Hack on Sony with Malware takes out the network for 1 week - Destructive Malware


Dropper – prepares the ground and then hands off, bringing in another type of malware to finish the job. This is why we often see more than one variant: the components act as a team of attackers, each serving a different function toward an overall agenda/goal.



The compile date on the malware was 4-5 hours before deployment, so phishing is ruled out; more than likely it was done through embedding into images on high-traffic websites.

"The Destover droppers install and run EldoS RawDisk drivers to evade NTFS security permissions and overwrite disk data and the MBR itself. There are implications for data recovery in this. In the case of the DarkSeoul malware, the overwritten data could be restored using a method similar to the restoration of the Shamoon 'destroyed' data. Destover data recovery is likely to be the same.
The chain of intermediary components leading to the destructive payload follows multiple stages (which have previously been described elsewhere), with capabilities set to run in several modes, just like Shamoon:
1. The sample is run on a 32-bit OS for the first time.
2. The sample is run on a 32-bit OS as a self-installed service, with one of several code paths.
3. The sample is run on a 64-bit OS as a self-installed service.
On a first run, it creates the 'Backup and Restore Management' Windows brmgmtsvc service, adds its own executable and sets a startup '-i' switch. It also drops several copies of itself and starts each of them with a different switch: -m, -d, and -w.
-m (mbr overwrite):
This attempts to connect with the three IP addresses. Even if this is unsuccessful, process execution takes place.
It fetches its resource that contains the compressed EldoS RawDisk driver, and writes it out to the temp directory as a 'usbdrv3.sys'.
It then installs the driver as the usbdrv3 service 'USB 3.0 Host Controller'.
After this, it starts the driver service and closes its service handle.
It then creates a filehandle to the driver with write permissions:
'\\?\ElRawDisk\??\\PhysicalDrive0#99E2428CCA4309C68AAF8C616EF3306582A64513E55C786A864BC83DAFE0C78585B692047273B0E55275102C664C5217E76B8E67F35FCE385E4328EE1AD139EA6AA26345C4F93000DBBC7EF1579D4F'
and writes to that handle with 64k strings of '0xAAAAAAAA'. ← note that the issue of a lengthy license key (#99E2428…) is discussed in our Shamoon The Wiper - part ii blogpost.
It then creates new threads, each of which attempts to connect to any possible physical drive letter and overwrite them as well.
-d (data overwrite):
This attempts to connect with the same three IP addresses. Again, process execution takes place regardless of communications.
It gets the logical drives and traverses recursively through them, identifying all data files. If it is not .exe or .dll, the process overwrites file contents with '0x0df0adba' in a 20k chunk. This overwrite is completed from user mode, without the EldoS drivers.
It then attempts to delete the data file using the win32 api 'DeleteFileW'. As it recurses through all the system's directories, it attempts to delete .exe and .dll files.
-w (web server):
This attempts to connect with the same three IP addresses. Again, process execution takes place regardless of communications.
It stops the Windows Terminal Services from the cmd line: 'cmd.exe /c net stop termservice /y'
Then finds resource#85, decompresses and writes contents out to 'c:\windows\iissvr.exe'.
It launches the iissvr.exe process and exits.
iissvr is what it seems to be - a web server that maintains an encoded JPG, HTML and WAV file. It listens on Port 80 and serves these files. The full graphic and scrolling green warning can be found later in the article.

Lastly, after a two hour sleep, the original service restarts the machine with a call to ExitWindowsEx(EWX_REBOOT|EWX_FORCE, 0). This forces an exit but delays the shutdown itself while system state file creation occurs."
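The two overwrite patterns quoted above (64k runs of '0xAAAAAAAA' through the raw-disk handle, and '0x0df0adba' in a 20k chunk from user mode) are easy to fingerprint during forensic triage. The following is an added example for responders, not code from the Securelist write-up or the malware; the on-disk byte order of the 0x0df0adba marker is an assumption, so both encodings are checked, and all sample data is constructed inline.

```python
"""Triage helper: recognise the Destover wipe patterns described in the quoted analysis."""
import struct

MBR_FILL = b"\xAA" * 4        # '0xAAAAAAAA' written to the raw disk (-m mode)
DATA_MARKER = 0x0DF0ADBA      # '0x0df0adba' written to data files (-d mode)
DATA_CHUNK = 20 * 1024        # the write-up describes a 20k chunk


def _pattern_fraction(data: bytes, pattern: bytes) -> float:
    """Fraction of aligned 4-byte words in `data` equal to `pattern`."""
    words = len(data) // 4
    if words == 0:
        return 0.0
    hits = sum(1 for i in range(0, words * 4, 4) if data[i:i + 4] == pattern)
    return hits / words


def classify_overwrite(data: bytes, threshold: float = 0.95) -> str:
    """Return 'mbr_wipe', 'data_wipe' or 'clean' from the leading 20k of a blob."""
    head = data[:DATA_CHUNK]
    if _pattern_fraction(head, MBR_FILL) >= threshold:
        return "mbr_wipe"
    # Byte order is an assumption: test both little- and big-endian encodings.
    for marker in (struct.pack("<I", DATA_MARKER), struct.pack(">I", DATA_MARKER)):
        if _pattern_fraction(head, marker) >= threshold:
            return "data_wipe"
    return "clean"


def surviving_tail(data: bytes) -> bytes:
    """Bytes past the 20k chunk; if the write stopped there, they are recovery candidates."""
    return data[DATA_CHUNK:] if classify_overwrite(data) == "data_wipe" else b""


def triage_sector0(sector: bytes) -> dict:
    """Check a 512-byte sector-0 image: boot signature present? filled with 0xAA?"""
    return {
        "has_boot_signature": sector[510:512] == b"\x55\xAA",
        "aa_filled": _pattern_fraction(sector, MBR_FILL) > 0.95,
    }


# Constructed samples (not real evidence): a wiped MBR, a wiped document, a clean file.
WIPED_MBR = b"\xAA" * 512
WIPED_FILE = struct.pack("<I", DATA_MARKER) * (DATA_CHUNK // 4) + b"trailing original bytes"
CLEAN_FILE = bytes(range(256)) * 100

if __name__ == "__main__":
    for name, blob in (("mbr", WIPED_MBR), ("doc", WIPED_FILE), ("clean", CLEAN_FILE)):
        print(name, classify_overwrite(blob))
    print(triage_sector0(WIPED_MBR), len(surviving_tail(WIPED_FILE)))
```

A non-zero `surviving_tail` is the practical hook for the recovery implication the analysis raises: content beyond the overwritten chunk is still on disk until the follow-up DeleteFileW succeeds and the clusters are reused.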


I have edited this content and made it shorter so we can understand just the important items.

