misp-circl-feed/feeds/circl/misp/b9b6dcfa-0b11-40dc-9bf4-9a36a2c1a046.json

424 lines
22 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
"Event": {
"analysis": "0",
"date": "2022-02-24",
"extends_uuid": "56cb2bd3-5525-46bd-a454-ea895a5b4d0d",
"info": "HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine",
"publish_timestamp": "1664880606",
"published": true,
"threat_level_id": "1",
"timestamp": "1664880605",
"uuid": "b9b6dcfa-0b11-40dc-9bf4-9a36a2c1a046",
"Orgc": {
"name": "Centre for Cyber security Belgium",
"uuid": "5cf66e53-b5f8-43e7-be9a-49880a3b4631"
},
"Tag": [
{
"colour": "#0088cc",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:target-information=\"Ukraine\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0088cc",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Data Destruction - T1485\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0088cc",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Disk Structure Wipe - T1561.002\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0088cc",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Signed Binary Proxy Execution - T1218\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0088cc",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Group Policy Modification - T1484.001\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0088cc",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#ffffff",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "tlp:white",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#054300",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "admiralty-scale:source-reliability=\"a\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0eb100",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "admiralty-scale:information-credibility=\"1\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645686071",
"to_ids": true,
"type": "md5",
"uuid": "de0bd41d-ffac-4e5a-8ffd-63c0ba4c6979",
"value": "231b3385ac17e41c5bb1b1fcb59599c4"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645686071",
"to_ids": true,
"type": "md5",
"uuid": "dc288e70-bf4b-46cc-84aa-515e39f3b433",
"value": "095a1678021b034903c85dd5acb447ad"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645686071",
"to_ids": true,
"type": "md5",
"uuid": "e499240c-bfd1-4e5b-a70b-244c11d69053",
"value": "eb845b7a16ed82bd248e395d9852f467"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645688022",
"to_ids": false,
"type": "link",
"uuid": "194c007c-eb84-4987-ae29-4dca3b02db47",
"value": "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/"
},
{
"category": "Artifacts dropped",
"comment": "Effectively disables crash dumps before the abused driver's execution starts",
"deleted": false,
"disable_correlation": true,
"timestamp": "1645688123",
"to_ids": false,
"type": "regkey|value",
"uuid": "8c55aae8-9ee3-4488-93e8-ee3998518fce",
"value": "SYSTEM\\CurrentControlSet\\Control\\CrashControl CrashDumpEnabled|0"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1645688459",
"to_ids": true,
"type": "filename",
"uuid": "85ca7a94-fcfb-4097-affc-0b102ae4dff5",
"value": "empntdrv.sys"
}
],
"Object": [
{
"comment": "912342f1c840a42f6b74132f8a7c4ffe7d40fb77: Enriched via the virustotal module",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "4",
"timestamp": "1645687145",
"uuid": "d611f80f-3015-4e5a-ba28-a4219aae2114",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "permalink",
"timestamp": "1645687142",
"to_ids": false,
"type": "link",
"uuid": "df316954-b61d-436a-8804-d2f38a368eeb",
"value": "https://www.virustotal.com/gui/file/0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da/detection/f-0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da-1645685791"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1645687145",
"to_ids": false,
"type": "text",
"uuid": "8becd4d8-0f4c-429a-a3d4-9e33ac8f55c5",
"value": "8/71"
}
]
},
{
"comment": "912342f1c840a42f6b74132f8a7c4ffe7d40fb77: Enriched via the virustotal module",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2022-02-24T06:35:51+00:00",
"last_seen": "2022-02-24T06:35:51+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1645687295",
"uuid": "f6a02b6b-91df-4a01-9115-798e59bc7023",
"ObjectReference": [
{
"comment": "",
"object_uuid": "f6a02b6b-91df-4a01-9115-798e59bc7023",
"referenced_uuid": "d611f80f-3015-4e5a-ba28-a4219aae2114",
"relationship_type": "analysed-with",
"timestamp": "1664880605",
"uuid": "dcd014f8-ccb2-4885-8563-6f2799ffd2a2"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1645687295",
"to_ids": true,
"type": "md5",
"uuid": "ec4a3df5-9479-4468-a990-a3f97ff69a1b",
"value": "84ba0197920fd3e2b7dfa719fee09d2f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1645687295",
"to_ids": true,
"type": "sha1",
"uuid": "27637845-3dbd-4454-ad6c-51b7d05e22e9",
"value": "912342f1c840a42f6b74132f8a7c4ffe7d40fb77"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1645687295",
"to_ids": true,
"type": "sha256",
"uuid": "2b89b426-8ae3-483c-8a10-46acc4b9a441",
"value": "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
}
]
},
{
"comment": "61b25d11392172e587d8da3045812a66c3385451: Enriched via the virustotal module",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "4",
"timestamp": "1645687548",
"uuid": "d9a1332e-3511-4417-97c8-f30621513106",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "permalink",
"timestamp": "1645687548",
"to_ids": false,
"type": "link",
"uuid": "bafabadb-48ca-48a7-b192-ed30a1ffc57c",
"value": "https://www.virustotal.com/gui/file/1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591/detection/f-1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591-1645686225"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1645687545",
"to_ids": false,
"type": "text",
"uuid": "fecf0286-1c32-478d-93e3-507253b34c26",
"value": "28/71"
}
]
},
{
"comment": "61b25d11392172e587d8da3045812a66c3385451: Enriched via the virustotal module",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1645687557",
"uuid": "df7db285-8f67-49a0-a570-360c55604d2c",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1645687557",
"to_ids": true,
"type": "md5",
"uuid": "b5d4be4e-d2cf-479b-90bf-6ad348b213dd",
"value": "3f4a16b29f2f0532b7ce3e7656799125"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1645687554",
"to_ids": true,
"type": "sha1",
"uuid": "6f40134d-c3f6-45b0-bea8-10bcb3b68b1e",
"value": "61b25d11392172e587d8da3045812a66c3385451"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1645687551",
"to_ids": true,
"type": "sha256",
"uuid": "127e284e-9f47-46f6-a14d-118e7e59309a",
"value": "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1645687512",
"uuid": "6e410e9b-426b-49ce-a8b9-4efdf1656f24",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1645687512",
"to_ids": true,
"type": "md5",
"uuid": "104e8a29-d087-4540-bcaa-ee455e21a157",
"value": "a952e288a1ead66490b3275a807f52e5"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1645688599",
"uuid": "c908378a-8f2a-49e1-b592-306424bd139b",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "comment",
"timestamp": "1645688599",
"to_ids": false,
"type": "comment",
"uuid": "f596d739-c866-436a-9f94-f0694db7a401",
"value": "HermeticWiper - broad hunting rule"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1645688599",
"to_ids": false,
"type": "text",
"uuid": "d47e6fda-a832-4855-8c6f-f2d3dc912138",
"value": "disk"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1645688599",
"to_ids": true,
"type": "yara",
"uuid": "87bdab8d-c1f2-4996-86b6-b0c9ef9536eb",
"value": "rule MAL_HERMETIC_WIPER {\r\n meta:\r\n desc = \"HermeticWiper - broad hunting rule\"\r\n author = \"Friends @ SentinelLabs\"\r\n version = \"1.0\"\r\n last_modified = \"02.23.2022\"\r\n hash = \"1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\"\r\n strings:\r\n $string1 = \"DRV_XP_X64\" wide ascii nocase\r\n $string2 = \"EPMNTDRV\\\\%u\" wide ascii nocase\r\n $string3 = \"PhysicalDrive%u\" wide ascii nocase\r\n $cert1 = \"Hermetica Digital Ltd\" wide ascii nocase\r\n condition:\r\n uint16(0) == 0x5A4D and\r\n all of them\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1645688599",
"to_ids": false,
"type": "text",
"uuid": "045e7288-a031-4613-bd58-6b839f4fd53a",
"value": "MAL_HERMETIC_WIPER"
}
]
}
2023-05-19 09:05:37 +00:00
],
"EventReport": [
{
"name": "HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine",
"content": "# HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine\r\n\r\n Juan Andr\u00e9s Guerrero-Saade / February 23, 2022\r\n\r\n## Executive Summary\r\n\r\n * On February 23rd, the threat intelligence community began observing a new wiper malware sample circulating in Ukrainian organizations.\r\n * Our analysis shows a signed driver is being used to deploy a wiper that erases Windows devices, after deleting shadow copies and manipulating MBR after rebooting.\r\n * This blog includes the technical details of the wiper, dubbed @[tag](HermeticWiper), and includes IOCs to allow organizations to stay protected from this attack.\r\n * This sample is actively being used against Ukrainian organizations, and this blog will be updated as more information becomes available.\r\n * @[tag](SentinelOne) customers are protected from this threat, no action is needed.\r\n \r\n ## Background\r\n\r\n On February 23rd, our friends at @[tag](Symantec) and @[tag](ESET) research tweeted hashes associated with a wiper attack in Ukraine, including one which is not publicly available as of this writing.\r\n\r\n We started analyzing this new wiper malware, calling it \u2018@[tag](HermeticWiper)\u2019 in reference to the digital certificate used to sign the sample. The digital certificate is issued under the company name \u2018Hermetica Digital Ltd\u2019 and valid as of April 2021. At this time, we haven\u2019t seen any legitimate files signed with this certificate. It\u2019s possible that the attackers used a shell company or appropriated a defunct company to issue this digital certificate.\r\n\r\n @[tag](HermeticWiper) Digital Signature This is an early effort to analyze the first available sample of @[tag](HermeticWiper). We recognize that the situation on the ground in Ukraine is evolving rapidly and hope that we can contribute our small part to the collective analysis effort.\r\n\r\n ## Technical Analysis\r\n\r\n At first glance, @[tag](HermeticWiper) appears to be a custom-written application with very few standard functions. The malware sample is 114KBs in size and roughly 70% of that is composed of resources. The developers are using a tried and tested technique of wiper malware, abusing a benign partition management driver, in order to carry out the more damaging components of their attacks. Both the @[tag](misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Lazarus Group - G0032\") (Destover) and @[tag](misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT33 - G0064\") (Shamoon) took advantage of Eldos Rawdisk in order to get direct userland access to the filesystem without calling Windows APIs. @[tag](HermeticWiper) uses a similar technique by abusing a different driver, @[attribute](85ca7a94-fcfb-4097-affc-0b102ae4dff5).\r\n\r\n @[tag](HermeticWiper) resources containing EaseUS Partition Manager drivers The copies of the driver are ms-compressed resources. The malware deploys one of these depending on the OS version, bitness, and SysWow64 redirection. \r\n\r\n EaseUS driver resource selection The benign EaseUS driver is abused to do a fair share of the heavy-lifting when it comes to accessing Physical Drives directly as well as getting partition information. This adds to the difficulty of analyzing @[tag](HermeticWiper), as a lot of functionality is deferred to DeviceIoControl calls with specific IOCTLs.\r\n\r\n ## MBR and Partition Corruption\r\n\r\n @[tag](HermeticWiper) enumerates a range of Physical Drives multiple times, from 0-100. For each Physical Drive, the \\\\.\\EPMNTDRV\\ device is called for a device number.\r\n\r\n The malware then focuses on corrupting the first 512 bytes, the Master Boot Record (MBR) for every Physical Drive. While that should be enough for the device not to boot again, @[tag](HermeticWiper) proceeds to enumerate the partitions for all possible drives.\r\n\r\n They then differentiate between FAT and NTFS partitions. In the case of a FAT partition, the malware calls the same \u2018bit fiddler\u2019 to corrupt the partition. For NTFS, the @[tag](HermeticWiper)
"id": "93",
"event_id": "98258",
"timestamp": "1645688536",
"uuid": "9f27b900-e658-4a75-854e-4a3e0f2d3899",
"deleted": false
}
2023-04-21 13:25:09 +00:00
]
}
}