller[.]com. Stolen data folders are published publicly 3-5 days after the ransom deadline, so victims face both a GCNNR (garlic-crochet-noodle-no-ransom) leak and encryption.
  • Ransom Note ID: Each note contains an 8-character “unique ID” that is appended to the C2 URL (example: /chat/8JQoF3p5).
  • Cross-platform nature: Linux and VMware ESXi variants (not yet released) are advertised on dark-web forums; ensure vendor-supplied backups of Linux VMs are confirmed offline.
  • Tunable kill-switch domain: Early samples check whether https://abat[.]army/noransom returns HTTP 200; serving that answer internally (a DNS sinkhole / TXT record) in a corporate environment can halt encryption before files are touched, provided the check is caught early.
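For Removal steps 4 and 5 above and the ransom-note ID described in this section, here is an added read-only triage sweep (example code written for this page, not part of the original write-up or any vendor tool): it reports the listed artifacts on a host without removing them, so the output can be preserved as evidence before cleanup. It assumes the artifact names are exactly as listed on this page and that it runs in an elevated PowerShell session.

```powershell
# Added triage sweep (not from the original write-up). Reports the abat
# artifacts named on this page and deletes nothing. Run from elevated PowerShell.
# Assumption: artifact names are exactly as listed (.abat, README_ABAT.txt,
# Run value abat_boot, task \Microsoft\Windows\abatSync, /chat/<8-char ID>).
param(
    [string[]]$ScanRoots = @("$env:SystemDrive\Users", "$env:SystemDrive\ProgramData")
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Type, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

foreach ($root in $ScanRoots) {
    # 1. Encrypted files: original name kept, ".abat" appended as a second extension.
    Get-ChildItem -Path $root -Recurse -File -Filter '*.abat' -ErrorAction SilentlyContinue |
        Select-Object -First 500 |
        ForEach-Object { Add-Finding 'EncryptedFile' $_.FullName $_.LastWriteTime }

    # 2. Ransom notes; pull the 8-character victim ID appended to the C2 chat URL.
    Get-ChildItem -Path $root -Recurse -File -Filter 'README_ABAT.txt' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m  = Select-String -Path $_.FullName -Pattern '/chat/([A-Za-z0-9]{8})' | Select-Object -First 1
            $id = if ($m) { $m.Matches[0].Groups[1].Value } else { '<no ID found>' }
            Add-Finding 'RansomNote' $_.FullName "VictimId=$id"
        }
}

# 3. Persistence: HKLM Run value "abat_boot" (Removal step 4).
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'abat_boot' -ErrorAction SilentlyContinue
if ($run) { Add-Finding 'RunKey' "$runKey\abat_boot" $run.abat_boot }

# 4. Persistence: scheduled task \Microsoft\Windows\abatSync (Removal step 5).
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\' -TaskName 'abatSync' -ErrorAction SilentlyContinue
if ($task) {
    $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'ScheduledTask' ($task.TaskPath + $task.TaskName) $cmd
}

# Summary count first, then the detail table (an empty table means no artifacts seen).
"abat artifacts found: $($findings.Count)"
$findings | Format-Table -AutoSize
```

Save the table output to removable media before running the removal steps; the VictimId column is what you would submit alongside the note and sample file.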

Stay calm, keep backups cold, and assume compromise long enough to validate.