Rewterz Threat Alert – Cobalt Strike Malware – Active IOCs
March 1, 2022
Rewterz Threat Alert – UNC1151 Phishing Campaign – Active IOCs – Russian-Ukrainian Cyber Warfare
March 1, 2022
Severity
Medium
Analysis Summary
Trojan.Killdisk is a new disk-wiping malware recently discovered by security researchers. The wiper attacks target Ukraine in support of the Russian invasion, and the same signatures have also been seen in attacks in Lithuania. Targeted sectors are aviation, defense, IT services, and the financial sector.
Notably, HermeticWiper (Trojan.Killdisk) is digitally signed with a certificate issued to Hermetica Digital Ltd, which is the origin of its name.
It contains 32-bit and 64-bit driver files which are compressed by the Lempel-Ziv algorithm stored in their resource section. The driver files are signed by a certificate issued to EaseUS Partition Master. The malware will drop the corresponding file according to the operating system (OS) version of the infected system. Driver file names are generated using the Process ID of the wiper. – Security Researchers
Upon execution, HermeticWiper damages the MBR (Master Boot Record) of the victim’s system, rendering it inoperable. Compromises of organizations using this wiper date back to November 2021. A Microsoft SQL Server vulnerability was also used to attack organizations in Ukraine, and ransomware was deployed alongside the wiper against affected organizations.
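A triage check for the MBR damage described above, as an added example that is not part of the original alert: it parses sector 0 of a disk image and reports structural problems such as a missing 0x55AA boot signature or malformed partition entries. The function names and sample sectors are constructed for illustration; the alert does not say how the wiper alters the MBR, so the check tests generic MBR validity only.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446   # four 16-byte partition entries start here
BOOT_SIG_OFFSET = 510     # a valid MBR ends with the bytes 0x55 0xAA

def parse_partitions(sector):
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    entries = []
    for i in range(4):
        start = PART_TABLE_OFFSET + 16 * i
        raw = sector[start:start + 16]
        if raw == bytes(16):          # unused slot
            continue
        lba_start, sectors = struct.unpack_from("<II", raw, 8)
        entries.append({"index": i, "status": raw[0], "type": raw[4],
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def mbr_findings(sector):
    """List structural problems; an empty list means the MBR looks intact."""
    if len(sector) != SECTOR_SIZE:
        return ["sector 0 is not 512 bytes"]
    findings = []
    if sector[BOOT_SIG_OFFSET:] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    parts = parse_partitions(sector)
    if not parts:
        findings.append("partition table is empty")
    for p in parts:
        if p["status"] not in (0x00, 0x80):   # only inactive/active are valid
            findings.append(f"entry {p['index']}: invalid status 0x{p['status']:02x}")
        if p["type"] == 0 or p["sectors"] == 0:
            findings.append(f"entry {p['index']}: zero type or zero length")
    return findings

def build_sample_mbr():
    """Constructed sample: one active NTFS (0x07) partition at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 409600)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    sector[BOOT_SIG_OFFSET:] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    print("intact :", mbr_findings(build_sample_mbr()))
    print("zeroed :", mbr_findings(bytes(SECTOR_SIZE)))  # constructed damaged sector
```

To use it on a real host, pass the first 512 bytes of a forensic disk image to `mbr_findings`; GPT disks carry a protective MBR that passes the same checks.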
CVE-2021-1636
Microsoft SQL Server could allow a remote authenticated attacker to gain elevated privileges on the system. An authenticated attacker could exploit this vulnerability to gain higher privilege access to the server.
Impact
- Data Loss
- File Encryption
- Financial Loss
Indicators of Compromise
Remediation
- Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner.
- 2FA – Enable two-factor authentication.
- Patch – Patch and upgrade all platforms and software in a timely manner. Prioritize patching known exploited vulnerabilities.
- WAF – Set up a Web Application Firewall with rules to block suspicious and malicious requests.
- Admin Access – Limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
- Passwords – Implement strong passwords.
- Logging – Log your eCommerce environment’s network activity and web server activity.