Since relations between Ukraine and Russia became sour following the Revolution of Dignity in 2014, organizations throughout Ukraine have been subject to recurring cyber-attacks. These attacks, often allegedly sponsored by the Russian government or pro-Russian entities, have been wreaking havoc on the Ukrainian economy and infrastructure. Unarguably, one of the most common forms of cyber threats faced by Ukraine has been malware, custom delivered to avoid safeguards.
The types of attacks against Ukraine have created immense tension within the population and helped Russia further its cause of keeping western nations away from its borders. However, these attacks have successfully inspired several threat actors to deploy these tactics in other parts of the world. The latest in the game is a wiper malware dubbed Trojan.Killdesk by Symantec. As per a blog post by Symantec, the malware was used to attack Ukrainian organizations shortly before Russia began its invasion of the country.
Understanding the wiper
The wiper malware was used to target specific organizations in the country to disrupt the government's efforts and the economic landscape of the country in order to divert its effort from the front line. The malware is used to wipe data from hard drives often by corrupting the master boot record (MBR), file systems, and partitions on physical drives used with Windows machines.
The context
On the 23rd of February, 2022 the malware was discovered in Ukrainian systems, attacking hard drives containing key data. The malware was using raw disk access to wipe data from physical drives.
Modus operandi:
1. The malware is capable of giving itself privileges to shut down and restart the system to successfully attack the drives. It uses the AdjustTokenPrivileges API to get SeShutdownPrivilege, SeBackupPrivilege, and SeLoadDriverPrivilege.
2. The malware then uses the IsWor64Process function to determine a driver version to load based on the version of the system being attacked. Upon execution of the function, the malware loads several drivers onto the system in the binary section after compressing them using the Lempel-Ziv algorithm and named with a randomly generated 4-character. The loaded file is decompressed after this using the LZCopy function onto a new file that has a “.sys” extension.
3. The malware uses the CreateServiceW API to load the driver on the system and loads the driver with the same 4-character name used for the driver file.
4. The malware then calls the StartServiceW API in a loop 5 times to successfully load the driver. Once the driver is loaded, the registry key is deleted to remove the service.
5. After loading the driver, the malware uses the Control Service Manager to disable the VSS service on the system. This is followed by the creation of the following threads:
- A thread to control system reboot
- A thread to disable UI features that could possibly alert the user of suspicious activity
6. The malware uses multiple threats to overwrite the hard drives and destroy partitions. The malware renders the system useless and when the system is rebooted it reads “Missing OS.”
How BluSapphire handled the threat
BluSapphire helps secure organizational data with the help of its arsenal of advanced tools and practices to predict and prevent attacks through a state-of-the-art detection and alerting system. BluSapphire Elite’s use of AI and ML helped it detect suspicious activity through its dynamic assessment and understanding of user behavior.
The BluSapphire Elite solution uses multiple indicators of compromise in a system to report anomalies. Through its advanced approach and an agentless platform, the solution is able to detect and neutralize threats before they can deal any damage to the system.
Monitoring
The BluSapphire platform uses proactive threat hunting to constantly keep an eye on the system without the requirement of a human agent keeping an eye on the system to detect oncoming threats. Further, the platform uses advanced UEBA, next-gen SIEM, and threat intelligence to keep a record of all events that transpire within a system at all times.
Detection
When perpetrators attempt to breach the system or install unauthorized files, the Elite platform automatically detects such anomalies based on past user behavior. Further, its SIEM capabilities use such events to create logs and alerts in order to help organizations realize that a threat actor is attempting to breach the system.
The malware, which uses a series of drivers and files to wipe data on the target system, is detected by the BluSapphire platform as soon as any unusual installations are detected within the system. Further, since the malware requires privileges to execute its wiping function, the Elite platform detects unauthorized user behavior when the privileges are exchanged with the malware and raises an alert.
Reporting
The platform ensures that the organization is able to act on the threat in due time. Since even the smallest of delays in dealing with a cybersecurity issue can wreak havoc on a system, the Elite platform ensures that as soon as an anomaly is detected within the system, the cybersecurity team at an organization is alerted.
A primary concern, however, is the case of false alarms in such an environment which can often drown out key information. The platform circumvents this by using AI and ML, and working with evolving models that help it identify true threats with high accuracy.
Key Outcomes with BluSapphire Elite
- The BluSapphire Elite platform helps organizations converge multiple data sources and helps improve visibility across the network, system, infrastructure, and more. Further, it leverages analytics to provide a holistic view of the entire cybersecurity ecosystem of the organization through a single platform.
- The platform allows organizations to detect and act on threats almost instantly, generally under 3 minutes from attempt even for the most advanced of attacks.
- The AI and ML capabilities of the platform help organizations eliminate human error from the system and improve accuracy in detection and response. This further enables quicker action and remediation of the threat.
For more details about the platform, visit the BluSapphire Elite solution page.