As the conflict in Eastern Europe continues, the Splunk Threat Research Team (STRT) is constantly monitoring new developments, especially those related to destructive software. As we have showcased in previous releases in relation to destructive software and HermeticWiper, malicious actors modify their TTPs in order to become more effective and achieve their objectives. In the case of HermeticWiper, we witnessed the introduction of new features since the increment of malicious cyber activity targeting Ukraine from last month.
We now have a new payload recently discovered by ESET named CaddyWiper, indicating no code sharing with previous malicious payloads during this campaign. There is one thing however that has been seen during the deployment of payloads, and that is the use of Group Policy Objects (GPOs).
Group Policy Objects are Microsoft Active Directory network policies that can be applied selectively to computers, organizational units, applications, and individual users. Splunk Security research has previously shown how to use GPOs to defend against Ransomware, as the selective and massive application of these settings helps streamline, enforce and harden security policies.
However, as we have witnessed, GPOs can be used to harm if malicious actors can compromise domain administrators. This new malicious payload, incorporates the following features:
- Domain Controller killswitch. If payload detects installation on a Domain Controller it stops its functions.
- If not in a Domain Controller it destroys users data “C:\Users” and subsequent mapped drives (this may include network mapped drives).
- If not in a Domain Controller it destroys drive partitions including boot partitions (\\.\PhysicalDrive9 to \\.\PhysicalDrive0)
The above new features indicate the intention of malicious actors to maintain access to Domain Controllers and deploy destructive software without the need to have to compromise and get access again if they were destroyed and had to be reinstalled. This approach is much more tactical and it also gives attackers the possibility to modify, re-apply, or enforce GPOs that can achieve the deployment of this destructive payload. Below is a breakdown of these features.
Domain Controller Kill Switch
This wiper will prepare the module name and API name string on the stack to dynamically parse it upon execution. Then it will execute DsRolePrimaryDomainInformation() API to retrieve the state data of the targeted host. If the state role of the computer is DsRole_RolePrimaryDomainController caddywiper will exit its process.
Overwriting Files with Zeroed Buffer
If the computer is not a Domain Controller it will start to do its payload. One of them is overwriting files in C:\users directory and from Drive D:\ until Drive Z:\.
If it finds a file that is not a folder and has a hidden system attribute, it will adjust the Security identifier permission of its process as well as its TokenPrivileges to “SeTokenOwnershipPrivilege” to be able to access those files.
After that checking, Caddywiper will initialize a zeroed buffer based on the file size of the file it found. If the file size is greater than 0xA00000, It will set the maximum zeroed buffer size to 0xA00000. That buffer will be used to overwrite the files and make them unrecoverable.
Wiping Boot Partitions
This payload will enumerate all possible boot sectors partitions from \\.\PhysicalDrive9 to \\.\PhysicalDrive0 to overwrite it with a zeroed buffer with size of 1920 bytes. The wiping was executed using DeviceIoControl IOCTL_DISK_SET_DRIVE_LAYOUT_EX.
This analytic is to look for suspicious raw access read to device disk partition of the host machine. This technique was seen in several attacks by adversaries or threat actor to wipe, encrypt or overwrite the boot sector of each partition as part of their impact payload for example the “hermeticwiper” malware.
This analytic is to look for suspicious raw access read to drive where the master boot record is placed. This technique was seen in several attacks by adversaries or threat actors to wipe, encrypt or overwrite the master boot record code as part of their impact payload.
Mitigate via GPO
As mentioned in this Threat Update GPOs can also be used defensively and the Splunk Security Research has previously shown how to apply them in a defensive manner. Here are some examples of GPO that can be applied to protect against destructive software attacks:
- Force logoff
- Remove Computer from Domain
- Disable password changes
- Disable access to network shares
- Enforce account lockout
- Prevent further download of payloads from the internet
- Apply firewall rules
- Prevent reboot of computers
The above GPO settings in combination with Splunk SOAR playbooks such as Ransomware Investigate and Contain may improve defenses and containment of these types of attacks.
The Cybersecurity & Infrastructure Security Agency (CISA) has provided numerous guidelines on how to prepare, defend and respond against destructive software attacks. The following links provide extensive information on the subject.
- Destructive Malware Targeting Organizations in Ukraine
- Understanding and Mitigating Russian State-Sponsored Cyber Threat to U.S Critical Infrastructure
- NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems
- Russia Cyber Threat Overview and Advisories
- Data Integrity: Detecting and Responding to Ransomware and other Destructive Events
- CISA and FBI publish advisory to protect organizations from destructive malware used in Ukraine
- Shields Up Technical Guidance
- CISA: Free Cybersecurity Services and Tools
- National Security Advisory (NSA) CSA Stop Malicious Cyber Activity Against Connected Operational Technology
Splunk Threat Research Related Resources
- Threat Advisory: STRT-TA02 - Destructive Software
- Active Directory Lateral Movement Detection: Threat Research Release, November 2021
- Hunting for Malicious PowerShell using Script Block Logging
- Conti Threat Research Update and Detections
- Detecting Trickbot with Splunk
- Data Exfiltration Detections: Threat Research Release, June 2021
- REvil Ransomware Threat Research Update and Detections
- Detecting Password Spraying Attacks: Threat Research Release May 2021
- DarkSide Ransomware: Splunk Threat Update and Detections
- Clop Ransomware Detection: Threat Research Release, April 2021
- Using Splunk Attack Range to Test and Detect Data Destruction (ATT&CK 1485)
- Cities Held Hostage: Fighting Ransomware with Analytics
- Monitor for, Investigate and Respond to Phishing Payloads with Splunk Enterprise Security Content Update
We would like to thank the following for their contributions to this post.
- Teoderick Contreras
- Rod Soto
- Jose Hernandez
- Patrick Barreiss
- Lou Stella
- Mauricio Velazco
- Michael Haag
- Bhavin Patel
- Eric McGinnis