ESET and Broadcom’s Symantec have found a new data wiper malware in the recent attacks against hundreds of workstations in Ukraine. In the hours leading up to the invasion, Russia deployed destructive malware against Ukraine and neighbouring nations. Attackers used Trojan.Killdisk, a type of disk-wiping virus, to assault Ukrainian companies on February 24.
On Wednesday afternoon, the onslaught began. “The situation is consistent with recent DDoS attempts,” NetBlocks, an internet connectivity business, tweeted about the outages last week. DDoS (distributed denial of service) attacks take down a website by flooding it with numerous requests until it fails.
Attack Process
In a series of tweets, ESET stated, “The wiper binary is signed using a code signing certificate issued to Hermetica Digital Ltd.” “To corrupt data, the wiper exploits genuine drivers from the EaseUS Partition Master software. The wiper then reboots the computer as the last step.”
The attacker distributed Trojan.Killdisk as an executable file signed by a certificate supplied by Hermetica Digital Ltd. It includes driver files for both 32-bit and 64-bit operating systems. Moreover, it utilises the Lempel-Ziv algorithm stored in the resource section to compress the driver files.
Furthermore, it uses a certificate given to EaseUS Partition Master to sign the driver files. Thereafter, according to the operating system (OS) version of the infected system, the malware will drop the appropriate file. It uses the process ID of the wiper to construct driver file names. When executed, the wiper damages the infected computer’s Master Boot Record (MBR), rendering it inoperable.
In a report, SentinelOne’s lead threat analyst Juan Andres Guerrero-Saade remarked, “After a week of defacements and growing DDoS attacks, the proliferation of sabotage operations through wiper malware is an expected and regretful escalation.”
Past Attack Reports
According to early indications, the attacks may have been planned for some time. Initial evidences suggest that harmful behaviour may have started as early as November 2021.
In an attack against one organisation in Ukraine on December 23, the attackers gained access to the network. They used a malicious SMB activity against a Microsoft Exchange Server to do this. Theft of credentials quickly followed this.
Recently, several Ukrainian banks’ and government organisations’ websites went unreachable on February 23. Before the wiper was deployed on February 23, the attackers implemented a web shell on January 16.
Symantec began noticing the execution of the file ‘postgresql.exe’ and used it to conduct command activities on February 22. These included using certutil to check connectivity to trustsecpro[.]com and whatismyip[.]com. It also involved using PowerShell to download another JPEG file from a hacked web server. Following this, it used PowerShell to dump the hacked machine’s credentials. After that, it executed several PowerShell scripts, which concluded with the deployment of the wiper malware.
Other forms of attacks
To breach at least one of the targeted organisations, the attackers appear to have used a known vulnerability in Microsoft SQL Server.
The attack also involved the distribution of ransomware against targeted firms at the same time as the wiper in several instances. The attackers distributed ransomware using scheduled processes, just like the wiper. Client.exe, cdir.exe, cname.exe, connh.exe, and intpub.exe were among the ransomware’s file names.
The attackers most likely used ransomware as a ruse or distraction from the wiper operations. This is comparable to the past wiper operations against Ukraine (WhisperGate), where the wiper was disguised as ransomware.
Last week, a DDoS attack from unknown perpetrators caused disruptions at two of Ukraine’s largest banks, PrivatBank and Oschadbank. The attack also targeted the Ukrainian Ministry of Defense and Armed Forces’ websites.
Endnote
The scope and impact of the data-wiping attacks and the identity of the threat actor behind the infections are still unclear. These cyber-attacks are the most sophisticated and constitute the third wave of attacks against Ukraine this year.
IOCs
- 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 – Trojan.Killdisk
- 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da – Trojan.Killdisk
- a64c3e0522fad787b95bfb6a30c3aed1b5786e69e88e023c062ec7e5cebf4d3e – Trojan.Killdisk
- 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 – Ransomware
