Discover and read the best of Twitter Threads about #industroyer2

Most recents (3)

On November 21st #ESETResearch detected and alerted @_CERT_UA of a wave of ransomware we named #RansomBoggs, deployed in multiple organizations in Ukraine🇺🇦. While the malware written in .NET is new, its deployment is similar to previous attacks attributed to #Sandworm. 1/9
@_CERT_UA Its authors make multiple references to Monsters, Inc., the 2001 movie by Pixar. The ransom note (SullivanDecryptsYourFiles.txt) shows the authors impersonate James P. Sullivan, the main character of the movie, whose job is to scare kids. 2/9
@_CERT_UA The executable file is also named Sullivan.<version?>.exe and references are present in the code as well. 3/9
Read 9 tweets
We have become aware of a large #ICS/#SCADA malware project apparently conducted under a state contract on behalf of the Russian General Staff Main Intelligence Directorate (#GRU), Main Centre for Special Technologies (#GTsST), military unit 74455.
This military unit also known as #Sandworm is located at the GRU Ulitsa Kirova facility in the Khimki suburb of Moscow. In the past Sandworm has targeted ICS/SCADA, one of the most renowned being the #INDUSTROYER2 hacking attempt of a Ukrainian electrical substation in April 22.
The ongoing project is to cost more than 100 million rubles across three phases and undertaken by several technical defense contractors.
Read 5 tweets
#BREAKING #Sandworm continues attacks in Ukraine 🇺🇦. #ESETresearch found an evolution of a malware loader used during the #Industroyer2 attacks. This updated piece of the puzzle is malware
@_CERT_UA calls #ArguePatch. ArguePatch was used to launch #CaddyWiper. #WarInUkraine 1/6 Image
The #Industroyer2 attacks used a patched version of @HexRaysSA IDA Pro’s remote debug server (win32_remote.exe). It was modified to include code to decrypt and run #CaddyWiper from an external file. 2/6 ImageImage
This time, #Sandworm chose an official @ESET executable to hide #ArguePatch. It was stripped of its digital signature and code was overwritten in a function called during the MSVC runtime initialization. 3/6 ImageImage
Read 6 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!