Pretty small piece of code, all things considered.
The file is digitally signed, presumably with a stolen certificate though I don't see other files signed with this yet.
Early on it calls a common named pipe– \\EPMNTDRV\
Likely abusing legitimate drivers, saved as resources in the file. Pulling those now.
RCDATA_DRV_X64 a952e288a1ead66490b3275a807f52e5
RCDATA_DRV_X86 231b3385ac17e41c5bb1b1fcb59599c4
RCDATA_DRV_XP_X64 095a1678021b034903c85dd5acb447ad
RCDATA_DRV_XP_X86 eb845b7a16ed82bd248e395d9852f467
Btw, same UA submitter uploaded another file with similar name. Guessing encrypted something–
virustotal.com/gui/file/8aaf5…
I defer to @silascutler who is ahead of me on reversing :)
@silascutler Resources are MS compressed. Before I have to bang my head against a wall, @silascutler comes in with the save :)
@silascutler The drivers are multiple bitness versions of EaseUS Partition Master
Looks like ESET has another sample not yet on VT–
912342F1C840A42F6B74132F8A7C4FFE7D40FB77
Guessing this is the victim according to that DI_Ukraine tweet
A very surface comment on the functioning malware– abusing a legitimate driver for wiping is a classic from Lazarus Destover and Shamoon, but this is a different driver. Don't draw attribution conclusions from that, more of a shared TTP to get past permission issues.
Redundant loading of drivers based on OS version info and bitness (GetLastError != ERROR_OLD_WIN_VERSION, I think)
Modifying CrashControl regkey, CrashDumpEnabled key to 0
docs.microsoft.com/en-us/windows/…
Btw, regarding that victim tweet above (Titan)– it's speculation. Running with scissors here. Sounds like @ESETresearch might know some victim orgs though :)

Aaaand my hotspot dropped. Working on it
We are back!

Enumerating PhysicalDrives up to 100...
Looks like it's opening the beginning of those drives and doing some crypto there. Tbh, it's beyond my quick analysis abilities – anyone looking at 0x401EEA ?
Wow.. they're being thorough..
I have to admit that there's a surprising amount of thorough cleanup after this. Any chance this is a cleanup op more than just a wiper?
Ok.. this isn't a bullshit wiper like the last time.

This thing is meant to be devastating.
Ok, folks, we're clearly missing the *MOST* important part of all of this. Seeing as neither @threatintel nor @ESETresearch have named this monster, let's call this #HermeticWiper
@threatintel @ESETresearch Oh my god, you guys... the embedded icon.. is a gift box with a bow... #NoBullshit #HermeticWiper
@threatintel @ESETresearch As @JusticeRage @NateBeachW @CYINT_dude and @MigoKed pointed out to me, this icon is relatively common (actually 40K samples in VT w it). So let's just take it as a fun quirk.
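Added example, not code from the thread or from the wiper itself: a defender-side correlation of three behaviours the thread calls out (a .sys dropped into the drivers directory, CrashControl\CrashDumpEnabled set to 0, and a sweep of \\.\PhysicalDriveN handles) across constructed Sysmon-style events. The event shapes, field names, the sample file name and the drive-count threshold are assumptions.

```python
import re
from collections import defaultdict

# Registry value the thread saw set to 0 (turns crash dumps off).
CRASHDUMP_KEY = r"HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled"
# Raw-disk device path the sample opens for each enumerated PhysicalDrive.
PHYSDRIVE = re.compile(r"^\\\\\.\\PhysicalDrive(\d+)$", re.IGNORECASE)
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed, simplified Sysmon-style events (not real telemetry; file name is made up).
SAMPLE_EVENTS = [
    {"pid": 4242, "type": "file_create", "path": "C:\\Windows\\System32\\drivers\\dropped.sys"},
    {"pid": 4242, "type": "registry_set", "key": CRASHDUMP_KEY, "value": 0},
    {"pid": 4242, "type": "raw_open", "target": "\\\\.\\PhysicalDrive0"},
    {"pid": 4242, "type": "raw_open", "target": "\\\\.\\PhysicalDrive1"},
    {"pid": 4242, "type": "raw_open", "target": "\\\\.\\PhysicalDrive2"},
    {"pid": 4242, "type": "raw_open", "target": "\\\\.\\PhysicalDrive3"},
    {"pid": 7, "type": "raw_open", "target": "\\\\.\\PhysicalDrive0"},     # e.g. a backup tool
    {"pid": 9, "type": "registry_set", "key": CRASHDUMP_KEY, "value": 0},  # e.g. an admin script
]

def indicators_for(event):
    """Return the indicator names one event contributes (empty list if none)."""
    kind = event["type"]
    if kind == "registry_set":
        if event["key"].lower() == CRASHDUMP_KEY.lower() and int(event["value"]) == 0:
            return ["crashdump_disabled"]
    elif kind == "file_create":
        path = event["path"].lower()
        if path.startswith(DRIVER_DIR) and path.endswith(".sys"):
            return ["driver_dropped"]
    elif kind == "raw_open" and PHYSDRIVE.match(event["target"]):
        return ["physicaldrive_open"]
    return []

def correlate(events, drive_threshold=3):
    """Collect indicators per pid; opening >= drive_threshold distinct
    PhysicalDrive devices collapses into a single 'drive_sweep' indicator."""
    per_pid, drives = defaultdict(set), defaultdict(set)
    for ev in events:
        for ind in indicators_for(ev):
            if ind == "physicaldrive_open":
                drives[ev["pid"]].add(PHYSDRIVE.match(ev["target"]).group(1))
            else:
                per_pid[ev["pid"]].add(ind)
    for pid, seen in drives.items():
        if len(seen) >= drive_threshold:
            per_pid[pid].add("drive_sweep")
    return dict(per_pid)

def suspicious_pids(events, min_indicators=2):
    """Pids showing at least min_indicators distinct wiper-like behaviours."""
    return sorted(p for p, inds in correlate(events).items() if len(inds) >= min_indicators)
```

A single indicator on its own (one raw disk open, one admin changing the dump setting) is not flagged; only the combination is, which is what keeps the rule usable on real telemetry.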
Thread by J. A. Guerrero-Saade (@juanandres_gs)