With the rise of cyberwarfare between Ukraine and Russia, there could be blowback from the sanctions that the United States has placed on Russia. Attacks observed against Ukraine include data-wiping malware such as HermeticWiper, WhisperGate, and IsaacWiper. Ransomware groups have also been seen taking the side of one government or another. The Conti Team, a ransomware group, has stated that it would respond with hostile intent to any action by the West against "Russian speaking" countries. Shortly after the urgent call to cyber arms from within and around Ukraine, Anonymous declared "war" on Russia, and many other groups have declared allegiance to one side or the other. RSM Defense has also linked the complete leaked Conti Team message traffic below. With the hacking community fighting wars in the cyber domain, there is cause for concern for United States businesses and the integrity of their cybersecurity.
There is no single action that prepares an organization for possible cyberattacks from Russia, but the Cybersecurity & Infrastructure Security Agency (CISA) has compiled recommendations for preparing an organization's cybersecurity. The recommendations are broad, because the tactics Russian actors have been observed using in the past are varied and extensive. In its "Shields Up" guidance, CISA recommends:
- using multifactor authentication (MFA);
- keeping software up to date and prioritizing updates for known exploited vulnerabilities;
- disabling ports and protocols not needed for business purposes;
- ensuring that cybersecurity/IT staff are trained to identify unexpected or unusual behavior;
- using updated antivirus with current malware signatures;
- designating a crisis response team for potential incidents and ensuring key personnel are available to respond;
- testing backup procedures to guarantee that critical data can be restored, and keeping backups separated from the rest of the network;
- if industrial control systems are in use, testing that critical functions can remain operable under manual control.
Used together with the "Shields Up" guidance, the CISA Alert (AR21-013A) released 13 January 2021 is a great start in preparing for what may come. RSM Defense highly recommends conducting a third-party vendor assessment of your organization's critical supply chains to determine what exposure your organization may have in the region.
RSM Defense is aware of reporting on ongoing HermeticWiper (Foxblade) attacks in Ukraine, as well as the recent defacement of Ukrainian government websites and recent phishing campaigns. The main concern for United States businesses is that Russian threat actors, as well as proxy actors, could use the same or similar malware against the United States that was used against Ukraine. Components deployed alongside the wiper include HermeticWizard and HermeticRansom. HermeticWizard allows HermeticWiper to be propagated to and deployed on additional systems within affected environments: it scans the network to take an inventory of the environment and then spreads HermeticWiper to additional systems via SMB or WMI. HermeticRansom is a ransomware family that has been observed being deployed at the same time as HermeticWiper, possibly as a diversionary tactic. IsaacWiper is an additional wiper responsible for the destruction of systems and data.
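The SMB/WMI propagation described above has a simple network-level signature: one host opening connections to many distinct peers on TCP 445 (SMB) and 135 (RPC endpoint mapper, used by WMI/DCOM) in a short window. The following is an added example, not RSM Defense's code, that runs that fan-out detection over constructed connection-log lines. The log format (timestamp, source, destination, destination port), the 60-second window and the five-host threshold are assumptions to tune for your own environment.

```python
"""Fan-out detector for SMB/WMI propagation (HermeticWizard-style spreading).

Added example, not RSM Defense's code. Assumed input: one connection per line,
"<ISO-8601 UTC timestamp> <src_ip> <dst_ip> <dst_port>", as a firewall or flow
exporter might emit. Window and threshold are assumptions to tune per network.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# SMB and the RPC endpoint mapper (WMI/DCOM): the propagation channels named above.
LATERAL_PORTS = {445, 135}

# Constructed sample log (not real telemetry). 10.0.5.17 sweeps seven hosts in four
# seconds; 10.0.5.40 is an ordinary file-share user; 10.0.5.50 touches three hosts
# over nine minutes, which is below the default threshold.
SAMPLE_LOG = """\
2022-02-23T16:00:01Z 10.0.5.17 10.0.5.20 445
2022-02-23T16:00:01Z 10.0.5.17 10.0.5.21 445
2022-02-23T16:00:02Z 10.0.5.17 10.0.5.22 445
2022-02-23T16:00:02Z 10.0.5.17 10.0.5.23 135
2022-02-23T16:00:03Z 10.0.5.17 10.0.5.24 445
2022-02-23T16:00:03Z 10.0.5.17 10.0.5.25 135
2022-02-23T16:00:04Z 10.0.5.17 10.0.5.26 445
2022-02-23T16:00:05Z 10.0.5.40 10.0.5.100 445
2022-02-23T16:00:09Z 10.0.5.40 10.0.5.100 445
2022-02-23T16:00:15Z 10.0.5.40 10.0.5.101 443
2022-02-23T16:01:00Z 10.0.5.50 10.0.5.60 445
2022-02-23T16:05:00Z 10.0.5.50 10.0.5.61 445
2022-02-23T16:09:00Z 10.0.5.50 10.0.5.62 445
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, port = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)


def find_fanout(lines, window_s=60, threshold=5):
    """Return {src: set_of_dsts} for every source that reached at least `threshold`
    distinct hosts on lateral-movement ports inside some `window_s`-second interval."""
    window = timedelta(seconds=window_s)
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    per_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port in LATERAL_PORTS:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, conns in per_src.items():
        start = 0
        for end in range(len(conns)):
            # Slide the window's left edge so it spans at most `window`.
            while conns[end][0] - conns[start][0] > window:
                start += 1
            distinct = {dst for _, dst in conns[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.setdefault(src, set()).update(distinct)
    return alerts


def demo():
    """Run the detector over the constructed sample log."""
    return find_fanout(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, dsts in demo().items():
        print(f"ALERT {src} contacted {len(dsts)} hosts on SMB/RPC: {sorted(dsts)}")
```

Feed real flow or firewall logs through `find_fanout` with the same four fields; a single workstation touching many peers on 445/135 within a minute is the pattern worth an immediate look, while the threshold and window should be raised for hosts (backup servers, vulnerability scanners, SCCM) that legitimately fan out.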
IOCs for HermeticWiper, HermeticWizard, HermeticRansom, and IsaacWiper are listed below, followed by a YARA ruleset for WhisperGate.
Observables
SHA256:
Wiper EXEs
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767
Sysinternals SDelete
49E0BA14923DA608ABCAE04A9A56B0689FE6F5AC6BDF0439A46CE35990AC53EE
EaseUS Partition Master drivers
b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1
b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd
e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5
fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d
8c614cf476f871274aa06153224e8f7354bf5e23e6853358591bf35a381fb75b
23ef301ddba39bb00f0819d2061c9c14d17dc30f780a945920a51bc3ba0198a4
96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84
2c7732da3dcfc82f60f063f2ec9fa09f9d38d5cfbe80c850ded44de43bdb666d
SHA1:
HermeticWiper
com.exe 912342F1C840A42F6B74132F8A7C4FFE7D40FB77
conhosts.exe 61B25D11392172E587D8DA3045812A66C3385451
HermeticWizard
c9EEAF78C9A12.dat 3C54C9A49A8DDCA02189FE15FEA52FE24F41A86F
HermeticRansom
cc2.exe F32D791EC9E6385A91B45942C230F52AFF1626DF
IsaacWiper
cl64.dll AD602039C6F0237D4A997D5640E92CE5E2B3BBA3
cld.dll 736A4CFAD1ED83A6A0B75B0474D5E01A3A36F950
clean.exe E9B96E9B86FAD28D950CA428879168E0894D854F
Legitimate RemCom remote access tool
XqoYMlBX.exe 23873BF2670CF64C2440058130548D4E4DA412DD
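The hashes above are only useful if something compares them against files on disk. The following is an added example, not RSM Defense's code, that sweeps a directory tree, hashes each file once for both SHA-256 and SHA-1, and reports matches together with the group label from the lists above. The RemCom entry is a legitimate tool, so a hit there is context for an investigation rather than proof of compromise. The `demo()` function builds a constructed tree with a harmless stand-in file, whose digest is added to a local copy of the indicator map, so the sweep can be exercised without any malware present.

```python
"""Hash-based IOC sweep against the HermeticWiper/IsaacWiper indicators listed above.

Added example, not RSM Defense tooling. Indicator values are copied from the lists
above; everything else (paths, labels, the demo tree) is constructed for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 indicators from the "Observables" list, keyed by lowercase digest.
SHA256_IOCS = {h.lower(): label for h, label in [
    ("0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da", "Wiper EXE"),
    ("1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591", "Wiper EXE"),
    ("2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf", "Wiper EXE"),
    ("3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767", "Wiper EXE"),
    ("49E0BA14923DA608ABCAE04A9A56B0689FE6F5AC6BDF0439A46CE35990AC53EE", "Sysinternals SDelete"),
    ("b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1", "EaseUS Partition Master driver"),
    ("b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd", "EaseUS Partition Master driver"),
    ("e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5", "EaseUS Partition Master driver"),
    ("fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d", "EaseUS Partition Master driver"),
    ("8c614cf476f871274aa06153224e8f7354bf5e23e6853358591bf35a381fb75b", "EaseUS Partition Master driver"),
    ("23ef301ddba39bb00f0819d2061c9c14d17dc30f780a945920a51bc3ba0198a4", "EaseUS Partition Master driver"),
    ("96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84", "EaseUS Partition Master driver"),
    ("2c7732da3dcfc82f60f063f2ec9fa09f9d38d5cfbe80c850ded44de43bdb666d", "EaseUS Partition Master driver"),
]}

# SHA-1 indicators from the "SHA1:" list, keyed by lowercase digest.
SHA1_IOCS = {h.lower(): label for h, label in [
    ("912342F1C840A42F6B74132F8A7C4FFE7D40FB77", "HermeticWiper (com.exe)"),
    ("61B25D11392172E587D8DA3045812A66C3385451", "HermeticWiper (conhosts.exe)"),
    ("3C54C9A49A8DDCA02189FE15FEA52FE24F41A86F", "HermeticWizard (c9EEAF78C9A12.dat)"),
    ("F32D791EC9E6385A91B45942C230F52AFF1626DF", "HermeticRansom (cc2.exe)"),
    ("AD602039C6F0237D4A997D5640E92CE5E2B3BBA3", "IsaacWiper (cl64.dll)"),
    ("736A4CFAD1ED83A6A0B75B0474D5E01A3A36F950", "IsaacWiper (cld.dll)"),
    ("E9B96E9B86FAD28D950CA428879168E0894D854F", "IsaacWiper (clean.exe)"),
    ("23873BF2670CF64C2440058130548D4E4DA412DD", "Legitimate RemCom remote access tool"),
]}


def hash_bytes(data):
    """SHA-256 and SHA-1 hex digests of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest(), hashlib.sha1(data).hexdigest()


def hash_file(path, chunk=1 << 20):
    """Stream a file once and return (sha256, sha1) hex digests."""
    sha256, sha1 = hashlib.sha256(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            sha256.update(block)
            sha1.update(block)
    return sha256.hexdigest(), sha1.hexdigest()


def scan_tree(root, sha256_iocs=SHA256_IOCS, sha1_iocs=SHA1_IOCS):
    """Walk `root`; return sorted [(relative_path, algorithm, label)] for every IOC hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            try:
                s256, s1 = hash_file(path)
            except OSError:  # locked or unreadable file: skip it rather than abort the sweep
                continue
            rel = path.relative_to(root).as_posix()
            if s256 in sha256_iocs:
                hits.append((rel, "sha256", sha256_iocs[s256]))
            elif s1 in sha1_iocs:
                hits.append((rel, "sha1", sha1_iocs[s1]))
    return sorted(hits)


def demo():
    """Constructed scenario: a benign file plus a harmless stand-in whose digest is
    added to a local copy of the SHA-256 map, so the matching path is exercised."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "notes.txt").write_bytes(b"quarterly planning notes\n")
        sample = Path(tmp, "Windows", "Temp", "conhosts.exe")
        sample.parent.mkdir(parents=True)
        sample.write_bytes(b"CONSTRUCTED STAND-IN, not malware\n")
        s256, _ = hash_bytes(sample.read_bytes())
        local_iocs = {**SHA256_IOCS, s256: "constructed test entry"}
        return scan_tree(tmp, local_iocs, SHA1_IOCS)


if __name__ == "__main__":
    import sys
    for rel, algo, label in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"HIT {algo} {label}: {rel}")
```

Run it as `python sweep.py <root>` on a mounted image or a suspect host; because both digests are computed in one pass, the cost is a single read of each file regardless of how many indicator lists are loaded.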
WhisperGate YARA Rules
import "pe"
rule MAL_WhisperGate_Stage3_File_Corruptor
{
meta:
author = ""
date = ""
description = "Detects the file corruptor component of WhisperGate's stage 3 payload"
version = "1.0"
reference = "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3"
hash = "34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907"
MALWARE = "WhisperGate"
THREATACTOR = "DEV-0586"
MALWARE_ID = "lStsKc"
THREATACTOR_ID = "lStsKd"
strings:
$s1 = "cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q \"%s\"" fullword ascii
$s2 = "%.*s.%x" fullword wide
$s3 = "HOMEDRIVE" fullword wide
$s4 = "A:\\Windows" fullword wide
$s5 = "A:\\*" fullword wide
/*
Overwrite first 1MiB of file with 0xcc
0040153f e8 9c 2a CALL MSVCRT.DLL::_wfopen FILE * _wfopen(wchar_t * _Filena
00 00
00401544 c7 04 24 MOV dword ptr [ESP]=>Stack[-0x40],0x100000
00 00 10 00
0040154b 89 45 e4 MOV dword ptr [EBP + Stack[-0x20]],EAX
0040154e e8 45 2a CALL MSVCRT.DLL::malloc void * malloc(size_t _Size)
00 00
00401553 89 c2 MOV EDX,EAX
00401555 b9 00 00 MOV ECX,0x100000
10 00
0040155a b0 cc MOV AL,0xcc
0040155c 89 d7 MOV EDI,EDX
0040155e 89 55 e0 MOV dword ptr [EBP + Stack[-0x24]],EDX
00401561 f3 aa STOSB.REP ES:EDI
00401563 8b 45 e4 MOV EAX,dword ptr [EBP + Stack[-0x20]]
00401566 89 14 24 MOV dword ptr [ESP]=>Stack[-0x40],EDX
00401569 c7 44 24 MOV dword ptr [ESP + Stack[-0x38]],0x100000
08 00 00
10 00
00401571 c7 44 24 MOV dword ptr [ESP + Stack[-0x3c]],0x1
04 01 00
00 00
00401579 89 44 24 0c MOV dword ptr [ESP + Stack[-0x34]],EAX
0040157d e8 1e 2a CALL MSVCRT.DLL::fwrite size_t fwrite(void * _Str, size_
00 00
00401582 8b 45 e4 MOV EAX,dword ptr [EBP + Stack[-0x20]]
00401585 89 04 24 MOV dword ptr [ESP]=>Stack[-0x40],EAX
00401588 e8 23 2a CALL MSVCRT.DLL::fclose int fclose(FILE * _File)
00 00
0040158d 89 74 24 04 MOV dword ptr [ESP + Stack[-0x3c]],ESI
00401591 89 1c 24 MOV dword ptr [ESP]=>Stack[-0x40],EBX
00401594 e8 37 2a CALL MSVCRT.DLL::_wrename int _wrename(wchar_t * _OldFilen
00 00
00401599 89 34 24 MOV dword ptr [ESP]=>Stack[-0x40],ESI
0040159c e8 07 2a CALL MSVCRT.DLL::free void free(void * _Memory)
00 00
*/
$c1 = { e8 ?? ?? ?? ?? c7 04 ?? 00 00 10 00 89 4? ?? e8 ?? ?? ?? ?? 89 c2 b9 00 00 10 00 b0 cc 89 d7 89 5? ?? f3 aa 8b 4? ?? 89 14 ?? c7 44 ?? ?? 00 00 10 00 c7 44 ?? ?? 01 00 00 00 89 44 ?? ?? e8 ?? ?? ?? ?? 8b 4? ?? 89 04 ?? e8 ?? ?? ?? ?? 89 74 ?? ?? 89 1c ?? e8 ?? ?? ?? ?? 89 34 ?? e8 }
condition:
uint16(0) == 0x5a4d
and filesize > 20KB
and all of them
}
rule MAL_WhisperGate_Stage3_Packed
{
meta:
author = ""
date = ""
description = "Detect the packed version of WhisperGate stage 3 based on decoding routines and import names"
version = "1.0"
reference = "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
hash = "a31b7ea6a93b7ae9bd752033a1bc0b722483866d0c836f4d76c0b24fff3932af"
hash = "9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d"
MALWARE = "WhisperGate"
THREATACTOR = "DEV-0586"
MALWARE_ID = "lStsKc"
THREATACTOR_ID = "lStsKd"
strings:
$repeated_loop = {28 ?? ?? ?? 06 28 ?? ?? ?? 06 72 ?? ?? ?? 70 14 28 ?? ?? ?? 06 2A}
//call class ‘\u0002\u2008’ ‘\u0005\u2005\u2000’::’\u000e\u2005\u2000′()
//call class [mscorlib]System.IO.Stream ‘\u0005\u2005\u2000’::’\u000f\u2005\u2000′()
//ldstr “#6k@H!uq=A”
//ldnull
//call instance void ‘\u0002\u2008’::’\u0002′(class [mscorlib]System.IO.Stream, string, object[])
$dn_FromBase64String = { 20 ?? ?? ?? A6 28 ?? ?? ?? 06 13 05 11 05 28 ?? ?? ?? 0A 0D 09 28 ?? ?? ?? 06 09 73 ?? ?? ?? 06 13 06 02 8E 69 13 07 16 0B 1F 79 13 04 1E 8D ?? ?? ?? 01 }
// IL_0000: ldc.i4 -1506769664
// IL_0005: call string ‘\u000f\u2004\u2000’::’\u0002′(int32)
// IL_000A: stloc.s V_5
// IL_000C: ldloc.s V_5
// IL_000E: call uint8[] [mscorlib]System.Convert::FromBase64String(string)
// IL_0013: stloc.3
// IL_0014: ldloc.3
// IL_0015: call void ‘\u0003\u2005\u2000’::’\u0002′(uint8[])
// IL_001A: ldloc.3
// IL_001B: newobj instance void ‘\u000e\u2004\u2000’/’\u0005’::.ctor(uint8[])
// IL_0020: stloc.s V_6
// IL_0022: ldarg.0
// IL_0023: ldlen
// IL_0024: conv.i4
// IL_0025: stloc.s V_7
// IL_0027: ldc.i4.0
// IL_0028: stloc.1
// IL_0029: ldc.i4.s 121
// IL_002B: stloc.s V_4
// IL_002D: ldc.i4.8
// IL_002E: newarr [mscorlib]System.Byte
$dn_GetBytes = {14 0A FE 13 7E ?? ?? ?? 04 2D 1A 02 7B ?? ?? ?? 04 03 6F ?? ?? ?? 0A 0A DE 0B 26 17 FE 13 80 ?? ?? ?? 04 DE 00 06 2D 2A 02 02 7B ?? ?? ?? 04 02 7B ?? ?? ?? 04 02 7B ?? ?? ?? 04 73 ?? ?? ?? 06 7D ?? ?? ?? 04 02 7B ?? ?? ?? 04 03 6F ?? ?? ?? 0A 0A 06 2A}
// IL_0000: ldnull
// IL_0001: stloc.0
// IL_0002: volatile.
// IL_0004: ldsfld bool modreq([mscorlib]System.Runtime.CompilerServices.IsVolatile) ‘\u0002\u2001′::’\u0002’
// IL_0009: brtrue.s IL_0025
// IL_000B: ldarg.0
// IL_000C: ldfld class [mscorlib]System.Security.Cryptography.DeriveBytes ‘\u0002\u2001′::’\u0003’
// IL_0011: ldarg.1
// IL_0012: callvirt instance uint8[] [mscorlib]System.Security.Cryptography.DeriveBytes::GetBytes(int32)
// IL_0017: stloc.0
// IL_0018: leave.s IL_0025
// IL_001A: pop
// IL_001B: ldc.i4.1
// IL_001C: volatile.
// IL_001E: stsfld bool modreq([mscorlib]System.Runtime.CompilerServices.IsVolatile) ‘\u0002\u2001′::’\u0002’
// IL_0023: leave.s IL_0025
// IL_0025: ldloc.0
// IL_0026: brtrue.s IL_0052
// IL_0028: ldarg.0
// IL_0029: ldarg.0
// IL_002A: ldfld uint8[] ‘\u0002\u2001′::’\u0005’
// IL_002F: ldarg.0
// IL_0030: ldfld uint8[] ‘\u0002\u2001′::’\b’
// IL_0035: ldarg.0
// IL_0036: ldfld int32 ‘\u0002\u2001′::’\u0006’
// IL_003B: newobj instance void ‘\u0003\u2000’::.ctor(uint8[], uint8[], int32)
// IL_0040: stfld class [mscorlib]System.Security.Cryptography.DeriveBytes ‘\u0002\u2001′::’\u0003’
// IL_0045: ldarg.0
// IL_0046: ldfld class [mscorlib]System.Security.Cryptography.DeriveBytes ‘\u0002\u2001′::’\u0003’
// IL_004B: ldarg.1
// IL_004C: callvirt instance uint8[] [mscorlib]System.Security.Cryptography.DeriveBytes::GetBytes(int32)
// IL_0051: stloc.0
// IL_0052: ldloc.0
// IL_0053: ret
$s_resource = "3System.Resources.Tools.StronglyTypedResourceBuilder" ascii
$s_import1 = "psapi.dll" ascii wide
$s_import2 = "ncrypt.dll" ascii wide
condition:
uint16(0) == 0x5A4D and
filesize < 5MB and
all of them and
#repeated_loop >= 6 and
pe.timestamp == 1641825571 and
pe.version_info["OriginalFilename"] == "Frkmlkdkdubkznbkmcf.dll"
}
rule MAL_WhisperGate_Stage2_Loader
{
meta:
author = ""
date = ""
description = "Detect the WhisperGate stage 2 downloader based on download strings, embedded powershell commands, and code used to loop through the file system"
version = "1.0"
reference = "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
hash = "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78"
hash = "1d776e7fb062e153d3a62e1ebe1f2eec30ea13fa4b1b8749935f1856be4182d9"
MALWARE = "WhisperGate"
THREATACTOR = "DEV-0586"
MALWARE_ID = "lStsKc"
THREATACTOR_ID = "lStsKd"
strings:
$s1 = "DxownxloxadDxatxxax" wide
$s2 = "https://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg" wide
$s3 = "powershell" wide
$s4 = "-enc UwB0AGEAcgB0AC" wide
$s5 = "0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==" wide
$s6 = "m_72682b0ae32c46c6ac429fca42a9cafd" ascii
$s7 = "ConcatItem" ascii
$s8 = "k4b57157f019944a3b5052820eba3a594" ascii
$s9 = "ResetItem" ascii
$s10 = "FlushItem" ascii
$s11 = "<Module>{89a366a7-2270-4665-8440-cb5a27ea74fd}" ascii
$call_delete_item = {45 0? 00 00 00 ?? 00 00 00 38 ?? 00 00 00 7E ?? 00 00 04 15 39 0? 00 00 00 38 0? 00 00 00 26 38 00 00 00 00 11 00 38 21 00 00 00 13 00 20 ?? ?? ?? 00 7E ?? ?? ?? 04 39 ?? ?? ?? FF 26 20 ?? ?? ?? 00 38 ?? ?? ?? FF 38 ?? ?? ?? FF 2A }
// IL_0000: br IL_0017
// IL_0005: ldloc V_1
// IL_0009: switch (IL_0050)
// IL_0012: br IL_0050
// IL_0017: ldsfld class WindowsFormsApp12.Properties.Settings WindowsFormsApp12.Properties.Settings::’\u0002′
// IL_001C: ldc.i4.m1
// IL_001D: brfalse IL_0027
// IL_0022: br IL_0034
// IL_0027: pop
// IL_0028: br IL_002D
// IL_002D: ldloc.s V_0
// IL_002F: br IL_0055
// IL_0034: stloc.s V_0
// IL_0036: ldc.i4 0
// IL_003B: ldsfld int32 ‘<Module>{89a366a7-2270-4665-8440-cb5a27ea74fd}’::m_8cca8faf24b940e59b2f8f934cadddc3
// IL_0040: brfalse IL_0009
// IL_0045: pop
// IL_0046: ldc.i4 0
// IL_004B: br IL_0009
// IL_0050: br IL_002D
$flush_item = {38 ?? ?? ?? 00 20 ?? ?? ?? 59 20 ?? ?? ?? 00 62 20 ?? ?? ?? C1 61 80 ?? ?? ?? 04 20 ?? ?? ?? 00 38 ?? ?? ?? FF 20 ?? ?? ?? E2 20 ?? ?? ?? 83 61 20 ?? ?? ?? 61 61 80 ?? ?? ?? 04 20 ?? ?? ?? 00 38 ?? ?? ?? FF 20 ?? ?? ?? 8B 20 ?? ?? ?? 8C 61 20 ?? ?? ?? 07 61 80 ?? ?? ?? 04 20 ?? ?? ?? 00 28 ?? ?? ?? 06 39 ?? ?? ?? FF}
// IL_0142: br IL_0BA5
// IL_0147: ldc.i4 1497743769
// IL_014C: ldc.i4 3
// IL_0151: shl
// IL_0152: ldc.i4 -1056498587
// IL_0157: xor
// IL_0158: stsfld int32 ‘<Module>{89a366a7-2270-4665-8440-cb5a27ea74fd}’::m_8ac6c3d8f1e740a9aa7b54c9b9a43bb0
// IL_015D: ldc.i4 21
// IL_0162: br IL_0009
// IL_0167: ldc.i4 -500256376
// IL_016C: ldc.i4 -2084986125
// IL_0171: xor
// IL_0172: ldc.i4 1637290875
// IL_0177: xor
// IL_0178: stsfld int32 ‘<Module>{89a366a7-2270-4665-8440-cb5a27ea74fd}’::m_ab46a928aaf648329f27607fea3fe251
// IL_017D: ldc.i4 42
// IL_0182: br IL_0009
// IL_0187: ldc.i4 -1955513666
// IL_018C: ldc.i4 -1944548225
// IL_0191: xor
// IL_0192: ldc.i4 124368577
// IL_0197: xor
// IL_0198: stsfld int32 ‘<Module>{89a366a7-2270-4665-8440-cb5a27ea74fd}’::m_b6818e5c954e47d2a048cf4934e48b6e
// IL_019D: ldc.i4 0
// IL_01A2: call class ‘<Module>{89a366a7-2270-4665-8440-cb5a27ea74fd}’ ‘<Module>{89a366a7-2270-4665-8440-cb5a27ea74fd}’::FlushItem()
// IL_01A7: brfalse IL_0009
$reflect_item = {00 FE 09 00 00 FE 09 01 00 28 19 00 00 0A 2A }
//IL_0000: nop
//IL_0001: ldarg 0
//IL_0005: ldarg 1
//IL_0009: call bool [mscorlib]System.String::op_Equality(string, string)
//IL_000E: ret
condition:
uint16(0) == 0x5a4d and
filesize < 300KB and
10 of them
}
rule MAL_WhisperGate_Stage1_Wiper
{
meta:
author = ""
date = ""
description = "Detect the WhisperGate stage 1 wiper based on the fake ransom note, and code used to overwrite the MBR"
version = "1.0"
reference = "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
hash = "b50fb20396458aec55216cc9f5212162b3459bc769a38e050d4d8c22649888ae"
hash = "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92"
MALWARE = "WhisperGate"
THREATACTOR = "DEV-0586"
MALWARE_ID = "lStsKc"
THREATACTOR_ID = "lStsKd"
strings:
$target_mbr = "\\\\.\\PhysicalDrive0" wide
$gcc1 = "GCC: (GNU) 6.3.0" ascii
$gcc2 = "GCC: (MinGW.org GCC-6.3.0-1) 6.3.0" ascii
$tox_addr = "8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65" ascii
$bitcoin_addr = "1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv" ascii
$cpuid_basic_info = { f7 c2 00 00 00 01 74 ?? 83 c8 08 55 89 e5 81 ec 00 02 00 00 83 e4 f0 0f ae 04 ?4 8b 9c ?4 c8 00 00 00 81 b4 ?? ?? ?? ?? ?? de c0 13 00 0f ae 0c ?4 89 9c ?? ?? ?? ?? ?? 0f ae 04 ?4 87 9c ?4 c8 00 00 00 0f ae 0c ?4 33 9c ?4 c8 00 00 00 c9 81 fb de c0 13 00 }
//TEST EDX,0x1000000
//JZ LAB_004018cc
//OR EAX,0x8
//PUSH EBP
//MOV EBP,ESP
//SUB ESP,0x200
//AND ESP,0xfffffff0
//FXSAVE [ESP]=>local_210
//MOV EBX,dword ptr [ESP + local_148]
//XOR dword ptr [ESP + local_148],0x13c0de
//FXRSTOR [ESP]=>local_210
//MOV dword ptr [ESP + local_148],EBX
//FXSAVE [ESP]=>local_210
//XCHG dword ptr [ESP + local_148],EBX
//FXRSTOR [ESP]=>local_210
//XOR EBX,dword ptr [ESP + local_148]
//LEAVE
//CMP EBX,0x13c0de
$overwrite_disk = { ff 71 fc 55 89 e5 57 56 51 e8 ?? ?? ?? ?? be 20 40 40 00 29 c4 8d b? ?? ?? ?? ?? e8 ?? ?? ?? ?? b9 00 08 00 00 f3 a5 c7 44 ?4 18 00 00 00 00 c7 44 ?4 14 00 00 00 00 c7 44 ?4 10 03 00 00 00 c7 44 ?4 0c 00 00 00 00 c7 44 ?4 08 03 00 00 00 c7 44 ?4 04 00 00 00 10 c7 04 ?4 64 70 40 00 e8 71 ff ff ff 89 c6 8d 8? ?? ?? ?? ?? 83 ec 1c 89 34 ?4 c7 44 ?4 10 00 00 00 00 c7 44 ?4 0c 00 00 00 00 c7 44 ?4 08 00 02 00 00 89 44 ?4 04 e8 ?? ?? ?? ?? 83 ec 14 89 34 }
// PUSH dword ptr [ECX + local_res0]
// PUSH EBP
// MOV EBP,ESP
// PUSH EDI
// PUSH ESI
// PUSH ECX
// CALL FUN_00401fe0 uint FUN_00401fe0(undefined1 par
// MOV ESI,DAT_00404020 = C88C00EBh
// SUB ESP,EAX
// LEA EDI=>local_2020,[EBP + 0xffffdfe8]
// CALL FUN_00401990 undefined FUN_00401990(void)
// MOV ECX,0x800
// MOVSD.REP ES:EDI,ESI=>DAT_00404020 = C88C00EBh
// MOV dword ptr [ESP + 0x14],0x0
// MOV dword ptr [ESP + 0x10],0x3
// MOV dword ptr [ESP + 0xc],0x0
// MOV dword ptr [ESP + 0x8],0x3
// MOV dword ptr [ESP + 0x4],0x10000000
// MOV dword ptr [ESP],u_\\.\PhysicalDrive0_00407064 = u”\\\\.\\PhysicalDrive0″
// CALL CreateFileW HANDLE CreateFileW(LPCWSTR lpFil
// MOV ESI,EAX
// LEA EAX=>local_2020,[EBP + 0xffffdfe8]
// SUB ESP,0x1c
// MOV dword ptr [ESP],ESI
// MOV dword ptr [ESP + 0x10],0x0
// MOV dword ptr [ESP + 0xc],0x0
// MOV dword ptr [ESP + 0x8],0x200
// MOV dword ptr [ESP + 0x4],EAX
// CALL WriteFile BOOL WriteFile(HANDLE hFile, LPC
// SUB ESP,0x14
// MOV dword ptr [ESP],ESI
// CALL CloseHandle BOOL CloseHandle(HANDLE hObject)
condition:
uint16(0) == 0x5a4d and
filesize < 300KB and
all of them
}
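The $c1 pattern in MAL_WhisperGate_Stage3_File_Corruptor matches code that malloc()s 1 MiB (0x100000), fills it with 0xCC, fwrite()s it over the start of the opened file, closes it and calls _wrename(); the "%.*s.%x" format in $s2 is consistent with the rename appending a hex suffix to the name. The YARA rule finds the corruptor binary; after an incident the complementary question is which files it already touched. The following is an added example, not RSM Defense's or the rule author's code, that turns the disassembly into a triage check for a restored or imaged file tree: it flags files whose first min(size, 1 MiB) bytes are all 0xCC and separately records whether the name carries a trailing hex suffix. The 1 MiB and 0xCC constants come from the disassembly above; treating the suffix as a secondary signal is an assumption, and the demo tree is constructed.

```python
"""Triage check for WhisperGate stage-3 file corruption on a restored or imaged tree.

Added example, not RSM Defense's or the rule author's code. The fill byte and length
come from the $c1 disassembly above (malloc(0x100000), memset 0xcc, fwrite, _wrename);
reading the trailing hex suffix as a rename artifact of "%.*s.%x" is an assumption.
"""
import os
import re
import tempfile
from pathlib import Path

FILL_BYTE = 0xCC
FILL_LEN = 0x100000  # 1 MiB: the malloc/fwrite size in the $c1 code pattern
# "%x" appended after a dot. Assumption; ordinary extensions made of hex letters
# (".cab", ".dbf") also match, which is why this is only a secondary signal.
HEX_SUFFIX = re.compile(r"\.[0-9a-fA-F]{1,8}$")


def is_overwritten(path, chunk=1 << 16):
    """True when the first min(size, 1 MiB) bytes are all FILL_BYTE.
    Empty files are not flagged; a 0xCC run that stops early is not flagged either."""
    remaining = min(os.path.getsize(path), FILL_LEN)
    if remaining == 0:
        return False
    filler = bytes([FILL_BYTE]) * chunk
    with open(path, "rb") as fh:
        while remaining > 0:
            block = fh.read(min(chunk, remaining))
            if not block or block != filler[:len(block)]:
                return False
            remaining -= len(block)
    return True


def triage(root):
    """Walk `root`; return sorted [(relative_path, has_hex_suffix)] for overwritten files."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            try:
                hit = is_overwritten(path)
            except OSError:  # unreadable entry: skip rather than abort the sweep
                continue
            if hit:
                found.append((path.relative_to(root).as_posix(), bool(HEX_SUFFIX.search(name))))
    return sorted(found)


def demo():
    """Constructed tree: an intact file, a 0xCC run that stops early, and three
    overwritten files (one larger than 1 MiB whose tail survives, as fwrite leaves it)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 4096)
        Path(tmp, "almost.bin").write_bytes(bytes([FILL_BYTE]) * 1000 + b"\x00")
        Path(tmp, "photo.jpg").write_bytes(bytes([FILL_BYTE]) * 2048)
        Path(tmp, "small.txt.7b").write_bytes(bytes([FILL_BYTE]) * 300)
        big = Path(tmp, "docs", "report.docx.a3f9")
        big.parent.mkdir()
        big.write_bytes(bytes([FILL_BYTE]) * FILL_LEN + b"original tail survives\n")
        return triage(tmp)


if __name__ == "__main__":
    import sys
    for rel, suffixed in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"OVERWRITTEN {rel}" + ("  (hex suffix)" if suffixed else ""))
```

Because only the first 1 MiB is overwritten, anything beyond that offset in a large file is still intact; the triage output therefore doubles as a list of files where partial data recovery from the tail is worth attempting, with the intact-header check (`budget.xlsx` in the demo) showing that untouched files are left alone.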
Sources:
- RSM Internal sources
- https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html
- https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html
- https://www.cisa.gov/shields-up
- https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-013a
- https://www.cisa.gov/uscert/ncas/alerts/aa22-011a
- https://www.cybersecurity-insiders.com/hacking-group-anonymous-declares-cyber-war-on-russia/
- https://twitter.com/y_advintel/status/1497293187798507525?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1497293187798507525%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.zdnet.com%2Farticle%2Fanonymous-hacktivists-ransomware-groups-get-involved-in-ukraine-russia-conflict%2F
- https://github.com/NorthwaveSecurity/complete_translation_leaked_chats_conti_ransomware
Who are we?
RSM Defense and our Unit26 security team bring decades of global cyber defense operations experience to your doorstep. We entered this arena with an innovative cloud-native security solution that aims to stop cyber threats in whatever realm or vertical your business operates, including multi-cloud, third-party hosted, or remote deployments. If you have an existing security stack that is growing, RSM Defense and Unit26 can help manage, triage and respond to your cyber threats within that environment.
If your organization is looking for help with responding to the growing number of cyber threats, let's get in touch and talk through how we can introduce you to the RSM Defense approach to obtaining a more secure cyber presence.