We've had 6 wipers in the wake of the Ukraine invasion, but the biggest elephant in the room has been the infamous 'satellite modem hack'. Despite statements saying there was no malware involved, we believe it was the work of a 7th wiper: AcidRain.
AcidRain is a 32-bit MIPS ELF wiper uploaded to VT from Italy on March 15th with the name 'ukrop'. It's a more generic wiper in that it attempts to brute-force device file names and wipe any and all, and can be reused for a future op.
Interestingly, there are two wiping mechanisms. The first copies from an array of 4-byte integers starting at 0xffffffff, decrementing at each index.
The second is through a combination of IOCTLs, MEMGETINFO, MEMUNLOCK, MEMERASE, MEMWRITEOOB.
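The first wiping mechanism described above, a table of 4-byte integers counting down from 0xffffffff, is a byte pattern a defender can look for in a suspect binary. The scanner below is an added example written for this page, not code from the thread or from the SentinelLabs analysis: it reads the ELF header (class, byte order, e_machine) and then searches the file at every byte offset, in both byte orders, for a run of words 0xffffffff, 0xfffffffe, 0xfffffffd, ... The `build_sample` helper constructs a synthetic MIPS ELF header with such a table so the scanner can be exercised offline; the minimum run length of 8 is an assumed threshold, not a value from the page.

```python
import struct

EM_MIPS = 8  # e_machine value for MIPS in the ELF specification


def elf_summary(data):
    """Return class, byte order and e_machine of an ELF header, or None if not ELF."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    endian = {1: "little", 2: "big"}.get(data[5])  # EI_DATA
    if endian is None:
        return None
    fmt = "<H" if endian == "little" else ">H"
    machine = struct.unpack_from(fmt, data, 18)[0]  # e_machine
    return {
        "class": 32 if data[4] == 1 else 64,  # EI_CLASS
        "endian": endian,
        "machine": machine,
        "is_mips32": data[4] == 1 and machine == EM_MIPS,
    }


def _run_length(data, offset, fmt):
    """Count consecutive 4-byte words at offset forming 0xffffffff, 0xfffffffe, ..."""
    expected = 0xFFFFFFFF
    run = 0
    pos = offset
    while pos + 4 <= len(data) and struct.unpack_from(fmt, data, pos)[0] == expected:
        run += 1
        expected = (expected - 1) & 0xFFFFFFFF
        pos += 4
    return run


def find_decrementing_runs(data, min_run=8):
    """Locate tables of 4-byte integers counting down from 0xffffffff.

    Scans at every byte offset (the table need not be aligned in the file) and
    tries both byte orders. At each offset the longer run wins and the scan then
    skips past it, so a big-endian table is not reported a second time as a
    misaligned little-endian one (and vice versa).
    Returns a list of (offset, word_count, endian) tuples.
    """
    hits = []
    i = 0
    while i + 4 <= len(data):
        if data[i:i + 4] != b"\xff\xff\xff\xff":  # first entry is 0xffffffff in either order
            i += 1
            continue
        best_run, best_endian = 0, None
        for name, fmt in (("big", ">I"), ("little", "<I")):
            run = _run_length(data, i, fmt)
            if run > best_run:
                best_run, best_endian = run, name
        if best_run >= min_run:
            hits.append((i, best_run, best_endian))
            i += 4 * best_run
        else:
            i += 1
    return hits


def scan_file(data):
    """Combine the header summary and the table search into one report."""
    return {"elf": elf_summary(data), "tables": find_decrementing_runs(data)}


def build_sample(count=16, endian="big"):
    """Constructed test input (not a real sample): a minimal 32-bit MIPS ELF header
    followed by a count-down table, so the scanner can be run offline."""
    word_fmt = ">I" if endian == "big" else "<I"
    half_fmt = ">HH" if endian == "big" else "<HH"
    header = (b"\x7fELF" + bytes([1, 2 if endian == "big" else 1, 1, 0]) + b"\x00" * 8
              + struct.pack(half_fmt, 2, EM_MIPS) + b"\x00" * 32)  # 52-byte ELF32 header
    table = b"".join(struct.pack(word_fmt, 0xFFFFFFFF - k) for k in range(count))
    return header + table + b"\x00" * 8


if __name__ == "__main__":
    sample = build_sample(16, "big")
    print(scan_file(sample))  # table found at offset 52, 16 words, big-endian
```

Run it against a real file with `scan_file(open(path, "rb").read())`; a hit only says that such a table is present, so treat it as a triage signal to pair with the header fields and the IOCTL strings, not as a verdict on its own.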
As we consider who may have developed AcidRain, it's interesting to note that the same IOCTL combo was used in a VPNFilter stage 3 plugin, called 'dstr'.
We posit that there are noteworthy developmental traits connecting this VPNFilter plugin and AcidRain but do our best not to overhype that idea. It's a hypothesis in need of stress testing and we invite the research community to take a look and share their findings.
I imagine more details will come from @ViasatInc in the future. Perhaps they'll share the actual findings from their excellent incident responders. I'm afraid their statement was so vague as to become unwittingly inaccurate (a charitable interpretation, perhaps).
Massive recognition to @maxpl0it who nailed the reversing, @TomHegel, @philofishal, and the whole @LabsSentinel team, as well as all of the researchers that silently contributed with no hope of glory.
A @KimZetter two-parter on Intrusion Truth and outing Chinese APT operators! Interesting to see open speculation and RUMINT around the industry codified alongside IntrusionTruth's own spokespeople. zetter.substack.com/p/unmasking-ch…
Beware whatever is happening with this bizarre op. Reporters from @business, @motherboard and @TheRecord_Media received emails impersonating me and pointing to an 'Anonymous Liberland' / 'Pwn-Bar Hack Team' onion site. 🧵
You can read the email here. It's actually pretty funny.
Seriously debating changing my email signature to "Glory to Ukraine and Fuck Putin" at this point.
Looking at the site, the logistics of the op aren't very well thought out (assuming the intent is to push this Tetraedr leak), as the main leak is 150 GB and the 'sample' is 955 MB, only downloadable via Tor. So see you in 10 days?
Day 2, hopefully briefer and less hectic. Our friends at Symantec have published a great blog with way more detail about the attack chain and additional IOCs, including a decoy ransomware.
The 'ransomware' (4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382) is written in Go and C and has some interesting quirks and taunting.
Despite a ton of standard Go functions (as is usually the case), all we really want to focus on are the main and Cgo functions.
@1njection I agree with your general sentiment, but in the interest of pedantry:
- Regin is your main 4 Eyes APT
- Equation Group is (sort of) your missing eye
- Lamberts/'Longhorn' == CIA
And then there’s a few presumably western outliers that haven’t been attributed (ex: ProjectSauron)
@1njection To your larger point, you’ll notice that there’s very little follow up on any of these. There’s a complex calculus in the EDR/AV industry on whether to report on ‘friendly’ ops. I understand if they choose not to publish reports but imo intentionally not *detecting* is fraud.
Ok friends, you know it's a wonderful day when you get woken up by @Bing_Chris on madness in Iran. If you haven't seen what's going on, another trollish attack played out today with gas stations in Iran not being able to dispense gas #64411
Screens on the gas pump PoS systems say 'cyberattack, 64411' in Farsi. For avid readers, this should be a throwback to the Iranian railway systems attack in July, where the attackers also directed calls to 64411, the Office of Iran's Supreme Leader, Ali Khamenei. #MeteorExpress
We were able to reconstruct the attack chain used in the Iranian railway system, a combination of well-written crafty batch scripts + an externally configurable wiper called 'Meteor'. That led us to calling this group MeteorExpress. s1.ai/meteor