2022-02-27

Emerging Cyber Threats in the Ongoing Russia-Ukraine Conflict

[15 March 2022, Version 5, NEW]

In line with CYFIRMA’s Cyber Security Predictions for 2022, the world is witnessing ongoing hybrid warfare against nations and their critical infrastructure. The Russia-Ukraine crisis started with a plethora of cyberattacks, with data-wiping malware used as a potent tool against Ukraine.

The newest malware observed in this chain is “CaddyWiper”. It is designed to wipe data across the Windows domains it is deployed on. What sets it apart from the other wipers is the tactic the attackers use to keep their access inside the compromised networks of the organizations they hit while still heavily disrupting operations by wiping other critical devices: the wiper calls the DsRoleGetPrimaryDomainInformation() function to check whether a device is a domain controller, and if it is, the data on that domain controller is not deleted.

While CaddyWiper bears no resemblance to the other wiper malware used before Russia’s physical invasion of Ukraine, its deployment closely mirrors that of HermeticWiper. Sample analysis shows that, just like HermeticWiper, CaddyWiper was deployed via GPO, which means the attackers had control of the target’s network beforehand.

[ 14 March 2022, Version 4]

Like any global conflict, the Russia-Ukraine crisis too has opened the doors of exploits for opportunistic threat actors. This pattern of exploiting the existing public sentiments for financial gains is not new among cybercriminals – and has been witnessed during several global crises including the Covid-19 pandemic.

Our Cyber Threat Intelligence has observed a meteoric rise in the use of phishing emails as the primary attack vector to execute scams and deliver malware (including, but not limited to, Remote Access Trojans/RATs). In particular, several Business Email Compromise (BEC) campaigns have been observed since the Russian invasion. Most of these emails use commodity malware such as Remcos RAT to deliver malevolent payloads, which are distributed in large quantities across the target threat landscape. Threat actors are also exploiting existing vulnerabilities in Microsoft Office to implant malware. For instance, CVE-2017-11882 – a “Microsoft Office Memory Corruption Vulnerability” – has been successfully leveraged by cybercriminals to run arbitrary code.

[ 04 March 2022, Version 3]

As Russia bombs major Ukrainian cities, more intel on the symphony of cyberattacks that took place before the invasion has emerged. Our threat intelligence team has observed the use of a new data wiper malware named “IsaacWiper”, which they believe was part of Russia’s sabotage arsenal and was deployed on Ukrainian government infrastructure that had not been attacked by HermeticWiper.

While the first incidence of IsaacWiper was observed on the 24th of February, there is substantial evidence that a new version of the data wiper was dropped on February 25th. Our hypothesis is that the second version was deployed because the threat actors had failed to wipe part of the target infrastructure; log messages were added to keep track of how the malware interacted with the attacked assets.

Apart from IsaacWiper, researchers have also found new samples signed under Hermetica Digital Limited and named them HermeticWizard. This malware finds the machines connected to the local network and gathers their local IP addresses. Its end goal appears to be dropping and executing the HermeticWiper malware.

Furthermore, our threat intelligence team has also identified additional TTPs of Conti Ransomware being leveraged in the ongoing conflict.

[ 02 March 2022, Version 2]

Patriotic Emotions Get the Better of Conti Ransomware Group

The announcement of “full support” for the Russian invasion of Ukraine by the notorious Conti Ransomware Group seems to have ruffled some patriotic emotions among a member of the gang or a security researcher of Ukrainian origin.

The end result? Three days after the attack on Ukraine, a new Twitter account named “Contileaks” emerged on the 27th of February. The account, suspected to have been created by a pro-Ukraine member of the ransomware group in an effort towards “Glory to Ukraine”, has leaked what our threat intelligence team regards as precious classified information. This data not only gives an inner glimpse of Conti’s workings since January 29, 2021, but also explosive TTPs which can be leveraged by several cybercriminal groups in the upcoming months.

[ 26 February 2022, Version 1]

Objective: Unauthorized Access, Cyber Espionage, Data Exfiltration, Payload Delivery, Defense Evasion, Defacement, Hybrid Warfare.

Type of Attack: Spear-Phishing, Impersonation, Malware Implant/ Data Wiper Malware, Smishing, BGP Hijacking, DDoS (Distributed Denial-of-Service), Vulnerabilities & Exploits (October CMS).

Target Technology: Microsoft Windows, Linux, Web Applications.

Target Geography: Ukraine, Global.

Target Industry: Government, Defence, Utilities, Energy, Transportation Infrastructure, Diversified Financials, Critical Infrastructure.

Suspected Vulnerability Leveraged: CVE-2021-32648 (CVSS Score: 9.1).

Suspected Threat Actors: Gamaredon, Ghostwriter, MuddyWater, Unknown Russian Threat Actors.

Malware: WhisperGate, HermeticWiper.

Business Impact Analysis: Data Loss, Operational Disruption, Reputational Damage, Geopolitical Risk.

Reported Date: February 26, 2022.

Recent Cyber Escalations in Ukraine

Since October 2021, our cyber threat intelligence team has observed a trail of spear-phishing campaigns targeting organizations and entities connected with Ukrainian affairs, ranging from government agencies, defense bodies and the judiciary to NGOs and humanitarian aid bodies.

These campaigns were traced to cyber-espionage operations launched by Gamaredon, aimed at exfiltrating sensitive data, gaining access to critical infrastructure, maintaining persistence, and following up with lateral movement.

Linked to Russia’s domestic intelligence service (FSB), Gamaredon resorted to remote template injection to evade detection and to control how and when the malicious components in the phishing emails are delivered. The attachments to these emails carried first-stage payloads which, once downloaded, can execute further payloads. The initial staging capabilities include (but are not limited to) obfuscated VBScripts, obfuscated PowerShell commands, LNK files, and self-extracting archives.

While clarity on the multiple subsequent staging scripts is limited, there is a fair possibility that staging VBScripts were deployed for defense evasion and to execute Command-and-Control (C2) changes.

Fast-forward to 2022: on January 13, a destructive malware operation masquerading as a ransomware attack was observed targeting more than 70 Ukrainian government websites. While the defacement message on the websites was political in nature, the aim of the bootloader malware was to corrupt the data of the target infrastructure.

According to researchers, this three-stage Master Boot Record (MBR) wiper malware belongs to a new malware family named WhisperGate. They also observe that the Log4j vulnerability was leveraged to launch this attack. While the modus operandi of WhisperGate seems to resonate with VOODOO BEAR’s NotPetya malware, researchers observe no technical intersection between the two.

Though no clear attribution was made in this attack, Ukrainian officials did suspect Ghostwriter – a Belarusian threat actor group – to be responsible for this attack.

Around the same time, a vulnerability in the OctoberCMS (CVE-2021-32648) was leveraged by threat actors to gain access into the network of Ukrainian government websites. The vulnerability is caused by a flaw in the October/system package. By sending a specially crafted request, an attacker could exploit this vulnerability to request an account password reset and then gain access to the account.

As per our threat intelligence team, the vulnerability exists due to a weak password recovery mechanism. The relevant weaknesses are CWE-640 and CWE-287, and the vulnerability impacts confidentiality and integrity.

The breach of the Belarus Railway’s computer systems by hacktivists brought a real-world kinetic angle to the earlier cyber-offensive activity: the group gained access to the railway’s control systems, which could have enabled them to shut down systems and cause several accidents.

This series of cyberattacks reached its high point on the 23rd of February, when a new series of malware samples was observed making inroads into Ukrainian infrastructure. This new malware, named HermeticWiper after the signer of its digital certificate, was found to be a custom-written application aiming, just like WhisperGate, to wipe Windows-based devices and to manipulate the MBR so that the system fails to boot. The attack exploits a benign partition management driver to carry out its sabotage operations.

The DDoS attack launched using HermeticWiper not only targeted government websites and government contractors but also impacted financial organizations in Ukraine and in NATO member nations.

Note: As a retaliation to the cyber-kinetic attacks on Ukraine, the hacking group Anonymous Collective claims to have declared war on the Russian government.

HYPOTHESIS

We believe that this series of activities is a classic case of how cyberattacks can be used to build a smokescreen around political propaganda. By virtue of being well integrated into Western Europe’s internet infrastructure and with the West more broadly, Ukraine provides a backdoor into the rest of Europe and a launching point for cyberattacks at a global level.

We expect similar long-term, politically motivated cyberattacks to become the newest addition to the global warfare arsenal.

While the kinetic attack on Ukraine is being witnessed at the global level, our threat intelligence team is closely monitoring activity in underground forums and on the dark web. With assorted threat actors claiming to have leaked sensitive US personnel data in retaliation for US support to Ukraine, we expect the dark web and underground forums to remain active with such spoils in the coming days.

As per our threat intelligence team, the ongoing Russia-Ukraine conflict can spill over and cause the following impact:

  1. Threat to the Physical Security of Ukraine: As the military offensive between the two countries continues, there is a strong possibility that Russian troops would work towards capturing Kyiv – the capital city of Ukraine – to establish a proxy government favouring Russia.
  2. Escalated Cyber Attacks: Cyberspace would continue to see an uptick in attacks, with both sides and their allies targeting each other’s organizations and their subsidiaries, vendors and partners with ransomware, wiper malware, DDoS attacks and more, to cause operational disruption, reputational damage and espionage.
  3. Impact on Supply Chain: The conflict would disrupt the supply chain of many nations around the world that rely on Ukraine and Russia for imports and exports of multiple items. Nations, organizations and individuals would now have to look for alternatives to meet demand.
  4. Economic Repercussions: Given the ongoing conflict and supply-chain dependence, price rises on vital items are to be expected, leading governments to rethink their plans and strategies for the coming years.
  5. Sanctions: Organizations with business or contracts with Russian organizations could be affected by the sanctions put in place and would find it difficult to sell components, share technology, carry out financial transactions or collaborate in other ways.

To conclude, the way Russia has managed to immobilize Ukraine through a series of cyberattacks is a glaring reminder of Sun Tzu’s words in “The Art of War” – often regarded as the Bible of Military Strategy – that a warring nation can gain victory by just subduing its enemy, without even engaging in a physical fight.

INSIGHTS

  1. Russian threat actors are suspected of using wiper malware to target government entities, financial institutions, investment organizations and critical infrastructure in NATO member nations, as well as other nations taking a stand against the recent Russian aggression in Ukraine. The threat actors are believed to be targeting these organizations with the backing of their government and intelligence agencies, without much regard for the physical location of the organizations.
  2. The Russian cyberattacks are believed to be in retaliation for ongoing economic and diplomatic sanctions imposed by many nations led by the US & EU and pose a heightened risk of further escalation in the cyber world.
  3. Their primary intent is to cause reputational damage to countries (and organizations from these countries) who are not in sync with their geo-political agenda, exfiltrate and wipe-out sensitive data, cause operational disruption, and name/shame entities by selling data in the grey market or to competitors for financial gains.
  4. It is suspected that multiple assets have been targeted so far, and from a few assets, data has been wiped. We suspect more such vulnerable assets could be targeted in the coming days based on the development of the geopolitical situation in Europe.
  5. While in the past, the Gamaredon group has heavily relied on off-the-shelf tools, as early as December 2021 it was observed that it has shifted to custom-developed malware. The group was noted to be using a novel RTF template injection technique in their phishing campaigns to retrieve malicious content from remote URLs. Apart from the recent deployment of eight custom binaries in cyber-espionage operations against Ukrainian entities; this hacking group is believed to be responsible for thousands of attacks in Ukraine since 2013.
  6. As per researchers, WhisperGate consists of two samples: One appears as ransomware while the other is a beaconing implant used to deliver an in-memory Microsoft Intermediate Language (MSIL) payload. The in-memory code uses Living Off the Land Binaries (LOLBINs) to evade detection and also performs anti-analysis techniques, as it will fail to detonate when certain monitoring tools exist.

 

Indicators of Compromise

Refer to the IOCs file (Russia Ukraine Cyberwar_27 Feb 2022) to exercise controls on your security systems.

 

Targeted Recommendations

  1. Implement unified threat management and external threat landscape management programs, including malware detection, deep learning neural networks and anti-exploit technology, connected with vulnerability and risk mitigation.
  2. Use threat intelligence services and maintain situational awareness of the threats emerging from the Ukraine crisis and their impact.
  3. Organizations and their subsidiaries with operations in Ukraine should undergo a thorough review of their business continuity and resilience plans.
  4. Organizations with no direct contact with or exposure to Ukraine should consider building a plan to avoid any collateral damage arising from attacks in this region.
  5. Consider alternative plans to diversify, and identify supply chains that include components from Russia or Ukraine.
  6. To limit the likelihood of attackers using lateral-movement modules, disable PowerShell wherever possible.
  7. Organizations, regardless of the geography of their operations, should incorporate Digital Risk Protection (DRP) into their overall security posture to proactively defend against impersonation and phishing attacks.
  8. Use network segmentation within converged IT/OT environments as a critical security control, based on network type, purpose and access privileges, to limit the snowball effect should one network segment be compromised.
  9. Build and undertake safeguarding measures by monitoring and blocking the IOCs and strengthening defenses based on the tactical intelligence provided.
  10. Configure the provided YARA rules and Sigma rules in your network defense mechanisms to alert on attempted cyberattacks, monitor anomalies and restrict traffic across the network.
  11. In addition to applying patches to public-facing infrastructure, organizations should:
    • Consider deploying and configuring a File Integrity Monitoring solution to monitor and/or prevent the creation of files, especially on web servers, outside of maintenance windows.
    • Enable enhanced logging and implement sufficient log retention periods to support investigations, including Microsoft System Monitor (Sysmon) on Windows servers and PowerShell Module, Script Block and Transcription logging.
    • Most of all, employ a robust endpoint security solution that allows your IT team to identify what confidential information is being stolen, when, and through which channel or device.

 

YARA Rules

Rule 1:
rule APT_UA_Hermetic_Wiper_Feb22_1 {
   meta:
      description = "Detects Hermetic Wiper malware"
      score = 75
      hash1 = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
      hash2 = "3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767"
      hash3 = "2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf"
      hash4 = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
   strings:
      $xc1 = { 00 5C 00 5C 00 2E 00 5C 00 50 00 68 00 79 00 73
               00 69 00 63 00 61 00 6C 00 44 00 72 00 69 00 76
               00 65 00 25 00 75 00 00 00 5C 00 5C 00 2E 00 5C
               00 45 00 50 00 4D 00 4E 00 54 00 44 00 52 00 56
               00 5C 00 25 00 75 00 00 00 5C 00 5C 00 2E 00 5C
               00 00 00 00 00 25 00 73 00 25 00 2E 00 32 00 73
               00 00 00 00 00 24 00 42 00 69 00 74 00 6D 00 61
               00 70 00 00 00 24 00 4C 00 6F 00 67 00 46 00 69
               00 6C 00 65 }
      $sc1 = { 00 44 00 72 00 69 00 76 00 65 00 72 00 73 00 00
               00 64 00 72 00 76 00 00 00 53 00 79 00 73 00 74
               00 65 00 6D 00 33 00 32 }

      $s1 = "\\\\?\\C:\\Windows\\System32\\winevt\\Logs" wide fullword
      $s2 = "\\\\.\\EPMNTDRV\\%u" wide fullword
      $s3 = "DRV_XP_X64" wide fullword
      $s4 = "%ws%.2ws" wide fullword

      $op1 = { 8b 7e 08 0f 57 c0 8b 46 0c 83 ef 01 66 0f 13 44 24 20 83 d8 00 89 44 24 18 0f 88 3b 01 00 00 }
      $op2 = { 13 fa 8b 55 f4 4e 3b f3 7f e6 8a 45 0f 01 4d f0 0f 57 c0 }
   condition:
      ( uint16(0) == 0x5a53 or uint16(0) == 0x5a4d ) and
      filesize < 400KB and ( 1 of ($x*) or 3 of them )
}

Rule 2:
rule APT_UA_Hermetic_Wiper_Artefacts_Feb22_1 {
   meta:
      description = "Detects artefacts found in Hermetic Wiper malware related intrusions"
      score = 75
   strings:
      $sx1 = "/c powershell -c \"rundll32 C:\\windows\\system32\\comsvcs.dll MiniDump" ascii wide
      $sx2 = "appdata\\local\\microsoft\\windows\\winupd.log" ascii wide
      $sx3 = "AppData\\Local\\Microsoft\\Windows\\Winupd.log" ascii wide
      $sx4 = "CSIDL_SYSTEM_DRIVE\\temp\\sys.tmp1" ascii wide
      $sx5 = "\\policydefinitions\\postgresql.exe" ascii wide

      $sx6 = "powershell -v 2 -exec bypass -File text.ps1" ascii wide
      $sx7 = "powershell -exec bypass gp.ps1" ascii wide
      $sx8 = "powershell -exec bypass -File link.ps1" ascii wide

      /* 16 is the prefix of an epoch timestamp that shouldn't change until the 14th of November 2023 */
      $sx9 = " 1> \\\\127.0.0.1\\ADMIN$\\__16" ascii wide

      $sa1 = "(New-Object System.Net.WebClient).DownloadFile(" ascii wide
      $sa2 = "CSIDL_SYSTEM_DRIVE\\temp\\" ascii wide
      $sa3 = "1> \\\\127.0.0.1\\ADMIN$" ascii wide
   condition:
      1 of ($sx*) or all of ($sa*)
}

Rule 3:
rule APT_UA_Hermetic_Wiper_Scheduled_Task_Feb22_1 {
   meta:
      description = "Detects scheduled task pattern found in Hermetic Wiper malware related intrusions"
      score = 85
   strings:
      $a0 = "<Task version=" ascii wide

      $sa1 = "CSIDL_SYSTEM_DRIVE\\temp" ascii wide
      $sa2 = "postgresql.exe 1> \\\\127.0.0.1\\ADMIN$" ascii wide
      $sa3 = "cmd.exe /Q /c move CSIDL_SYSTEM_DRIVE" ascii wide
   condition:
      $a0 and 1 of ($s*)
}

Rule 4:
rule HermeticWiper {
   meta:
      description = "Detecting variants of Hermetic Wiper malware discovered in UA"
      malware_type = "Trojan"

   strings:
      $0 = {E4B5518CD941310A015E4AF8E5968C8231492FE19246A293A569D5D7A36F56EB2FC5B68FFF6F3359C19AF6806920C3FE6628F90A75440E6616297A031BA6075100D72DFAA9829E772E45D77B89F862081EAFDB19B4B2DCEF3F273FF645ACCEAA4B991F98373973C0FB25829E860D9BC195EF1A0AD9219456AD077D42868EE03EE00E88D04C434BA97E88DF99273A35E2C668A1C69954B4762390ABDFBE4CD4AF}
      $1 = {90506F1C825F7AE0D8605F5C627CA325BFF199AB60A63DE8A90E923F4B18D7FB039E1DEC89D573AAB0A14C1D4BA70EB444753A41C03082A60CB4DB551393F2C50988A3181E7F31D01B5AAD94070432D98F18655AB8A555919FEFEA9DE1EDF1}
      $2 = {D5EEF61336015A85FF04ED298A6BDD6742FF153E33DAF9B383A5FFDCE7E64D47748DB5FF2609DF9BD5C66735FF6916797B2D365313FF1461EAEB9DAEA754FF6D4D55D1956CC8CBFF75C10CE74BF88C8DFF3B553B839D42609FFF2916227230}
      $3 = {6C750DDC932124500CE9B5AB91CE101BE9AD348220E9423124512282373675152281023428825C51770FE9841F853375125382F732750A5B83F60FEB6AEE2282647462228269745AEE22826F7452228275744AEE2282787442}
      $4 = {19A8A063FFAAAF6C1E7F78A896FFFA5C8F30BA98B69CFF1961E107BEB7636AFF9EA56A4FC4EDE3F1FF295235ACD0185726FFADA6B8CB54B342C9FF86F58524DC91617BFFB4388DBE01B6CF86}
      $5 = {50C449606B20184A6328556032197660AAF9507861609F6160640560B4546160C3A194056070C4A09EC4A01A0461A4C4A0831B16600561916069A291607061C09160AA1CB6204A}
      $6 = {FFEB19D2636B8B95273156BB63E8C78470D55970F47CF26574B46DE86EE084704590CA8053F15320258BBD1AACF18B04F2E965C6605CB10880B7E8FCF53DF5EB0621635EFF}
      $7 = {7E31126E14B8FF98554F6FCFB64207FFCF8D93B2573609C2FF99E4409F73BB9322FF1E5E380DC0BBABCAFF4B901EDF61BD6A68FFEE3253728C7769ABFF7BCDA939C959A282}
      $8 = {1970FFC6F8AA7C32EE693CFF369579E5355EF62CFF682CEAF20BA3EA1CFF1AAC638666431B20FF54293D1E709C231AFFCD11B55599F64CB9FF1E5A9015DC867F}
      $9 = {8DFF93B2573609C299E4FF409F73BB93221E5EFF380DC0BBABCA4B90FF1EDF61BD6A68EE32FF53728C7769AB7BCDFFA939C959A282D312FF5DD04F0370CE811F}
      $10 = {DF5519064E31101CF3DA96C15FF96728B708F358F51759E3A22FFA1CF1BB986A2038D6753E6BF037945B8469ADF20BAB71E10F3DE27735F640704C970DFE8672}
   condition:
      uint16(0) == 0x5a4d and
      filesize < 200KB and
      all of them
}

Rule 5:
rule Win32_Trojan_HermeticWiper : tc_detection malicious
{
   meta:
      category            = "MALWARE"
      malware             = "HERMETICWIPER"
      description         = "Yara rule that detects HermeticWiper trojan."

      tc_detection_type   = "Trojan"
      tc_detection_name   = "HermeticWiper"
      tc_detection_factor = 5

   strings:
      $corrupt_physical_drive = {
         55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 51 68 ?? ?? ?? ?? 0F 57 C0 89 55 ?? 8D 85 ?? ??
         ?? ?? C7 45 ?? ?? ?? ?? ?? 68 ?? ?? ?? ?? 33 F6 66 0F D6 45 ?? 33 FF 89 75 ?? 50 0F
         11 45 ?? 89 7D ?? 0F 11 45 ?? FF 15 ?? ?? ?? ?? 83 C4 ?? 8D 45 ?? 8D 55 ?? 8D 8D ??
         ?? ?? ?? 50 E8 ?? ?? ?? ?? 8B D8 83 FB ?? 0F 84 ?? ?? ?? ?? 85 DB 0F 84 ?? ?? ?? ??
         BF ?? ?? ?? ?? 57 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 6A ?? 8B F0 8D 45 ??
         50 57 56 6A ?? 6A ?? 68 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 ??
         75 ?? 66 0F 1F 44 00 ?? 56 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ?? ?? ?? ?? 81 C7 ?? ??
         ?? ?? 33 F6 81 FF ?? ?? ?? ?? 0F 83 ?? ?? ?? ?? 57 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15
         ?? ?? ?? ?? 8B F0 85 F6 0F 84 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 57 56 6A ?? 6A ?? 68 ??
         ?? ?? ?? 53 FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 83 F8 ?? 74 ?? 85 F6 0F 84 ?? ?? ??
         ?? 8B 06 C7 45 ?? ?? ?? ?? ?? 83 F8 ?? 74 ?? 85 C0 74 ?? 83 F8 ?? 0F 85 ?? ?? ?? ??
         83 7E ?? ?? C7 45 ?? ?? ?? ?? ?? 0F 86 ?? ?? ?? ?? 8B 55 ?? 8D 46 ?? 89 45 ?? 66 90
         8B 00 85 C0 74 ?? 83 F8 ?? 0F 85 ?? ?? ?? ?? 52 6A ?? FF 15 ?? ?? ?? ?? 50 FF 15 ??
         ?? ?? ?? 8B F8 89 7D ?? 85 FF 0F 84 ?? ?? ?? ?? 8B 45 ?? 6A ?? 6A ?? FF 70 ?? FF 70
         ?? 53 FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 6A ?? 8D 45 ?? 50 FF 75 ?? 57 53 FF
         15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 55 ?? 81 FA ?? ?? ?? ?? 72 ?? 66 83 7F ??
         ?? 75 ?? 85 D2 0F B7 C2 B9 ?? ?? ?? ?? 0F 45 C8 66 89 4F ?? 8B 45 ?? FF 70 ?? FF 70
         ?? FF 75 ?? FF 75 ?? 57 53 FF 55 ?? 8B 55 ?? 8B 4D ?? 8B 45 ?? 41 05 ?? ?? ?? ?? 89
         4D ?? 89 45 ?? 3B 4E ?? 0F 82 ?? ?? ?? ?? 8B 7D ?? EB ?? FF 15 ?? ?? ?? ?? 33 FF 85
         DB 74 ?? 83 FB ?? 74 ?? 53 FF 15 ?? ?? ?? ?? 8B 1D ?? ?? ?? ?? 85 F6 74 ?? 56 6A ??
         FF D3 8B 35 ?? ?? ?? ?? 50 FF D6 EB ?? FF 15 ?? ?? ?? ?? 8B 7D ?? EB ?? 33 C0 5F 5E
         5B 8B E5 5D C2 ?? ?? 8B 35 ?? ?? ?? ?? 85 FF 74 ?? 57 6A ?? FF D3 50 FF D6 8B 45 ??
         5F 5E 5B 8B E5 5D C2
      }

   condition:
      uint16(0) == 0x5A4D and
      (
         $corrupt_physical_drive
      )
}

Source: Surface Web
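As an added example (not part of the original post or of the rule authors' tooling), the Python below decodes the UTF-16LE hex blocks of YARA Rule 1 into the strings they look for and re-implements that rule's condition so the matching logic can be followed without a YARA engine. It assumes the rule's strings exactly as transcribed above, omits YARA's fullword boundary checks, and uses a constructed MZ-headed buffer rather than a real sample.

```python
"""Added example (not from the original post): decodes the wide hex strings of
APT_UA_Hermetic_Wiper_Feb22_1 and re-implements that rule's condition in Python
so the matching logic can be followed without a YARA engine."""

# Hex and text strings transcribed from the rule above.
XC1_HEX = ("00 5C 00 5C 00 2E 00 5C 00 50 00 68 00 79 00 73 "
           "00 69 00 63 00 61 00 6C 00 44 00 72 00 69 00 76 "
           "00 65 00 25 00 75 00 00 00 5C 00 5C 00 2E 00 5C "
           "00 45 00 50 00 4D 00 4E 00 54 00 44 00 52 00 56 "
           "00 5C 00 25 00 75 00 00 00 5C 00 5C 00 2E 00 5C "
           "00 00 00 00 00 25 00 73 00 25 00 2E 00 32 00 73 "
           "00 00 00 00 00 24 00 42 00 69 00 74 00 6D 00 61 "
           "00 70 00 00 00 24 00 4C 00 6F 00 67 00 46 00 69 "
           "00 6C 00 65")
SC1_HEX = ("00 44 00 72 00 69 00 76 00 65 00 72 00 73 00 00 "
           "00 64 00 72 00 76 00 00 00 53 00 79 00 73 00 74 "
           "00 65 00 6D 00 33 00 32")
OP1_HEX = "8b 7e 08 0f 57 c0 8b 46 0c 83 ef 01 66 0f 13 44 24 20 83 d8 00 89 44 24 18 0f 88 3b 01 00 00"
OP2_HEX = "13 fa 8b 55 f4 4e 3b f3 7f e6 8a 45 0f 01 4d f0 0f 57 c0"
WIDE_TEXT = {  # the $s* strings are declared "wide", so they are matched as UTF-16LE
    "$s1": "\\\\?\\C:\\Windows\\System32\\winevt\\Logs",
    "$s2": "\\\\.\\EPMNTDRV\\%u",
    "$s3": "DRV_XP_X64",
    "$s4": "%ws%.2ws",
}

def hex_to_bytes(hex_text: str) -> bytes:
    return bytes.fromhex(hex_text)

def decode_wide_fragments(raw: bytes) -> list:
    """Decode a UTF-16LE byte run into the NUL-separated strings it contains.
    The rule's hex blocks start on the 00 high byte of the preceding character,
    so both alignments are tried and the one that yields plain ASCII is kept."""
    for offset in (0, 1):
        chunk = raw[offset:]
        if len(chunk) % 2:
            chunk += b"\x00"  # complete a truncated final code unit
        parts = [p for p in chunk.decode("utf-16-le", errors="replace").split("\x00") if p]
        if parts and all(p.isascii() for p in parts):
            return parts
    return []

def rule_matches(data: bytes) -> bool:
    """Condition of the rule: (uint16(0) == 0x5a53 or 0x5a4d) and filesize < 400KB
    and (1 of ($x*) or 3 of them). YARA's 'fullword' boundary check is not enforced."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") not in (0x5A53, 0x5A4D):
        return False  # no MZ/ZM header (YARA's uint16() reads little-endian)
    if len(data) >= 400 * 1024:
        return False
    x_strings = [hex_to_bytes(XC1_HEX)]
    others = [hex_to_bytes(SC1_HEX), hex_to_bytes(OP1_HEX), hex_to_bytes(OP2_HEX)]
    others += [s.encode("utf-16-le") for s in WIDE_TEXT.values()]
    x_hits = sum(1 for s in x_strings if s in data)
    all_hits = x_hits + sum(1 for s in others if s in data)
    return x_hits >= 1 or all_hits >= 3

def build_sample(*fragments: bytes) -> bytes:
    """Constructed test buffer (not malware): an MZ magic, padding, then the fragments."""
    return b"MZ" + b"\x00" * 62 + b"\x00".join(fragments) + b"\x00" * 16
```

Decoding $xc1 shows the rule keys on raw-disk and NTFS metadata references (\\.\PhysicalDrive%u, \\.\EPMNTDRV\%u, $Bitmap, $LogFile), which is what a wiper touching the MBR and partitions would carry.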

 

Sigma Rules

Rule 1:
title: Execution of Suspicious File Type Extension
id: c09dad97-1c78-4f71-b127-7edb2b8e491a
status: experimental
description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)
tags:
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    known_image_extension:
        Image|endswith:
            - '.exe'
            - '.tmp'   # sadly many installers use this extension
    filter_null:
        Image: null
    filter_image:   # Windows utilities without extension
        Image:
            - 'Registry'
            - 'MemCompression'
    filter_empty:
        Image:
            - '-'
            - ''
    filter_starts:
        Image|startswith: 'C:\Windows\Installer\MSI'
    filter_pstarts:
        ParentImage|startswith:
            - 'C:\ProgramData\Avira\'
            - 'C:\Windows\System32\DriverStore\FileRepository\'
    filter_screensaver:
        Image|endswith: '.scr'
    filter_nvidia:
        Image|contains: 'NVIDIA\NvBackend\'
        Image|endswith: '.dat'
    filter_com:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
        Image|endswith: '.com'
    filter_winscp:
        Image|endswith: '\WinSCP.com'
    filter_vscode:
        Image|contains|all:
            - 'C:\Users\'
            - '\AppData\'
            - '.tmp'
            - 'CodeSetup'
    filter_libreoffice:
        Image|endswith: '\program\soffice.bin'
    filter_emc_networker:
        Image:
            - 'C:\Program Files\EMC NetWorker\Management\GST\apache\cgi-bin\update_jnlp.cgi'
            - 'C:\Program Files (x86)\EMC NetWorker\Management\GST\apache\cgi-bin\update_jnlp.cgi'
    filter_winpakpro:
        Image|startswith:
            - 'C:\Program Files (x86)\WINPAKPRO\'
            - 'C:\Program Files\WINPAKPRO\'
        Image|endswith: '.ngn'
    filter_myq_server:
        Image:
            - 'C:\Program Files (x86)\MyQ\Server\pcltool.dll'
            - 'C:\Program Files\MyQ\Server\pcltool.dll'
    filter_visualstudio:
        Image|startswith:
            - 'C:\Program Files\Microsoft Visual Studio\'
            - 'C:\Program Files (x86)\Microsoft Visual Studio'
        Image|endswith: '.com'
    filter_msi_rollbackfiles:
        Image|startswith: 'C:\Config.Msi\'
        Image|endswith:
            - '.rbf'
            - '.rbs'
    condition: not known_image_extension and not 1 of filter*
falsepositives:
    - unknown
level: high

Rule 2:
title: Execution Of Not Existing File
id: 71158e3f-df67-472b-930e-7d287acaa3e1
status: experimental
description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
tags:
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    image_absolute_path:
        Image|contains: '\'
    filter_null:
        Image: null
    filter_empty:
        Image:
            - '-'
            - ''
    filter_4688:
        - Image: 'Registry'
        - CommandLine: 'Registry'
    condition: not image_absolute_path and not 1 of filter*
falsepositives:
    - unknown
level: high

Source: Surface Web
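As an added example (not part of the original post or of the Sigma project), the Python below transcribes the two Sigma rules above into data plus a small matcher and runs them over constructed process_creation events, so the `not <selection> and not 1 of filter*` logic can be checked by hand. It assumes Sigma's default case-insensitive string matching and splits the OR-ed filter_4688 list into two filters, which is equivalent under `1 of filter*`.

```python
"""Added example (not from the original post): a minimal evaluator for the two
Sigma rules above, run over constructed process_creation events."""

def match_selection(event: dict, selection: list) -> bool:
    """A selection is a list of (field, modifier, values) that must all hold (AND).
    List values are OR-ed except under 'contains|all'; matching is case-insensitive."""
    for field, modifier, values in selection:
        value = event.get(field)
        if modifier == "null":
            if value is not None:
                return False
            continue
        if value is None:
            return False
        v = str(value).lower()
        vals = [str(x).lower() for x in (values if isinstance(values, list) else [values])]
        ok = {
            "equals": lambda: v in vals,
            "startswith": lambda: any(v.startswith(x) for x in vals),
            "endswith": lambda: any(v.endswith(x) for x in vals),
            "contains": lambda: any(x in v for x in vals),
            "contains|all": lambda: all(x in v for x in vals),
        }[modifier]()
        if not ok:
            return False
    return True

# Rule 1: "Execution of Suspicious File Type Extension", transcribed from the YAML above.
R1_KNOWN_EXT = [("Image", "endswith", [".exe", ".tmp"])]
R1_FILTERS = {
    "filter_null": [("Image", "null", None)],
    "filter_image": [("Image", "equals", ["Registry", "MemCompression"])],
    "filter_empty": [("Image", "equals", ["-", ""])],
    "filter_starts": [("Image", "startswith", "C:\\Windows\\Installer\\MSI")],
    "filter_pstarts": [("ParentImage", "startswith",
                        ["C:\\ProgramData\\Avira\\", "C:\\Windows\\System32\\DriverStore\\FileRepository\\"])],
    "filter_screensaver": [("Image", "endswith", ".scr")],
    "filter_nvidia": [("Image", "contains", "NVIDIA\\NvBackend\\"), ("Image", "endswith", ".dat")],
    "filter_com": [("Image", "startswith", ["C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\"]),
                   ("Image", "endswith", ".com")],
    "filter_winscp": [("Image", "endswith", "\\WinSCP.com")],
    "filter_vscode": [("Image", "contains|all", ["C:\\Users\\", "\\AppData\\", ".tmp", "CodeSetup"])],
    "filter_libreoffice": [("Image", "endswith", "\\program\\soffice.bin")],
    "filter_emc_networker": [("Image", "equals", [
        "C:\\Program Files\\EMC NetWorker\\Management\\GST\\apache\\cgi-bin\\update_jnlp.cgi",
        "C:\\Program Files (x86)\\EMC NetWorker\\Management\\GST\\apache\\cgi-bin\\update_jnlp.cgi"])],
    "filter_winpakpro": [("Image", "startswith", ["C:\\Program Files (x86)\\WINPAKPRO\\", "C:\\Program Files\\WINPAKPRO\\"]),
                         ("Image", "endswith", ".ngn")],
    "filter_myq_server": [("Image", "equals", ["C:\\Program Files (x86)\\MyQ\\Server\\pcltool.dll",
                                                "C:\\Program Files\\MyQ\\Server\\pcltool.dll"])],
    "filter_visualstudio": [("Image", "startswith", ["C:\\Program Files\\Microsoft Visual Studio\\",
                                                     "C:\\Program Files (x86)\\Microsoft Visual Studio"]),
                            ("Image", "endswith", ".com")],
    "filter_msi_rollbackfiles": [("Image", "startswith", "C:\\Config.Msi\\"), ("Image", "endswith", [".rbf", ".rbs"])],
}

# Rule 2: "Execution Of Not Existing File". filter_4688 is a YAML list of two maps
# (OR-ed), which is equivalent to two separate filters under "1 of filter*".
R2_ABS_PATH = [("Image", "contains", "\\")]
R2_FILTERS = {
    "filter_null": [("Image", "null", None)],
    "filter_empty": [("Image", "equals", ["-", ""])],
    "filter_4688_image": [("Image", "equals", "Registry")],
    "filter_4688_cmdline": [("CommandLine", "equals", "Registry")],
}

def rule_fires(event: dict, positive: list, filters: dict) -> bool:
    """Both rules share the condition shape: not <selection> and not 1 of filter*."""
    return (not match_selection(event, positive)
            and not any(match_selection(event, f) for f in filters.values()))

# Constructed sample events (not real telemetry) in process_creation shape.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe"},                # normal: no alert
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.dat"},  # unusual extension
    {"Image": "Registry", "CommandLine": "Registry"},               # kernel image, filtered
    {"Image": "updater"},                                           # no path, no extension
]

def run_rules(events=SAMPLE_EVENTS) -> list:
    """Returns (event index, rule title) for every event that triggers a rule."""
    alerts = []
    for i, ev in enumerate(events):
        if rule_fires(ev, R1_KNOWN_EXT, R1_FILTERS):
            alerts.append((i, "Execution of Suspicious File Type Extension"))
        if rule_fires(ev, R2_ABS_PATH, R2_FILTERS):
            alerts.append((i, "Execution Of Not Existing File"))
    return alerts
```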

 

STRATEGIC RECOMMENDATION

  1. Deploy Zero Trust Policy that leverages tools like security information management, advanced security analytics platforms, security user behaviour analytics, and other analytics systems to help the organization’s security personnel observe in real-time what is happening within their networks so they can orient defences more intelligently.
  2. Establish a security framework to reduce risk levels and exposure to vulnerabilities.

 

MANAGEMENT RECOMMENDATION

  1. Conduct thorough identification and prioritization of cyber risks through risk assessments, vulnerability assessments, and system reviews.
  2. Conduct periodic Vulnerability Assessment and Penetration Testing to safeguard the exposed assets.
  3. Regularly reinforce awareness of phishing attempts with end-users across the environment and emphasize the human weakness in regular mandatory information security training sessions.

 

TACTICAL RECOMMENDATION

  1. Immediately apply IoC to IPS/IDS systems to thwart inbound packets that may be suspect.
  2. Apply filters based on the IoCs to SIEM systems to detect inbound or outbound traffic on systems that contain sensitive information, particularly institutional proprietary data.
  3. Improve signature detection on IPS/IDS for known backdoor/malware traffic as designated by the IoCs provided.
  4. Ensure all applications/hardware are updated to their latest versions – this is the best way to flush out exploitable vulnerabilities.
  5. Secure your organization’s internet-facing properties with robust security protocols and encryption, including authentication or access credentials configuration, to ensure that critical information stored in databases/servers is always safe.
  6. Ensure that the organizational systems are protected with the updated versions of firewall, and anti-malware/anti-virus software.