The Splunk Threat Research Team is monitoring open channel intelligence and government alerts indicating the possibility of malicious campaigns using destructive software in relation to ongoing geopolitical events. Based on historical data of named geopolitical actors, the use of destructive payloads has been observed in past campaigns. These destructive payloads aim to disable targeted hosts beyond recovery and seek to disrupt, deny, and degrade an organization’s technology and services, especially Operational Technology, which is the software and hardware directly related to the monitoring and operation of industrial systems (i.e. utilities such as telecommunications, electricity, water, gas, etc.).

If recent Ransomware campaigns are an indication of the effects malicious campaigns against healthcare, technology, food supply, and gas supply can have in real life (the Colonial Pipeline outage affected 45% of U.S. East Coast fuel supply), then destructive payloads whose sole use is to render hosts unusable should be considered a possibility under the current geopolitical indicators.

The Attack:

The focus of this threat advisory is on a recently reported destructive payload by Microsoft MSTIC under the name of WhisperGate. We break down the different components and functions of how this payload works and provide a series of detections to mitigate and defend against this threat. Although we cannot prevent patient 0, we can, however, measure and recover execution artifacts which, if used in a timely manner and operationalized as analytics and playbooks, can provide analysts a tool to isolate, contain and prevent further damage. Further on, this data may help understand the extent and the TTPs of current and future campaigns where these payloads may be in use. Ransomware is by itself a destructive payload; however, some past campaigns have shown the use of multiple payloads, some of them with Ransomware characteristics used as decoys, and others with the same Ransomware characteristics that nevertheless execute destructive payloads at targeted organizations (i.e. hard disk erasure).

“WhisperGate” Indicators And Analysis:

Stage 1: MBR Wiper

This wiper malware contains code that affects the Master Boot Record (MBR) sector of the compromised host. This wiper will try to overwrite or replace the original MBR with the destructive MBR code. The screenshot below shows a code snippet to overwrite the MBR with the malicious master boot record code containing the ransom note.

Stage 2: Discord Downloader, Delay Of Execution

This stage 2 malware contains a possible defense evasion that might bypass AV detection technology such as emulation, or even sandbox testing that monitors process behavior for a limited period of time (let’s say less than 20 sec.). The evasion is achieved by running a base64-encoded PowerShell command that will delay its execution. The screenshot below shows the code it runs twice to sleep for 20 sec.

Powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA=

After the sleep, Stage 2 will try to download a “.jpg” file from the Discord server. This file is a .NET compiled malware, which is the stage 3 in reversed form. By using a simple Python script you can reverse it to make it a valid PE executable. Below is the screenshot of how it downloads the stage 3 malware from the Discord server.

Stage 3: Defense Evasion and Process Injection (File Corrupter)

Stage 3 is a .NET compiled malware that will load its resource data and decrypt it; the decrypted resources are advancedrun.exe and the file corrupter malware.

Evading Windows Defender AV

As soon as stage 3 executes, it will drop advancedrun.exe and a VBScript in the %temp% folder to evade Windows Defender AV. The screenshot below shows how AdvancedRun.exe (a Nirsoft tool) was used to disable the Windows Defender service (WinDefend) and remove or delete the Windows Defender directory in the ProgramData folder:

"C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run

"C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run

The .vbs file dropped in the %temp% folder will add the C:\ drive to the exclusion path of Windows Defender.

Process Injection - File Corrupter Malware
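As an added detection example (written for this page, not code from the Splunk advisory), the following Python triages process command lines for the Stage 2 and Stage 3 indicators described above: it decodes the -enc PowerShell payload (UTF-16LE base64, which for the sample above decodes to Start-Sleep -s 10) and flags AdvancedRun being used to stop the Defender service or remove its ProgramData directory. The sample command lines and rule names are constructed for the example.

```python
import base64
import re

# Constructed sample process command lines (not real telemetry). Lines 2 and 3
# mirror the AdvancedRun invocations shown in the advisory; line 4 is benign.
SAMPLE_CMDLINES = [
    'powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA=',
    '"C:\\Users\\Administrator\\AppData\\Local\\Temp\\AdvancedRun.exe" /EXEFilename '
    '"C:\\Windows\\System32\\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" '
    '/StartDirectory "" /RunAs 8 /Run',
    '"C:\\Users\\Administrator\\AppData\\Local\\Temp\\AdvancedRun.exe" /EXEFilename '
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" /WindowState 0 '
    '/CommandLine "rmdir \'C:\\ProgramData\\Microsoft\\Windows Defender\' -Recurse" '
    '/StartDirectory "" /RunAs 8 /Run',
    'notepad.exe C:\\Users\\Administrator\\notes.txt',
]

# -e, -ec, -enc and -EncodedCommand are all accepted by PowerShell; capture the blob.
ENC_FLAG = re.compile(r'-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)', re.I)

def decode_encoded_command(blob: str) -> str:
    """Decode a -EncodedCommand blob (base64 of UTF-16LE). Logs and blog copies
    often drop the trailing '=' padding (the sample above has), so restore it."""
    blob += '=' * (-len(blob) % 4)
    return base64.b64decode(blob).decode('utf-16-le', errors='replace')

def triage(cmdline: str) -> list:
    """Return (rule, evidence) findings for one process command line."""
    findings = []
    low = cmdline.lower()
    m = ENC_FLAG.search(cmdline)
    if m:
        decoded = decode_encoded_command(m.group(1))
        # Stage 2: encoded Start-Sleep used to outlast sandbox/emulation windows
        if 'start-sleep' in decoded.lower():
            findings.append(('encoded_powershell_sleep', decoded))
    if 'advancedrun' in low:
        # Stage 3: AdvancedRun launching sc.exe to stop the Defender service
        if 'sc.exe' in low and 'stop windefend' in low:
            findings.append(('defender_service_stop_via_advancedrun', cmdline))
        # Stage 3: AdvancedRun launching PowerShell to delete the Defender folder
        if 'rmdir' in low and 'windows defender' in low:
            findings.append(('defender_dir_removal_via_advancedrun', cmdline))
    return findings

def scan(cmdlines) -> list:
    # Result index i corresponds to cmdlines[i]
    return [triage(c) for c in cmdlines]

if __name__ == '__main__':
    for line, hits in zip(SAMPLE_CMDLINES, scan(SAMPLE_CMDLINES)):
        print([rule for rule, _ in hits] or 'clean', '<-', line[:60])
```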