{
	"id": "e28b2275-1283-45d1-8493-007a674dbf26",
	"created_at": "2026-04-06T00:08:39.727901Z",
	"updated_at": "2026-04-10T03:30:33.524935Z",
	"deleted_at": null,
	"sha1_hash": "1bc3116477053320d8ff7afe140245f5c6ee39c4",
	"title": "Targeted Destructive Malware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 94505,
	"plain_text": "Targeted Destructive Malware | CISA\r\nPublished: 2020-01-03 · Archived: 2026-04-05 19:05:30 UTC\r\nSystems Affected\r\nMicrosoft Windows\r\nOverview\r\nUS-CERT was recently notified by a trusted third party of cyber threat actors using a Server Message Block (SMB) Worm\r\nTool to conduct cyber exploitation activities recently targeting a major entertainment company. This SMB Worm Tool is\r\nequipped with a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target\r\nCleaning Tool.\r\nSMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects\r\nhome every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to\r\nother Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2. There are two main\r\nthreads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread\r\nattempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and a file is\r\ncopied to and run on the newly infected host.\r\nListening Implant: During installation of this tool, a portion of the binaries is decrypted using AES, with a key derived from\r\nthe phrase \"National Football League.\" Additionally, this implant listens for connections on TCP port 195 (for \"sensvc.exe\"\r\nand \"msensvc.exe\") and TCP port 444 (for \"netcfg.dll\"). Each message sent to and from this implant is preceded with its\r\nlength, then XOR encoded with the byte 0x1F. Upon initial connection, the victim sends the string \"HTTP/1.1 GET /dns?\\x00.\"\r\nThe controller then responds with the string \"200 www.yahoo.com!\\x00\" (for \"sensvc.exe\" and \"msensvc.exe\") or\r\nwith the string \"RESPONSE 200 OK!!\" (for \"netcfg.dll\"). The controller sends the byte \"!\" (0x21) to end the network\r\nconnection. 
This special message is neither length-prefixed nor XOR encoded.\r\nLightweight Backdoor: This is a backdoor listener that is designed as a service DLL. It includes functionality such as file\r\ntransfer, system survey, process manipulation, file time matching and proxy capability. The listener can also perform\r\narbitrary code execution and execute commands on the command line. This tool includes functionality to open ports in a\r\nvictim host's firewall and take advantage of Universal Plug and Play (UPnP) mechanisms to discover routers and gateway\r\ndevices, and add port mappings, allowing inbound connections to victim hosts on Network Address Translated (NAT)\r\nprivate networks. There are no callback domains associated with this malware since connections are inbound only on a\r\nspecified port number.\r\nProxy Tool: Implants in this malware family are typically loaded via a dropper installed as a service, then configured to\r\nlisten on TCP port 443. The implant may have an associated configuration file which can contain a configurable port. This\r\nproxy tool has basic backdoor functionality, including the ability to fingerprint the victim machine, run remote commands,\r\nperform directory listings, perform process listings, and transfer files.\r\nDestructive Hard Drive Tool: This tool is a tailored hard-drive wiping tool that is intended to destroy data past the point of\r\nrecovery and to complicate the victim machine’s recovery. If the CNE operator has administrator-level privileges on the\r\nhost, the program will overwrite portions of up to the first four physical drives attached, and overwrite the master boot\r\nrecord (MBR) with a program designed to cause further damage when the machine is rebooted. 
This results in the\r\nvictim machine being non-operational with irrecoverable data. (There is a caveat for machines running the Windows 7\r\noperating system: Windows 7 machines will continue to operate in a degraded state with the targeted files destroyed until\r\nthe next reboot, at which point the infected MBR wipes the drive.) If the actor has user-level access, specific\r\nfiles are deleted and practically irrecoverable, but the victim machine remains usable.\r\nDestructive Target Cleaning Tool: This tool renders victim machines inoperable by overwriting the Master Boot Record. The\r\ntool is dropped and installed by another executable and consists of three parts: an executable and a DLL which contain the\r\ndestructive components, and an encoded command file that contains the actual destruction commands to be executed.\r\nNetwork Propagation Wiper: The malware has the ability to propagate throughout the target network via built-in Windows\r\nshares. Based on the username/password provided in the configuration file and the hostname/IP address of target systems,\r\nthe malware will access remote network shares in order to upload a copy of the wiper and begin the wiping process on these\r\nremote systems. The malware uses several methods to access shares on the remote systems to begin wiping files. It checks\r\nfor existing shares via “\\\\hostname\\admin$\\system32” and “\\\\hostname\\shared$\\system32”, or creates a new share with “cmd.exe\r\n/q /c net share shared$=%SystemRoot% /GRANT:everyone, FULL”. Once successful, the malware uploads a copy of the\r\nwiper file “taskhostXX.exe”, changes the file-time to match that of the built-in file “calc.exe”, and starts the remote process.\r\nThe remote process is started via the command “cmd.exe /c wmic.exe /node:hostname /user:username /password:pass\r\nPROCESS CALL CREATE”. The hostname, username, and password are obtained from the configuration file. 
Afterwards,\r\nthe remote network share is removed via “cmd.exe /q /c net share shared$ /delete”. Once the wiper has been uploaded, the\r\nmalware reports its status back to one of the four C2 IP addresses.\r\nhttps://www.us-cert.gov/ncas/alerts/TA14-353A\r\nPage 1 of 16\n\nTechnical and strategic mitigation recommendations are included in the Solution section below.\r\nUS-CERT recommends reviewing the Security Tip Handling Destructive Malware #ST13-003.\r\nCyber threat actors are using an SMB worm to conduct cyber exploitation activities. This tool contains five components – a\r\nlistening implant, lightweight backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool.\r\nThe SMB worm propagates throughout an infected network via brute-force authentication attacks, and connects to a C2\r\ninfrastructure.\r\nImpact\r\nDue to the highly destructive functionality of this malware, an infected organization could experience operational impacts\r\nincluding loss of intellectual property and disruption of critical systems.\r\nSolution\r\nUsers and administrators are recommended to take the following preventive measures to protect their computer networks:\r\nUse and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most\r\nknown viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for\r\nmore information).\r\nKeep your operating system and application software up-to-date – Install software patches so that attackers can't take\r\nadvantage of known problems or vulnerabilities. Many operating systems offer automatic updates. 
If this option is\r\navailable, you should enable it (see Understanding Patches for more information).\r\nReview Security Tip Handling Destructive Malware #ST13-003 and evaluate their capabilities encompassing\r\nplanning, preparation, detection, and response for such an event.\r\nReview Recommended Practices for Control Systems, and Improving Industrial Control Systems Cybersecurity with\r\nDefense-in-Depth Strategies (pdf).\r\nThe following is a list of the Indicators of Compromise (IOCs) that can be added to network security solutions to determine\r\nwhether they are present on a network.\r\nName: d1c27ee7ce18675974edf42d4eea25c6.bin\r\nSize: 268579 bytes (268.6 KB)\r\nMD5: D1C27EE7CE18675974EDF42D4EEA25C6\r\nPE Compile Time: 2014-11-22 00:06:54\r\nThe malware has the following characteristics:\r\nWhile the original filename of this file is unknown, it was likely “diskpartmg16.exe”. This file serves as a dropper. It drops\r\ndestructive malware: “igfxtrayex.exe”. When the dropper file was executed, it started a second instance of itself with “-i” as\r\nan argument, and then terminated. 
The second instance of the dropper file installed itself as the “WinsSchMgmt” service\r\nwith “-k” as a command-line argument, started the service, and then terminated. The “WinsSchMgmt” service executed the\r\nfile with “-k” as an argument, which started another instance of the file using “-s” as an argument. The “-s” instance dropped\r\nand executed “igfxtrayex.exe”, created “net_ver.dat”, and began generating network traffic over TCP ports 445 and 139 to\r\nvictim IP addresses.\r\nName: net_ver.dat\r\nSize: 4572 bytes (4.6 KB) (size will vary)\r\nMD5: 93BC819011B2B3DA8487F964F29EB934 (hash will vary)\r\nThis is a log file created by the dropper and appended to as the scans progress. It contains what appear to be hostnames, IP\r\naddresses, and the number 2. Entries in the file have the structure “HOSTNAME | IP Address | 2”.\r\nName: igfxtrayex.exe\r\nSize: 249856 bytes (249.9 KB)\r\nMD5: 760C35A80D758F032D02CF4DB12D3E55\r\nPE Compile Time: 2014-11-24 04:11:08\r\nThis file is destructive malware: a disk wiper with network beacon capabilities. If “igfxtrayex.exe” is run with no\r\nparameters, it creates and starts a copy of itself with the “-i” argument. After 10 minutes, “igfxtrayex.exe” makes three\r\ncopies of itself and places them in the same directory from which it was executed. These copies are named according to the\r\nformat “taskhostXX.exe” (where each X is a randomly generated ASCII character). These copies are then executed, each with a\r\ndifferent argument (one being “-m”, one being “-d” and the other “-w”). Network connection attempts are made to one of\r\nthree hard-coded IP addresses in a random order on port 8080 or 8000. If a connection to the IP address cannot be made, it\r\nattempts to connect to another of the three IP addresses, until connections to all three IP addresses have been attempted. The\r\nfollowing command-line string is then executed: “cmd.exe /c net stop MSExchangeIS /y”. 
A 120-minute (2-hour) sleep\r\ncommand is issued, after which the computer is shut down and rebooted.\r\nName: iissvr.exe\r\nSize: 114688 bytes (114.7 KB)\r\nMD5: E1864A55D5CCB76AF4BF7A0AE16279BA\r\nPE Compile Time: 2014-11-13 02:05:35\r\nThis file, when executed, starts a listener on localhost port 80. It contains three files in its resource section, all XOR-encoded with\r\n0x63.\r\nName: usbdrv3_32bit.sys\r\nSize: 24280 bytes (24.3 KB)\r\nMD5: 6AEAC618E29980B69721158044C2E544\r\nPE Compile Time: 2009-08-21 06:05:32\r\nThis SYS file is a commercially available tool that allows read/write access to files and raw disk sectors for user mode\r\napplications in Windows 2000, XP, 2003, Vista, 2008 (32-bit). It is dropped from resource ID 0x81 of “igfxtrayex.exe”.\r\nName: usbdrv3_64bit.sys\r\nSize: 28120 bytes (28.1 KB)\r\nMD5: 86E212B7FC20FC406C692400294073FF\r\nPE Compile Time: 2009-08-21 06:05:35\r\nThis SYS file is also a commercially available tool that allows read/write access to files and raw disk sectors for user mode\r\napplications in Windows 2000, XP, 2003, Vista, 2008 (64-bit). 
It is dropped from resource ID 0x83 of “igfxtrayex.exe”.\r\nName: igfxtpers.exe\r\nSize: 91888 bytes (91.9 KB)\r\nMD5: e904bf93403c0fb08b9683a9e858c73e\r\nPE Compile Time: 2014-07-07 08:01:09\r\nA summary of the C2 IP addresses:\r\nIP Address | Country | Port | Filename\r\n203.131.222.102 | Thailand | 8080 | Diskpartmg16.exe, igfxtrayex.exe, igfxtpers.exe\r\n217.96.33.164 | Poland | 8000 | Diskpartmg16.exe, igfxtrayex.exe\r\n88.53.215.64 | Italy | 8000 | Diskpartmg16.exe, igfxtrayex.exe\r\n200.87.126.116 | Bolivia | 8000 | --\r\n58.185.154.99 | Singapore | 8080 | --\r\n212.31.102.100 | Cyprus | 8080 | --\r\n208.105.226.235 | United States | -- | igfxtpers.exe\r\nSnort signatures:\r\nSMB Worm Tool (not necessarily the tool itself):\r\nalert tcp any any -\u003e any any (msg:\"Wiper 1\"; sid:42000001; rev:1; flow:established; content:\"|be 64 ba f2 a8 64|\"; depth:6; offset:16; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any any (msg:\"Wiper 2\"; sid:42000002; rev:1; flow:established; content:\"|c9 06 d9 96 fc 37 23 5a fe f9 40 ba 4c 94 14 98|\"; depth:16; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any any (msg:\"Wiper 3\"; sid:42000003; rev:1; flow:established; content:\"|aa 64 ba f2 56|\"; depth:50; classtype:bad-unknown;)\r\nalert ip any any -\u003e any any (msg:\"Wiper 4\"; sid:42000004; rev:1; content:\"|aa 74 ba f2 b9 75|\"; depth:74; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any [8000,8080] (msg:\"Wiper 5\"; sid:42000005; rev:1; flow:established,to_server; dsize:42; byte_test:2,=,40,0,little; content:\"|04 00 00 00|\"; depth:4; offset:38; classtype:bad-unknown;)\r\nListening Implant:\r\nalert tcp any any -\u003e any any (msg:\"Listening Implant 1\"; sid:42000006; rev:1; flow:established; content:\"|0c 1f 1f 1f 4d 5a 4c 4f 50 51 4c 5a 3f 2d 2f 2f 3f 50 54 3e 3e 3e|\"; depth:22; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any any (msg:\"Listening Implant 2\"; sid:42000007; 
rev:1; flow:established; content:\"|d3 c4 d2 d1 ce cf d2 c4 a1 b3 b1 b1 a1 ce ca a0 a0 a0|\"; depth:18; classtype:bad-unknown;)\r\nalert ip any any -\u003e any any (msg:\"Listening Implant 3\"; sid:42000008; rev:1; content:\"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78 47 47|\"; depth:24; classtype:bad-unknown;)\r\nalert ip any any -\u003e any any (msg:\"Listening Implant 4\"; sid:42000009; rev:1; content:\"|4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20 1f|\"; depth:23; classtype:bad-unknown;)\r\nalert ip any any -\u003e any any (msg:\"Listening Implant 5\"; sid:42000010; rev:1; content:\"|15 02 14 17 08 09 14 02 67 75 77 77 67 08 0c 66 66 66|\"; depth:22; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any any (msg:\"Listening Implant 6\"; sid:42000011; rev:1; flow:established; content:\"|09 22 33 30 28 35 2c|\"; fast_pattern:only; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any any (msg:\"Listening Implant 7\"; sid:42000012; rev:1; flow:established; content:\"|13 2f 22 35 22 67 26 35 22 29 27 33 67 28 37 22 29 67 37 28 35 33 34 69|\"; fast_pattern:only; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any any (msg:\"Listening Implant 8\"; sid:42000013; rev:1; flow:established; content:\"|43 47 47 47 45 67 47 47 43 47 47 47 44 67 47 47|\"; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any any (msg:\"Listening Implant 9\"; sid:42000014; rev:1; flow:established; content:\"|43 47 47 47 42 67 47 47 43 47 47 47 4f 67 47 47 43 47 47 47 43 67 47 47 43 47 47 47 4e 67 47 47|\"; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any any (msg:\"Listening Implant 10\"; sid:42000015; rev:1; flow:established; content:\"|d1 ce d2 d5 a1 c9 d5 d5 d1 a1 d3 c4 d0 d4 c4 d2 d5 be|\"; depth:18; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any any (msg:\"Listening Implant 11\"; sid:42000016; rev:1; flow:established; content:\"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78|\"; depth:18; 
classtype:bad-unknown;)\r\nalert tcp any any -\u003e any any (msg:\"Listening Implant 12\"; sid:42000017; rev:1; flow:established; content:\"|0c 1f 1f 1f 4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20|\"; classtype:bad-unknown;)\r\nLightweight Backdoor:\r\nalert tcp any 488 -\u003e any any (msg:\"Lightweight Backdoor 1\"; sid:42000018; rev:1; flow:established,from_server; content:\"|60 db 37 37 37 37 37 37|\"; fast_pattern:only; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any 488 (msg:\"Lightweight Backdoor 2\"; sid:42000019; rev:1; flow:established,to_server; content:\"|60 db 37 37 37 37 37 37|\"; fast_pattern:only; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any any (msg:\"Lightweight Backdoor 3\"; sid:42000020; rev:1; flow:established; content:\"|4c 4c|\"; depth:2; offset:16; content:\"|75 14 2a 2a|\"; distance:4; within:4; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any any (msg:\"Lightweight Backdoor 4\"; sid:42000021; rev:1; flow:established; content:\"|8a 10 80 c2 67 80 f2 24 88 10|\"; fast_pattern:only; content:\"|8a 10 80 f2 24 80 ea 67 88 10|\"; classtype:bad-unknown;)\r\nalert tcp any 488 -\u003e any any (msg:\"Lightweight Backdoor 5\"; sid:42000022; rev:1; flow:established,from_server; content:\"|65 db 37 37 37 37 37 37|\"; fast_pattern:only; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any 488 (msg:\"Lightweight Backdoor 6\"; sid:42000023; rev:1; flow:established,to_server; content:\"|65 db 37 37 37 37 37 37|\"; fast_pattern:only; classtype:bad-unknown;)\r\nalert tcp any [547,8080,133,117,189,159] -\u003e any any (msg:\"Lightweight Backdoor 7\"; sid:42000024; rev:1; flow:established,from_server; content:\"|7b 08 2a 2a|\"; offset:17; content:\"|08 2a 2a 01 00|\"; distance:0; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any any (msg:\"Lightweight Backdoor 8\"; sid:42000025; rev:1; flow:established; content:\"|8a 10 80 ea 62 80 f2 b4 88 10|\"; fast_pattern:only; content:\"|8a 10 80 f2 b4 80 c2 62 88 10|\"; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any any (msg:\"Lightweight Backdoor 9\"; sid:42000026; rev:1; flow:established; content:\"|8a 10 80 c2 4e 80 f2 79 88 10|\"; fast_pattern:only; content:\"|8a 10 80 f2 79 80 ea 4e 88 10|\"; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any any (msg:\"Lightweight Backdoor 10\"; sid:42000027; rev:1; flow:established; content:\"Sleepy!@#qaz13402scvsde890\"; fast_pattern:only; content:\"BC435@PRO62384923412!@3!\"; nocase; classtype:bad-unknown;)\r\nProxy Tool:\r\nalert tcp any any -\u003e any any (msg:\"Proxy Tool 1\"; sid:42000028; rev:1; flow:established; content:\"|8a 10 80 c2 3a 80 f2 73 88 10|\"; fast_pattern:only; content:\"|8a 10 80 f2 73 80 ea 3a 88 10|\"; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any any (msg:\"Proxy Tool 2\"; sid:42000029; rev:1; flow:established; content:!\"HTTP/1\"; content:\"|e2 1d 49 49|\"; depth:4; fast_pattern; content:\"|49 49 49 49|\"; distance:4; within:4; classtype:bad-unknown;)\r\nalert tcp any any -\u003e any any (msg:\"Proxy Tool 3\"; sid:42000030; rev:1; flow:established; content:\"|82 f4 de d4 d3 c2 ca f5 c8 c8 d3 82 fb f4 de d4 d3 c2 ca 94 95 fb d4 d1 c4 cf c8 d4 d3 89 c2 df c2 87 8a cc 87 00|\"; fast_pattern:only; classtype:bad-unknown;)\r\nMalware associated with the cyber threat actor:\r\nalert tcp any any -\u003e any [8000,8080] (msg:\"WIPER4\"; flow:established,to_server; dsize:42; content:\"|28 00|\"; depth:2; content:\"|04 00 00 00|\"; offset:38; depth:4; sid:123;)\r\nHost Based Indicators\r\nBelow are potential YARA signatures to detect malware binaries on host machines:\r\nrule SMB_Worm_Tool\r\n{\r\n    strings:\r\n        $STR1 = \"Global\\\\FwtSqmSession106829323_S-1-5-19\"\r\n        $STR2 = \"EVERYONE\"\r\n        $STR3 = \"y0uar3@s!llyid!07,ou74n60u7f001\"\r\n        $STR4 = \"\\\\KB25468.dat\"\r\n    condition:\r\n        ( 
uint16(0) == 0x5A4D or\r\n          uint16(0) == 0xCFD0 or\r\n          uint16(0) == 0xC3D4 or\r\n          uint32(0) == 0x46445025 or\r\n          uint32(1) == 0x6674725C)\r\n        and all of them\r\n}\r\nrule Lightweight_Backdoor1\r\n{\r\n    strings:\r\n        $STR1 = \"NetMgStart\"\r\n        $STR2 = \"Netmgmt.srg\"\r\n    condition:\r\n        (uint16(0) == 0x5A4D) and all of them\r\n}\r\nrule LightweightBackdoor2\r\n{\r\n    strings:\r\n        $STR1 = \"prxTroy\" ascii wide nocase\r\n    condition:\r\n        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) ==\r\n0x6674725C) and all of them\r\n}\r\nrule LightweightBackdoor3\r\n{\r\n    strings:\r\n        $STR1 = { C6 45 E8 64 C6 45 E9 61 C6 45 EA 79 C6 45 EB 69 C6 45 EC 70 C6 45 ED 6D C6 45 EE 72 C6 45 EF\r\n2E C6 45 F0 74 C6 45 F1 62 C6 45 F2 6C } // 'dayipmr.tbl' being moved to ebp\r\n    condition:\r\n        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) ==\r\n0x6674725C) and all of them\r\n}\r\nrule LightweightBackdoor4\r\n{\r\n    strings:\r\n        $STR1 = { C6 45 F4 61 C6 45 F5 6E C6 45 F6 73 C6 45 F7 69 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 }\r\n// 'ansi.nls' being moved to ebp\r\n    condition:\r\n        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) ==\r\n0x6674725C) and all of them\r\n}\r\nrule LightweightBackdoor5\r\n{\r\n    strings:\r\n        $STR1 = { C6 45 F4 74 C6 45 F5 6C C6 45 F6 76 C6 45 F7 63 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 }\r\n// 'tlvc.nls' being moved to ebp\r\n    condition:\r\n        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) ==\r\n0x6674725C) and all of them\r\n}\r\nrule LightweightBackdoor6\r\n{\r\n    
strings:\r\n        $STR1 = { 8A 10 80 ?? 4E 80 ?? 79 88 10 }\r\n        $STR2 = { 8A 10 80 ?? 79 80 ?? 4E 88 10 }\r\n    condition:\r\n        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) ==\r\n0x6674725C) and all of them\r\n}\r\nrule ProxyTool1\r\n{\r\n    strings:\r\n        $STR1 = \"pmsconfig.msi\" wide\r\n        $STR2 = \"pmslog.msi\" wide\r\n    condition:\r\n        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) ==\r\n0x6674725C) and any of them\r\n}\r\nrule ProxyTool2\r\n{\r\n    strings:\r\n        $STR1 = { 82 F4 DE D4 D3 C2 CA F5 C8 C8 D3 82 FB F4 DE D4 D3 C2 CA 94 95 FB D4 D1 C4 CF C8 D4 D3 89 C2\r\nDF C2 87 8A CC 87 00 } // '%SystemRoot%\\System32\\svchost.exe -k' xor A7\r\n    condition:\r\n        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) ==\r\n0x6674725C) and all of them\r\n}\r\nrule ProxyTool3\r\n{\r\n    strings:\r\n        $STR2 = { 8A 04 17 8B FB 34 A7 46 88 02 83 C9 FF }\r\n    condition:\r\n        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) ==\r\n0x6674725C) and $STR2\r\n}\r\nrule DestructiveHardDriveTool1\r\n{\r\n    strings:\r\n        $str0 = \"MZ\"\r\n        $str1 = {c6 84 24 ?? 
( 00 | 01 ) 00 00 }\r\n        $xorInLoop = { 83 EC 20 B9 08 00 00 00 33 D2 56 8B 74 24 30 57 8D 7C 24 08 F3 A5 8B 7C 24 30 85 FF 7E 3A 8B\r\n74 24 2C 8A 44 24 08 53 8A 4C 24 21 8A 5C 24 2B 32 C1 8A 0C 32 32 C3 32 C8 88 0C 32 B9 1E 00 00 00 8A 5C 0C 0C\r\n88 5C 0C 0D 49 83 F9 FF 7F F2 42 88 44 24 0C 3B D7 7C D0 5B 5F 5E 83 C4 20 C3 }\r\n    condition:\r\n        $str0 at 0 and $xorInLoop and #str1 \u003e 300\r\n}\r\nrule DestructiveTargetCleaningTool1\r\n{\r\n    strings:\r\n        $s1 = {d3000000 [4] 2c000000 [12] 95000000 [4] 6a000000 [8] 07000000}\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them\r\n}\r\nrule DestructiveTargetCleaningTool2\r\n{\r\n    strings:\r\n        $secureWipe = { 83 EC 34 53 55 8B 6C 24 40 56 57 83 CE FF 55 C7 44 24 2C D3 00 00 00 C7 44 24 30 2C 00 00 00\r\n89 74 24 34 89 74 24 38 C7 44 24 3C 95 00 00 00 C7 44 24 40 6A 00 00 00 89 74 24 44 C7 44 24 14 07 00 00 00 FF 15 ??\r\n?? ?? ?? 3B C6 89 44 24 1C 0F 84 (D8 | d9) 01 00 00 33 FF 68 00 00 01 00 57 FF 15 ?? ?? ?? ?? 8B D8 3B DF 89 5C 24 14\r\n0F 84 (BC | BD) 01 00 00 8B 44 24 1C A8 01 74 0A 24 FE 50 55 FF 15 ?? ?? ?? ?? 8B 44 24 4C 2B C7 74 20 48 74 0F 83\r\nE8 02 75 1C C7 44 24 10 03 00 00 00 EB 12 C7 44 24 10 01 00 00 00 89 74 24 28 EB 04 89 7C 24 10 8B 44 24 10 89 7C\r\n24 1C 3B C7 0F 8E ( 5C | 5d ) 01 00 00 8D 44 24 28 89 44 24 4C EB 03 83 CE FF 8B 4C 24 4C 8B 01 3B C6 74 17 8A D0\r\nB9 00 40 00 00 8A F2 8B FB 8B C2 C1 E0 10 66 8B C2 F3 AB EB ( 13 | 14) 33 F6 (E8 | ff 15) ?? ?? ?? ?? 88 04 1E 46 81\r\nFE 00 00 01 00 7C ( EF | ee) 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 C0 55 FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 0F 84\r\nFA 00 00 00 8D 44 24 20 50 56 FF 15 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 6A 02 6A 00 6A FF 56 FF D5 8D 4C 24 18 6A 00 51\r\n6A 01 53 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 
6A 00 6A 00 6A 00 56 FF D5 8B 44 24 24 8B 54 24 20 33 FF 33 DB 85\r\nC0 7C 5A   7F 0A 85 D2 76 54 EB 04 8B 54 24 20 8B CA BD 00 00 01 00 2B CF 1B C3 85 C0 7F 0A 7C 04 3B CD 73 04\r\n2B D7 8B EA 8B 44 24 14 8D 54 24 18 6A 00 52 55 50 56 FF 15 ?? ?? ?? ?? 8B 6C 24 18 8B 44 24 24 03 FD 83 D3 00 3B\r\nD8 7C BE 7F 08 8B 54 24 20 3B FA 72 B8 8B 2D ?? ?? ?? ?? 8B 5C 24 10 8B 7C 24 1C 8D 4B FF 3B F9 75 17 56 FF 15\r\n?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 4C 24 4C 8B 6C\r\n24 48 47 83 C1 04 3B FB 8B 5C 24 14 89 7C 24 1C 89 4C 24 4C 0F 8C ( AE | AD) FE FF FF 6A 00 55 E8 ?? ?? ?? ?? 83\r\nC4 08 53 FF 15 ?? ?? ?? ?? 5F 5E 5D 5B 83 C4 34 C3 }\r\n         condition:\r\n        $secureWipe\r\n}\r\nrule DestructiveTargetCleaningTool3\r\n{\r\n         strings:\r\n        $S1_CMD_Arg = \"/install\" fullword\r\n        $S2_CMD_Parse= \"\\\"%s\\\"  /install \\\"%s\\\"\" fullword\r\n        $S3_CMD_Builder= \"\\\"%s\\\"  \\\"%s\\\" \\\"%s\\\" %s\" fullword\r\n         condition:\r\n        all of them\r\n}\r\nrule DestructiveTargetCleaningTool4\r\n{\r\n    strings:\r\n        $BATCH_SCRIPT_LN1_0 = \"goto x\" fullword\r\n        $BATCH_SCRIPT_LN1_1 = \"del\" fullword\r\n        $BATCH_SCRIPT_LN2_0 = \"if exist\" fullword\r\n        $BATCH_SCRIPT_LN3_0 = \":x\" fullword\r\n        $BATCH_SCRIPT_LN4_0 = \"zz%d.bat\" fullword\r\n         condition:\r\n        (#BATCH_SCRIPT_LN1_1 == 2) and all of them\r\n}\r\nrule DestructiveTargetCleaningTool5\r\n{\r\n    strings:\r\n        $MCU_DLL_ZLIB_COMPRESSED2 = { 5C EC AB AE 81 3C C9 BC D5 A5 42 F4 54 91 04 28 34 34 79 80 6F 71\r\nD5 52 1E 2A 0D }\r\n         condition:\r\n        $MCU_DLL_ZLIB_COMPRESSED2\r\n}\r\nrule DestructiveTargetCleaningTool6\r\n{\r\n    strings:\r\n        $MCU_INF_StartHexDec 
=\r\n{010346080A30D63633000B6263750A5052322A00103D1B570A30E67F2A00130952690A503A0D2A000E00A26E15104556766572636C7669642E6\r\n        $MCU_INF_StartHexEnc =\r\n{6C3272386958BF075230780A0A54676166024968790C7A6779588F5E47312739310163615B3D59686721CF5F2120263E1F5413531F1E004543544C\r\n         condition:\r\n        $MCU_INF_StartHexEnc or $MCU_INF_StartHexDec\r\n}\r\nrule DestructiveTargetCleaningTool7\r\n{\r\n    strings:\r\n        $a = \"SetFilePointer\"\r\n        $b = \"SetEndOfFile\"\r\n        $c = {75 17 56 ff 15 ?? ?? ?? ?? 6a 00 6a 00 6a 00 56 ff D5 56 ff 15 ?? ?? ?? ?? 56}\r\n         condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them\r\n}\r\nrule DestructiveTargetCleaningTool8\r\n{\r\n    strings:\r\n        $license =\r\n{E903FFFF820050006F007200740069006F006E007300200063006F007000790072006900670068007400200052006F006200650072007400200064006\r\n        $PuTTY= {50007500540054005900}\r\n         condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $license and not $PuTTY\r\n}\r\nrule Malwareusedbycyberthreatactor1\r\n{\r\n    strings:\r\n        $heapCreateFunction_0 = {33C06A003944240868001000000F94C050FF15????????85C0A3???????\r\n07436E893FEFFFF83F803A3???????0750D68F8030000E8??00000059EB0A83F8027518E8????\r\n000085C0750FFF35???????0FF15???????033C0C36A0158C3}\r\n        $heapCreateFunction = { 55 8B EC B8 2C 12 00 00 E8 ?? ?? FF FF 8D 85 68 FF FF FF 53 50 C7 85 68 FF FF\r\nFF 94 00 00 00 FF 1? ?? ?? ?? ?0 85 C0 74 1A 83 BD 78 FF FF FF 02 75 11 83 BD 6C FF FF FF 05 72 08 6A 01 58 E9 02\r\n01 00 00 8D 85 D4 ED FF F6 89 01 00 00 05 06 8? ?? ?? ?? 0F F1 5? ?? ?? ?? 08 5C 00 F8 4D 00 00 00 03 3D B8 D8 DD\r\n4E DF FF F3 89 DD DF FF F7 41 38 A0 13 C6 17 C0 83 C7 A7 F0 42 C2 08 80 14 13 81 97 5E D8 D8 5D 4E DF FF F6\r\nA1 65 06 8? ?? ?? ?? 0E 8? ?? 
?0 00 08 3C 40 C8 5C 07 50 88 D8 5D 4E DF FF FE B4 98 D8 56 4F EF FF F6 80 40 10 00\r\n05 05 3F F1 5? ?? ?? ?? 03 89 D6 4F EF FF F8 D8 D6 4F EF FF F7 41 38 A0 13 C6 17 C0 83 C7 A7 F0 42 C2 08 80 14 13\r\n81 97 5E D8 D8 56 4F EF FF F5 08 D8 5D 4E DF FF F5 0E 8? ?? ?? ?? ?5 95 93 BC 37 43 E6 A2 C5 0E 8? ?? ?? ?? ?5 93\r\nBC 35 97 43 04 08 BC 83 81 87 40 E8 03 93 B7 50 48 81 9E B0 14 13 81 97 5F 26 A0 A5 35 0E 8? ?? ?0 00 08 3C 40 C8\r\n3F 80 27 41 D8 3F 80 37 41 88 3F 80 17 41 38 D4 5F C5 0E 89 8F EF FF F8 07 DF C0 65 91 BC 08 3C 00 35 BC 9C}\r\n                 $getMajorMinorLinker = {568B7424086A00832600FF15???????\r\n06681384D5A75148B483C85C9740D03C18A481A880E8A401B8846015EC3}\r\n        $openServiceManager = {FF15???0?0?08B?885??74????????????????5?FF15???0?0?08B?????0?0?08BF?85F?74}\r\n         condition:\r\n             all of them\r\n}\r\nrule Malwareusedbycyberthreatactor2\r\n{\r\n    strings:\r\n        $str1 = \"_quit\"\r\n        $str2 = \"_exe\"\r\n        $str3 = \"_put\"\r\n        $str4 = \"_got\"\r\n        $str5 = \"_get\"\r\n        $str6 =\"_del\"\r\n        $str7 = \"_dir\"\r\n        $str8 = { C7 44 24 18 1F F7}\r\n         condition:\r\n        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0  or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) ==\r\n0x6674725C) and all of them\r\n}\r\nrule Malwareusedbycyberthreatactor3\r\n{\r\n    strings:\r\n        $STR1 = { 50 68 80 00 00 00 68 FF FF 00 00 51 C7 44 24 1C 3a 8b 00 00 }\r\n         condition:\r\n        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) ==\r\n0x6674725C) and all of them\r\n}\r\nRecommended Security Practices\r\nBecause of the highly destructive functionality of the malware, an organization infected with the malware could experience\r\noperational impacts including loss of intellectual property (IP) and disruption of critical systems. 
Actual impact to organizations may vary depending on the type and number of systems impacted.\r\nTactical Mitigations\r\nImplement the indicators of compromise within your systems for detection and mitigation purposes.\r\nEncourage users to transfer critical files to network shares, to allow for central backup.\r\nExecute daily backups of all critical systems.\r\nPeriodically execute an “offline” backup of critical files to removable media.\r\nEstablish emergency communications plans should network resources become unavailable.\r\nIsolate any critical networks (including operations networks) from business systems.\r\nIdentify critical systems and evaluate the need for having on-hand spares to quickly restore service.\r\nEnsure antivirus is up to date.\r\n
Disable credential caching for all desktop devices, with particular importance on critical systems such as servers, and restrict the number of cached credentials for all portable devices to no more than three if possible. This can be accomplished through a Group Policy Object (GPO).\r\nDisable AutoRun and AutoPlay for any removable media device.\r\nPrevent or limit the use of all removable media devices on systems to limit the spread or introduction of malicious software and possible data exfiltration, except where there is a valid business case for use. This business case must be approved by the organization's Chief IT Security Officer, with policy/guidance on how such media should be used.\r\n
Consider restricting account privileges. It is our recommendation that all daily operations be executed using standard user accounts unless administrative privileges are required for that specific function. Configure all standard user accounts to prevent the execution and installation of any unknown or unauthorized software. Both standard and administrative accounts should have access only to services required for nominal daily duties, enforcing the concept of separation of duties. Lastly, disable Web and email capabilities on administrative accounts. Compromise of admin accounts is one vector that allows malicious activity to become truly persistent in a network environment.\r\nEnsure that password policy rules are enforced and administrator passwords are changed periodically.\r\n
Consider prohibiting hosts within the production environment or DMZ from sharing an Active Directory enterprise with hosts on other networks. Each environment should have separate forests within Active Directory, with no trust relationships allowed between the forests if at all possible. If necessary, the trust relationships should be one-way, with the low-integrity environment trusting the higher-integrity environment.\r\n
Consider deployment of a coaching page with click-through acceptance; these are traditionally deployed in an environment to log the acceptance of a network acceptable use policy or to notify users of monitoring. Coaching pages also provide some measure of protection from automated malicious activity, because automated malware is normally incapable of physically clicking an acceptance radio button. Automated malware is traditionally hardcoded to execute, then retrieve commands or additional executables from the Internet. If the malware is unable to initiate an active connection, the full train of infection is potentially halted. The danger still exists that the physical user will authorize access, but through the use of coaching pages, infections can be limited or at least the rate of infection reduced.\r\n
Monitor logs: maintain and actively monitor a centralized logging solution that keeps track of all anomalous and potentially malicious activity.\r\nEnsure that all network operating systems, web browsers, and other related network hardware and software remain updated with all current patches and fixes.\r\nStrategic Mitigations\r\nOrganizations should review Security Tip ST13-003, Handling Destructive Malware, and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.\r\nAlways keep your patch levels up to date, especially on computers that host public services accessible through the firewall, such as HTTP, FTP, mail, and DNS services.\r\nBuild host systems, especially critical systems such as servers, with only the essential applications and components required to perform the intended function. Any unused applications or functions should be removed or disabled, if possible, to limit the attack surface of the host.\r\nImplement network segmentation through VLANs to limit the spread of malware.\r\nConsider the deployment of a Software Restriction Policy set to allow only the execution of approved software (application whitelisting).\r\nRecommend the whitelisting of legitimate executable directories to prevent the execution of potentially malicious binaries.\r\n
Consider the use of two-factor authentication methods for accessing privileged root-level accounts or systems.\r\nConsider deploying two-factor authentication through a hardened IPsec/VPN gateway with split tunneling prohibited for secure remote access.\r\nDeny direct Internet access for enterprise servers and workstations, except through the use of proxies. Perform regular content filtering at the proxies or external firewall points of presence. Also consider the deployment of an explicit versus transparent proxy policy.\r\nImplement a Secure Sockets Layer (SSL) inspection capability to inspect both ingress and egress encrypted network traffic for potential malicious activity.\r\nIsolate network services, such as email and Web application servers, by utilizing a secure multi-tenant virtualization technology. This will limit the damage sustained from a compromise or attack of a single network component.\r\n
Implement best practice guidance and policy to restrict the use of non-Foundation assets for processing or accessing Foundation-controlled data or systems (e.g., working from home, or using a personal device while at the office). It is difficult to enforce corporate policies, detect intrusions, and conduct forensic analysis or remediate compromises on non-corporate owned devices.\r\nMinimize network exposure for all control system devices. Control system devices should not directly face the Internet.\r\nPlace control system networks behind firewalls, and isolate or air gap them from the business network.\r\nWhen remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that a VPN is only as secure as the connected devices.\r\nIndustrial Control System (ICS)-CERT and US-CERT remind organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.\r\n
Revisions\r\nDecember 19, 2014: Initial Release\r\nDecember 24, 2014: Updates to information in the Solutions section.\r\nJanuary 3, 2020: Corrected YARA rules.\r\nSource: https://www.us-cert.gov/ncas/alerts/TA14-353A",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.us-cert.gov/ncas/alerts/TA14-353A"
	],
	"report_names": [
		"TA14-353A"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434119,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1bc3116477053320d8ff7afe140245f5c6ee39c4.pdf",
		"text": "https://archive.orkl.eu/1bc3116477053320d8ff7afe140245f5c6ee39c4.txt",
		"img": "https://archive.orkl.eu/1bc3116477053320d8ff7afe140245f5c6ee39c4.jpg"
	}
}