War Room

Russia Ukraine Conflict Observables

March 9, 2022 By Joel Belton

With the rise of cyberwarfare surrounding Ukraine and Russia, there is potential for blowback from the sanctions the United States has placed on Russia. Some of the attacks observed against Ukraine involve data-wiping malware such as HermeticWiper, WhisperGate, and IsaacWiper. Ransomware groups have also been seen supporting one government or the other. The Conti Team, a ransomware group, has stated that it would respond with hostile intent to any action by the West against "Russian speaking" countries. Shortly after the urgent call to cyber arms from within and around Ukraine, Anonymous declared "war" against Russia, and many other groups have declared allegiance to one side or the other. RSM Defense has also linked below the complete leaked Conti Team message traffic. With the hacking community fighting wars in the cyber domain, there is cause for concern for United States businesses and the integrity of their cybersecurity.

While there is no single action that prepares an organization for possible cyberattacks from Russia, the Cybersecurity & Infrastructure Security Agency (CISA) has compiled recommendations for strengthening an organization's cybersecurity posture. The recommendations CISA has provided are broad, because the tactics Russian actors have been observed using in the past are so varied. In general, CISA's "Shields Up" guidance advises: using multifactor authentication (MFA); keeping software up to date and prioritizing updates for known exploited vulnerabilities; disabling ports and protocols not needed for business purposes; ensuring that cybersecurity and IT staff are trained to identify unexpected or unusual behavior; using updated antivirus with current malware signatures; designating a crisis response team for potential incidents and ensuring key personnel are available to respond; testing backup procedures to guarantee that critical data can be restored; and keeping backups separated from the rest of the network. If your organization uses industrial control systems, test that manual controls can keep critical functions operable. The guidance in CISA Alert AR21-013A, released 13 January 2021, used in tandem with the "Shields Up" guidance, is a great start in preparing for what may come. RSM Defense highly recommends conducting a third-party vendor assessment of your organization's critical supply chains to determine what exposure your organization may have in the region.

RSM Defense is aware of reporting on ongoing HermeticWiper (Foxblade) attacks in Ukraine, as well as the recent defacement of Ukrainian government websites and recent phishing campaigns. The main concern for United States businesses is that Russian threat actors, as well as proxy actors, could use the same or similar malware against the United States that was used against Ukraine. Components observed alongside the wiper include HermeticWizard and HermeticRansom. HermeticWizard allows HermeticWiper to be propagated to and deployed on additional systems within affected environments: it performs network scanning to inventory the environment and then propagates HermeticWiper to additional systems via SMB or WMI. HermeticRansom is a ransomware family that has been observed being deployed at the same time as HermeticWiper, possibly as a diversionary tactic. IsaacWiper is an additional wiper responsible for the destruction of systems and data.

The HermeticWiper, HermeticWizard, HermeticRansom and IsaacWiper IOCs are listed below, followed by the YARA ruleset for WhisperGate.

Observables

Wiper EXEs


Sysinternals SDelete


EaseUS Partition Master drivers


SHA1:

Hermetic wiper
com.exe            912342F1C840A42F6B74132F8A7C4FFE7D40FB77
conhosts.exe       61B25D11392172E587D8DA3045812A66C3385451

HermeticWizard
c9EEAF78C9A12.dat  3C54C9A49A8DDCA02189FE15FEA52FE24F41A86F

HermeticRansom
cc2.exe            F32D791EC9E6385A91B45942C230F52AFF1626DF

IsaacWiper
cl64.dll           AD602039C6F0237D4A997D5640E92CE5E2B3BBA3
cld.dll            736A4CFAD1ED83A6A0B75B0474D5E01A3A36F950
clean.exe          E9B96E9B86FAD28D950CA428879168E0894D854F

Legitimate RemCom remote access tool
XqoYMlBX.exe       23873BF2670CF64C2440058130548D4E4DA412DD


WhisperGate Yara Rules

rule MAL_WhisperGate_Stage3_File_Corruptor
{
    meta:
        author = ""
        date = ""
        description = "Detects the file corruptor component of WhisperGate's stage 3 payload"
        version = "1.0"
        reference = "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3"
        hash = "34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907"
        MALWARE = "WhisperGate"
        THREATACTOR = "DEV-0586"
        MALWARE_ID = "lStsKc"
        THREATACTOR_ID = "lStsKd"

    strings:
        $s1 = "cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q \"%s\"" fullword ascii
        $s2 = "%.*s.%x" fullword wide
        $s3 = "HOMEDRIVE" fullword wide
        $s4 = "A:\\Windows" fullword wide
        $s5 = "A:\\*" fullword wide

        /*
         Overwrite first 1MiB of file with 0xcc
        0040153f e8 9c 2a        CALL       MSVCRT.DLL::_wfopen                              FILE * _wfopen(wchar_t * _Filena
                 00 00
        00401544 c7 04 24        MOV        dword ptr [ESP]=>Stack[-0x40],0x100000
                 00 00 10 00
        0040154b 89 45 e4        MOV        dword ptr [EBP + Stack[-0x20]],EAX
        0040154e e8 45 2a        CALL       MSVCRT.DLL::malloc                               void * malloc(size_t _Size)
                 00 00
        00401553 89 c2           MOV        EDX,EAX
        00401555 b9 00 00        MOV        ECX,0x100000
                 10 00
        0040155a b0 cc           MOV        AL,0xcc
        0040155c 89 d7           MOV        EDI,EDX
        0040155e 89 55 e0        MOV        dword ptr [EBP + Stack[-0x24]],EDX
        00401561 f3 aa           STOSB.REP  ES:EDI
        00401563 8b 45 e4        MOV        EAX,dword ptr [EBP + Stack[-0x20]]
        00401566 89 14 24        MOV        dword ptr [ESP]=>Stack[-0x40],EDX
        00401569 c7 44 24        MOV        dword ptr [ESP + Stack[-0x38]],0x100000
                 08 00 00
                 10 00
        00401571 c7 44 24        MOV        dword ptr [ESP + Stack[-0x3c]],0x1
                 04 01 00
                 00 00
        00401579 89 44 24 0c     MOV        dword ptr [ESP + Stack[-0x34]],EAX
        0040157d e8 1e 2a        CALL       MSVCRT.DLL::fwrite                               size_t fwrite(void * _Str, size_
                 00 00
        00401582 8b 45 e4        MOV        EAX,dword ptr [EBP + Stack[-0x20]]
        00401585 89 04 24        MOV        dword ptr [ESP]=>Stack[-0x40],EAX
        00401588 e8 23 2a        CALL       MSVCRT.DLL::fclose                               int fclose(FILE * _File)
                 00 00
        0040158d 89 74 24 04     MOV        dword ptr [ESP + Stack[-0x3c]],ESI
        00401591 89 1c 24        MOV        dword ptr [ESP]=>Stack[-0x40],EBX
        00401594 e8 37 2a        CALL       MSVCRT.DLL::_wrename                             int _wrename(wchar_t * _OldFilen
                 00 00
        00401599 89 34 24        MOV        dword ptr [ESP]=>Stack[-0x40],ESI
        0040159c e8 07 2a        CALL       MSVCRT.DLL::free                                 void free(void * _Memory)
                 00 00
        */
        $c1 = { e8 ?? ?? ?? ?? c7 04 ?? 00 00 10 00 89 4? ?? e8 ?? ?? ?? ?? 89 c2 b9 00 00 10 00 b0 cc 89 d7 89 5? ?? f3 aa 8b 4? ?? 89 14 ?? c7 44 ?? ?? 00 00 10 00 c7 44 ?? ?? 01 00 00 00 89 44 ?? ?? e8 ?? ?? ?? ?? 8b 4? ?? 89 04 ?? e8 ?? ?? ?? ?? 89 74 ?? ?? 89 1c ?? e8 ?? ?? ?? ?? 89 34 ?? e8 }

    condition:
        uint16(0) == 0x5a4d
        and filesize > 20KB
        and all of them
}


// The condition below uses pe.timestamp and pe.version_info, so the "pe" module must be imported.
import "pe"

rule MAL_WhisperGate_Stage3_Packed
{
    meta:
        author = ""
        date = ""
        description = "Detect the packed version of WhisperGate stage 3 based on decoding routines and import names"
        version = "1.0"
        reference = "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
        hash = "a31b7ea6a93b7ae9bd752033a1bc0b722483866d0c836f4d76c0b24fff3932af"
        hash = "9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d"
        MALWARE = "WhisperGate"
        THREATACTOR = "DEV-0586"
        MALWARE_ID = "lStsKc"
        THREATACTOR_ID = "lStsKd"

    strings:
        $repeated_loop = {28 ?? ?? ?? 06 28 ?? ?? ?? 06 72 ?? ?? ?? 70 14 28 ?? ?? ?? 06 2A}
            //call      class '\u0002\u2008' '\u0005\u2005\u2000'::'\u000e\u2005\u2000'()
            //call      class [mscorlib]System.IO.Stream '\u0005\u2005\u2000'::'\u000f\u2005\u2000'()
            //ldstr     "#6k@H!uq=A"
            //ldnull
            //call      instance void '\u0002\u2008'::'\u0002'(class [mscorlib]System.IO.Stream, string, object[])

        $dn_FromBase64String = { 20 ?? ?? ?? A6 28 ?? ?? ?? 06 13 05 11 05 28 ?? ?? ?? 0A 0D 09 28 ?? ?? ?? 06 09 73 ?? ?? ?? 06 13 06 02 8E 69 13 07 16 0B 1F 79 13 04 1E 8D ?? ?? ?? 01 }
            // IL_0000: ldc.i4    -1506769664
            // IL_0005: call      string '\u000f\u2004\u2000'::'\u0002'(int32)
            // IL_000A: stloc.s   V_5
            // IL_000C: ldloc.s   V_5
            // IL_000E: call      uint8[] [mscorlib]System.Convert::FromBase64String(string)
            // IL_0013: stloc.3
            // IL_0014: ldloc.3
            // IL_0015: call      void '\u0003\u2005\u2000'::'\u0002'(uint8[])
            // IL_001A: ldloc.3
            // IL_001B: newobj    instance void '\u000e\u2004\u2000'/'\u0005'::.ctor(uint8[])
            // IL_0020: stloc.s   V_6
            // IL_0022: ldarg.0
            // IL_0023: ldlen
            // IL_0024: conv.i4
            // IL_0025: stloc.s   V_7
            // IL_0027: ldc.i4.0
            // IL_0028: stloc.1
            // IL_0029: ldc.i4.s  121
            // IL_002B: stloc.s   V_4
            // IL_002D: ldc.i4.8
            // IL_002E: newarr    [mscorlib]System.Byte

        $dn_GetBytes = {14 0A FE 13 7E ?? ?? ?? 04 2D 1A 02 7B ?? ?? ?? 04 03 6F ?? ?? ?? 0A 0A DE 0B 26 17 FE 13 80 ?? ?? ?? 04 DE 00 06 2D 2A 02 02 7B ?? ?? ?? 04 02 7B ?? ?? ?? 04 02 7B ?? ?? ?? 04 73 ?? ?? ?? 06 7D ?? ?? ?? 04 02 7B ?? ?? ?? 04 03 6F ?? ?? ?? 0A 0A 06 2A}
            // IL_0000: ldnull
            // IL_0001: stloc.0
            // IL_0002: volatile.
            // IL_0004: ldsfld    bool modreq([mscorlib]System.Runtime.CompilerServices.IsVolatile)  '\u0002\u2001'::'\u0002'
            // IL_0009: brtrue.s  IL_0025
            // IL_000B: ldarg.0
            // IL_000C: ldfld     class [mscorlib]System.Security.Cryptography.DeriveBytes '\u0002\u2001'::'\u0003'
            // IL_0011: ldarg.1
            // IL_0012: callvirt  instance uint8[] [mscorlib]System.Security.Cryptography.DeriveBytes::GetBytes(int32)
            // IL_0017: stloc.0
            // IL_0018: leave.s   IL_0025
            // IL_001A: pop
            // IL_001B: ldc.i4.1
            // IL_001C: volatile.
            // IL_001E: stsfld    bool modreq([mscorlib]System.Runtime.CompilerServices.IsVolatile)  '\u0002\u2001'::'\u0002'
            // IL_0023: leave.s   IL_0025
            // IL_0025: ldloc.0
            // IL_0026: brtrue.s  IL_0052
            // IL_0028: ldarg.0
            // IL_0029: ldarg.0
            // IL_002A: ldfld     uint8[] '\u0002\u2001'::'\u0005'
            // IL_002F: ldarg.0
            // IL_0030: ldfld     uint8[] '\u0002\u2001'::'\b'
            // IL_0035: ldarg.0
            // IL_0036: ldfld     int32 '\u0002\u2001'::'\u0006'
            // IL_003B: newobj    instance void '\u0003\u2000'::.ctor(uint8[], uint8[], int32)
            // IL_0040: stfld     class [mscorlib]System.Security.Cryptography.DeriveBytes '\u0002\u2001'::'\u0003'
            // IL_0045: ldarg.0
            // IL_0046: ldfld     class [mscorlib]System.Security.Cryptography.DeriveBytes '\u0002\u2001'::'\u0003'
            // IL_004B: ldarg.1
            // IL_004C: callvirt  instance uint8[] [mscorlib]System.Security.Cryptography.DeriveBytes::GetBytes(int32)
            // IL_0051: stloc.0
            // IL_0052: ldloc.0
            // IL_0053: ret

        $s_resource = "3System.Resources.Tools.StronglyTypedResourceBuilder" ascii
        $s_import1 = "psapi.dll" ascii wide
        $s_import2 = "ncrypt.dll" ascii wide

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        all of them and
        #repeated_loop >= 6 and
        pe.timestamp == 1641825571 and
        pe.version_info["OriginalFilename"] == "Frkmlkdkdubkznbkmcf.dll"
}


rule MAL_WhisperGate_Stage2_Loader
{
    meta:
        author = ""
        date = ""
        description = "Detect the WhisperGate stage 2 downloader based on download strings, embedded powershell commands, and code used to loop through the file system"
        version = "1.0"
        reference = "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
        hash = "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78"
        hash = "1d776e7fb062e153d3a62e1ebe1f2eec30ea13fa4b1b8749935f1856be4182d9"
        MALWARE = "WhisperGate"
        THREATACTOR = "DEV-0586"
        MALWARE_ID = "lStsKc"
        THREATACTOR_ID = "lStsKd"

    strings:
        $s1 = "DxownxloxadDxatxxax" wide
        $s2 = "https://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg" wide
        $s3 = "powershell" wide
        $s4 = "-enc UwB0AGEAcgB0AC" wide
        $s5 = "0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==" wide
        $s6 = "m_72682b0ae32c46c6ac429fca42a9cafd" ascii
        $s7 = "ConcatItem" ascii
        $s8 = "k4b57157f019944a3b5052820eba3a594" ascii
        $s9 = "ResetItem" ascii
        $s10 = "FlushItem" ascii
        $s11 = "<Module>{89a366a7-2270-4665-8440-cb5a27ea74fd}" ascii

        $call_delete_item = {45 0? 00 00 00 ?? 00 00 00 38 ?? 00 00 00 7E ?? 00 00 04 15 39 0? 00 00 00 38 0? 00 00 00 26 38 00 00 00 00 11 00 38 21 00 00 00 13 00 20 ?? ?? ?? 00 7E ?? ?? ?? 04 39 ?? ?? ?? FF 26 20 ?? ?? ?? 00 38 ?? ?? ?? FF 38 ?? ?? ?? FF 2A }
            // IL_0000: br                  IL_0017
            // IL_0005: ldloc         V_1
            // IL_0009: switch        (IL_0050)
            // IL_0012: br                  IL_0050
            // IL_0017: ldsfld        class WindowsFormsApp12.Properties.Settings WindowsFormsApp12.Properties.Settings::'\u0002'
            // IL_001C: ldc.i4.m1
            // IL_001D: brfalse   IL_0027
            // IL_0022: br                  IL_0034
            // IL_0027: pop
            // IL_0028: br                  IL_002D
            // IL_002D: ldloc.s   V_0
            // IL_002F: br                  IL_0055
            // IL_0034: stloc.s   V_0
            // IL_0036: ldc.i4        0
            // IL_003B: ldsfld        int32 '<Module>{89a366a7-2270-4665-8440-cb5a27ea74fd}'::m_8cca8faf24b940e59b2f8f934cadddc3
            // IL_0040: brfalse   IL_0009
            // IL_0045: pop
            // IL_0046: ldc.i4        0
            // IL_004B: br                  IL_0009
            // IL_0050: br                  IL_002D

        $flush_item = {38 ?? ?? ?? 00 20 ?? ?? ?? 59 20 ?? ?? ?? 00 62 20 ?? ?? ?? C1 61 80 ?? ?? ?? 04 20 ?? ?? ?? 00 38 ?? ?? ?? FF 20 ?? ?? ?? E2 20 ?? ?? ?? 83 61 20 ?? ?? ?? 61 61 80 ?? ?? ?? 04 20 ?? ?? ?? 00 38 ?? ?? ?? FF 20 ?? ?? ?? 8B 20 ?? ?? ?? 8C 61 20 ?? ?? ?? 07 61 80 ?? ?? ?? 04 20 ?? ?? ?? 00 28 ?? ?? ?? 06 39 ?? ?? ?? FF}
            // IL_0142: br                  IL_0BA5
            // IL_0147: ldc.i4        1497743769
            // IL_014C: ldc.i4        3
            // IL_0151: shl
            // IL_0152: ldc.i4        -1056498587
            // IL_0157: xor
            // IL_0158: stsfld        int32 '<Module>{89a366a7-2270-4665-8440-cb5a27ea74fd}'::m_8ac6c3d8f1e740a9aa7b54c9b9a43bb0
            // IL_015D: ldc.i4        21
            // IL_0162: br                  IL_0009
            // IL_0167: ldc.i4        -500256376
            // IL_016C: ldc.i4        -2084986125
            // IL_0171: xor
            // IL_0172: ldc.i4        1637290875
            // IL_0177: xor
            // IL_0178: stsfld        int32 '<Module>{89a366a7-2270-4665-8440-cb5a27ea74fd}'::m_ab46a928aaf648329f27607fea3fe251
            // IL_017D: ldc.i4        42
            // IL_0182: br                  IL_0009
            // IL_0187: ldc.i4        -1955513666
            // IL_018C: ldc.i4        -1944548225
            // IL_0191: xor
            // IL_0192: ldc.i4        124368577
            // IL_0197: xor
            // IL_0198: stsfld        int32 '<Module>{89a366a7-2270-4665-8440-cb5a27ea74fd}'::m_b6818e5c954e47d2a048cf4934e48b6e
            // IL_019D: ldc.i4        0
            // IL_01A2: call            class '<Module>{89a366a7-2270-4665-8440-cb5a27ea74fd}' '<Module>{89a366a7-2270-4665-8440-cb5a27ea74fd}'::FlushItem()
            // IL_01A7: brfalse   IL_0009

        $reflect_item = {00 FE 09 00 00 FE 09 01 00 28 19 00 00 0A 2A}
            //IL_0000: nop
            //IL_0001: ldarg         0
            //IL_0005: ldarg         1
            //IL_0009: call            bool [mscorlib]System.String::op_Equality(string, string)
            //IL_000E: ret

    condition:
        uint16(0) == 0x5a4d and
        filesize < 300KB and
        10 of them
}


rule MAL_WhisperGate_Stage1_Wiper
{
    meta:
        author = ""
        date = ""
        description = "Detect the WhisperGate stage 1 wiper based on the fake ransom note, and code used to overwrite the MBR"
        version = "1.0"
        reference = "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
        hash = "b50fb20396458aec55216cc9f5212162b3459bc769a38e050d4d8c22649888ae"
        hash = "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92"
        MALWARE = "WhisperGate"
        THREATACTOR = "DEV-0586"
        MALWARE_ID = "lStsKc"
        THREATACTOR_ID = "lStsKd"

    strings:
        $target_mbr = "\\\\.\\PhysicalDrive0" wide
        $gcc1 = "GCC: (GNU) 6.3.0" ascii
        $gcc2 = "GCC: (MinGW.org GCC-6.3.0-1) 6.3.0" ascii
        $tox_addr = "8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65" ascii
        $bitcoin_addr = "1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv" ascii

        $cpuid_basic_info = { f7 c2 00 00 00 01 74 ?? 83 c8 08 55 89 e5 81 ec 00 02 00 00 83 e4 f0 0f ae 04 ?4 8b 9c ?4 c8 00 00 00 81 b4 ?? ?? ?? ?? ?? de c0 13 00 0f ae 0c ?4 89 9c ?? ?? ?? ?? ?? 0f ae 04 ?4 87 9c ?4 c8 00 00 00 0f ae 0c ?4 33 9c ?4 c8 00 00 00 c9 81 fb de c0 13 00 }
            //TEST             EDX,0x1000000
            //JZ                   LAB_004018cc
            //OR                   EAX,0x8
            //PUSH             EBP
            //MOV              EBP,ESP
            //SUB            ESP,0x200
            //AND            ESP,0xfffffff0
            //FXSAVE       [ESP]=>local_210
            //MOV            EBX,dword ptr [ESP + local_148]
            //XOR            dword ptr [ESP + local_148],0x13c0de
            //FXRSTOR      [ESP]=>local_210
            //MOV            dword ptr [ESP + local_148],EBX
            //FXSAVE       [ESP]=>local_210
            //XCHG         dword ptr [ESP + local_148],EBX
            //FXRSTOR      [ESP]=>local_210
            //XOR            EBX,dword ptr [ESP + local_148]
            //LEAVE
            //CMP            EBX,0x13c0de

        $overwrite_disk = { ff 71 fc 55 89 e5 57 56 51 e8 ?? ?? ?? ?? be 20 40 40 00 29 c4 8d b? ?? ?? ?? ?? e8 ?? ?? ?? ?? b9 00 08 00 00 f3 a5 c7 44 ?4 18 00 00 00 00 c7 44 ?4 14 00 00 00 00 c7 44 ?4 10 03 00 00 00 c7 44 ?4 0c 00 00 00 00 c7 44 ?4 08 03 00 00 00 c7 44 ?4 04 00 00 00 10 c7 04 ?4 64 70 40 00 e8 71 ff ff ff 89 c6 8d 8? ?? ?? ?? ?? 83 ec 1c 89 34 ?4 c7 44 ?4 10 00 00 00 00 c7 44 ?4 0c 00 00 00 00 c7 44 ?4 08 00 02 00 00 89 44 ?4 04 e8 ?? ?? ?? ?? 83 ec 14 89 34 }
            // PUSH         dword ptr [ECX + local_res0]
            // PUSH         EBP
            // MOV            EBP,ESP
            // PUSH         EDI
            // PUSH         ESI
            // PUSH         ECX
            // CALL         FUN_00401fe0                                                       uint FUN_00401fe0(undefined1 par
            // MOV            ESI,DAT_00404020                                                 = C88C00EBh
            // SUB            ESP,EAX
            // LEA            EDI=>local_2020,[EBP + 0xffffdfe8]
            // CALL         FUN_00401990                                                       undefined FUN_00401990(void)
            // MOV            ECX,0x800
            // MOVSD.REP  ES:EDI,ESI=>DAT_00404020                                     = C88C00EBh
            // MOV            dword ptr [ESP + 0x14],0x0
            // MOV            dword ptr [ESP + 0x10],0x3
            // MOV            dword ptr [ESP + 0xc],0x0
            // MOV            dword ptr [ESP + 0x8],0x3
            // MOV            dword ptr [ESP + 0x4],0x10000000
            // MOV            dword ptr [ESP],u_\\.\PhysicalDrive0_00407064      = u"\\\\.\\PhysicalDrive0"
            // CALL         CreateFileW                                                        HANDLE CreateFileW(LPCWSTR lpFil
            // MOV            ESI,EAX
            // LEA            EAX=>local_2020,[EBP + 0xffffdfe8]
            // SUB            ESP,0x1c
            // MOV            dword ptr [ESP],ESI
            // MOV            dword ptr [ESP + 0x10],0x0
            // MOV            dword ptr [ESP + 0xc],0x0
            // MOV            dword ptr [ESP + 0x8],0x200
            // MOV            dword ptr [ESP + 0x4],EAX
            // CALL         WriteFile                                                            BOOL WriteFile(HANDLE hFile, LPC
            // SUB            ESP,0x14
            // MOV            dword ptr [ESP],ESI
            // CALL         CloseHandle                                                        BOOL CloseHandle(HANDLE hObject)

    condition:
        uint16(0) == 0x5a4d and
        filesize < 300KB and
        all of them
}
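To check that a hex pattern in a rule actually covers the code it was lifted from, the following Python is an added example (not code from the original post or from the rule authors): it implements YARA hex-string matching for literal bytes, ?? byte wildcards and nibble wildcards such as 4? and ?4, and runs the $c1 pattern from MAL_WhisperGate_Stage3_File_Corruptor above against the instruction bytes reconstructed from that rule's disassembly comment. The helper names and the assembled byte buffer are this example's own constructions.

```python
"""YARA-style hex pattern matcher: literal bytes, ?? byte wildcards and
nibble wildcards (4?, ?4), the three token kinds used in the rules above.
Jumps such as [4-6] do not occur on this page and are not supported."""
import re

# $c1 from MAL_WhisperGate_Stage3_File_Corruptor, copied from the rule above.
C1_PATTERN = (
    "e8 ?? ?? ?? ?? c7 04 ?? 00 00 10 00 89 4? ?? e8 ?? ?? ?? ?? 89 c2 "
    "b9 00 00 10 00 b0 cc 89 d7 89 5? ?? f3 aa 8b 4? ?? 89 14 ?? "
    "c7 44 ?? ?? 00 00 10 00 c7 44 ?? ?? 01 00 00 00 89 44 ?? ?? "
    "e8 ?? ?? ?? ?? 8b 4? ?? 89 04 ?? e8 ?? ?? ?? ?? 89 74 ?? ?? 89 1c ?? "
    "e8 ?? ?? ?? ?? 89 34 ?? e8"
)

# Instruction bytes of the 0040153f..0040159c listing in the rule's comment,
# assembled in order from that listing (constructed here, not a real sample).
CORRUPTOR_BYTES = bytes.fromhex(
    "e8 9c 2a 00 00 "            # CALL _wfopen
    "c7 04 24 00 00 10 00 "      # MOV [ESP],0x100000      (1 MiB)
    "89 45 e4 "                  # MOV [EBP+disp],EAX      (FILE*)
    "e8 45 2a 00 00 "            # CALL malloc
    "89 c2 b9 00 00 10 00 "      # MOV EDX,EAX ; MOV ECX,0x100000
    "b0 cc 89 d7 89 55 e0 "      # MOV AL,0xcc ; MOV EDI,EDX ; save buffer
    "f3 aa "                     # REP STOSB: fill the 1 MiB buffer with 0xcc
    "8b 45 e4 89 14 24 "         # fwrite(buf,
    "c7 44 24 08 00 00 10 00 "   #        0x100000,
    "c7 44 24 04 01 00 00 00 "   #        1,
    "89 44 24 0c "               #        FILE*)
    "e8 1e 2a 00 00 "            # CALL fwrite
    "8b 45 e4 89 04 24 "         # fclose(FILE*)
    "e8 23 2a 00 00 "            # CALL fclose
    "89 74 24 04 89 1c 24 "      # _wrename(old, new)
    "e8 37 2a 00 00 "            # CALL _wrename
    "89 34 24 e8 07 2a 00 00 "   # free(buf)
)


def _byte_class(tok):
    """Regex character class for a nibble-wildcard token such as '4?' or '?4'."""
    hi, lo = tok[0], tok[1]
    values = [
        v for v in range(256)
        if (hi == "?" or v >> 4 == int(hi, 16))
        and (lo == "?" or v & 0xF == int(lo, 16))
    ]
    return b"[" + b"".join(b"\\x%02x" % v for v in values) + b"]"


def hex_pattern_to_regex(pattern):
    """Compile a YARA hex string body (without braces) to a bytes regex.

    The body is wrapped in a lookahead so every start offset is reported,
    including overlapping ones, as YARA does when it counts #string.
    """
    parts = []
    for tok in pattern.split():
        if len(tok) != 2:
            raise ValueError("unsupported token %r (bytes and ? wildcards only)" % tok)
        if tok == "??":
            parts.append(b".")
        elif "?" in tok:
            parts.append(_byte_class(tok))
        else:
            parts.append(b"\\x%02x" % int(tok, 16))
    # DOTALL so that '??' also matches 0x0a; this is byte matching, not text.
    return re.compile(b"(?=(" + b"".join(parts) + b"))", re.DOTALL)


def find_pattern(pattern, data):
    """Return every offset at which the hex pattern starts in data (YARA's @string)."""
    return [m.start() for m in hex_pattern_to_regex(pattern).finditer(data)]


def check_corruptor_pattern():
    """Offsets of $c1 in a buffer that embeds the reconstructed instruction bytes."""
    buf = b"\x90" * 16 + CORRUPTOR_BYTES + b"\xc3"
    return find_pattern(C1_PATTERN, buf)


if __name__ == "__main__":
    print("$c1 found at offsets:", check_corruptor_pattern())
    # The fill byte is matched literally (b0 cc), so a build that fills with a
    # different byte would not hit $c1; the rule still has $s1..$s5 to fall back on.
    variant = CORRUPTOR_BYTES.replace(b"\xb0\xcc", b"\xb0\x00")
    print("$c1 in zero-fill variant:", find_pattern(C1_PATTERN, variant))
```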

 

 

Sources:

  1. RSM Internal sources
  2. https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html
  3. https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html
  4. https://www.cisa.gov/shields-up
  5. https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-013a
  6. https://www.cisa.gov/uscert/ncas/alerts/aa22-011a
  7. https://www.cybersecurity-insiders.com/hacking-group-anonymous-declares-cyber-war-on-russia/
  8. https://twitter.com/y_advintel/status/1497293187798507525?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1497293187798507525%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.zdnet.com%2Farticle%2Fanonymous-hacktivists-ransomware-groups-get-involved-in-ukraine-russia-conflict%2F
  9. https://github.com/NorthwaveSecurity/complete_translation_leaked_chats_conti_ransomware


Joel Belton

Joel Belton is a military veteran with subject matter expertise in intelligence analysis involving strategic military exercise planning, satellite imagery and full motion video analytics, and actionable tactical operations for USSOCOM special operations. He graduated from Purdue University with a bachelor's degree in electrical engineering technology with a discipline in radio frequency communication engineering. Joel's passion for security is driven by enhancing his skills in red team offensive security and blue team operations strategies for mitigating compromise.
