# Threat Advisory: STRT-TA02 - Destructive Software **[splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html](https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html)** January 27, 2022 By [Splunk Threat Research Team January 27, 2022](https://www.splunk.com/en_us/blog/author/secmrkt-research.html) [The Splunk Threat Research Team is monitoring open channel intelligence and government alerts](https://www.hstoday.us/federal-pages/dhs/cisa-urges-organizations-to-implement-immediate-cybersecurity-measures-to-protect-against-potential-threats/) indicating the possibility of malicious campaigns using destructive software in relation to ongoing geopolitical events. Based on historical data of named geopolitical actors, the use of destructive payloads has been observed in past campaigns. These destructive payloads aim to disable targeted hosts beyond ----- recovery and seek to disrupt, deny, and degrade an organization s technology and services, especially Operational Technology which is the software and hardware directly related to the monitoring and operation of industrial systems (i.e Utilities such as telecommunications, electricity, water, gas, etc). If recent Ransomware campaigns are an indication of the effects malicious campaigns against healthcare, technology, food supply, and gas supply can have in real life (Colonial pipeline outage affected 45% of U.S East Coast fuel supply), then destructive payloads whose sole use is to render hosts unusable should be considered a possibility under the current geopolitical indicators. **The Attack: The focus of this threat advisory is on a recently reported destructive payload by Microsoft** MSTIC under the name of WhisperGate. We break down the different components and functions of how this payload works and provide a series of detections to mitigate and defend against this threat. Although we cannot prevent patient 0, we can, however, measure and recover execution artifacts which if used timely and operationalized as analytics and playbooks can provide analysts a tool to isolate, contain and prevent further damage. Further on, this data may help understand the extent and the TTPs of current and future campaigns where these payloads may be in use. Ransomware is by itself a destructive payload, however, some past campaigns have shown the use of multiple payloads some of them with Ransomware characteristics used as decoys, and others with the same Ransomware characteristics, however, they execute destructive payloads at targeted organizations (i.e Hard disk erasure). ## “WhisperGate” Indicators And Analysis: Stage 1: MBR Wiper This wiper malware contains code that affects the Master Boot Record (MBR) sector of the compromised host. This wiper will try to overwrite or replace the original MBR with the destructive MBR code. The screenshot below shows a code snippet to overwrite the MBR with the malicious master boot record code containing the ransom note. ----- ## Stage2: Discord Downloader ### Delay Of Execution This stage 2 malware contains a possible defense evasion that might bypass AV detection technology like emulation or even sandbox testing that monitors process behavior in a period of time (let say less than 20 sec.). The evasion is achieved by running a base64 encoded powershell that will delay its execution. The screenshot below shows the code it runs twice to sleep for 20 sec. ----- Encoded command ``` Powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA== ``` Decoded command ``` Powershell Start-Sleep -s 10 ### Discord Download ``` After the sleep, Stage 2 will try to download a “.jpg” file in the discord server. The downloaded file is another .net compiled malware which is the stage 3 that is in reverse form. By using a simple python script you can reverse it to make it a valid PE executable. Below is the screenshot of how it downloads the stage 3 malware in the discord server. ## Stage 3: Defense Evasion and Process Injection (File Corrupter) ----- The stage3 is another .net compile malware that will load its resource data to decrypt it, which is the advancedrun.exe and the file corrupter malware. ### Evading Windows Defender AV As soon as the stage3 executes, it will drop advancedrun.exe and a vbscript in %temp% folder to evade Windows Defender AV. The screenshot below shows how “Advacedrun.exe (Nirsoft Tool) was used to disable WinDefender service and remove or delete Windows Defender directory in Programdata folder. ``` “C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe” /EXEFilename “C:\Windows\System32\sc.exe” /WindowState 0 /CommandLine “stop WinDefend” /StartDirectory “” /RunAs 8 /Run “C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe” /EXEFilename “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” /WindowState 0 /CommandLine “rmdir ‘C:\ProgramData\Microsoft\Windows Defender’ -Recurse” /StartDirectory “” /RunAs 8 /Run ``` The .vbs file drop in the%temp% folder will add C:\ drive to the exclusion path of Windows Defender. ----- ### Process Injection - File Corrupter Malware It will create a suspended process of InstallUtil.exe in %temp% folder to inject the file corrupter malware. Below is the CreateProcess API call for the said file to prepare its injection. By Extracting the file that it will inject in InstallUtil.exe using WriteProcessMemory API, we were able to grab the corruptor malware. This malware will first enumerate all the drive types connected on the compromised machine. It looks specifically for “Fixed” or “Remote” drives as a starting point in traversing all possible files to corrupt. If it finds a file during its enumeration, It will convert its string filename in all capital characters then check if the file extension is in its list. Below is the screenshot of code that checks the file extension and the list of its targeted file type. ----- File extension list .HTML .HTM .SHTML .XHTML .PHTML .PHP .JSP .ASP .PHPS .PHP5 .ASPX .PHP4 .PHP6 .PHP7 .PHP3 .DOC .DOCX .XLS .XLSX .PPT .PPTX .PST .OST .MSG .EML .VSD .VSDX .TXT .CSV .RTF .WKS .WK1 .PDF .DWG .ONETOC2 .SNT .JPEG .JPG .DOCB .DOCM .DOT .DOTM .DOTX .XLSM .XLSB .XLW .XLT .XLM .XLC .XLTX .XLTM .PPTM .POT .PPS .PPSM .PPSX .PPAM .POTX .POTM .EDB .HWP .602 .SXI .STI .SLDX .SLDM .BMP .PNG .GIF .RAW .CGM .SLN .TIF .TIFF .NEF .PSD .AI .SVG .DJVU.SH .CLASS .JAR .BRD .SCH .DCH .DIP .PL .VB .VBS .PS1 .BAT .CMD .JS .ASM .PAS .CPP .CS .SUO .ASC .LAY6 .LAY .MML .SXM .OTG .ODG .UOP .STD .SXD .OTP .ODP .WB2 .SLK .DIF .STC .SXC .OTS .ODS .3DM .MAX .3DS .UOT .STW .SXW .OTT .ODT .PEM .P12 .CSR .CRT .KEY .PFX .DER .OGG .RB .GO .JAVA .INC .WAR .PY .KDBX .INI .YML .PPK .LOG .VDI .VMDK .VHD .HDD .NVRAM .VMSD .VMSN .VMSS .VMTM .VMX .VMXF .VSWP .VMTX .VMEM .MDF .IBD .MYI .MYD .FRM .SAV .ODB .DBF .DB .MDB .ACCDB .SQL .SQLITEDB .SQLITE3 .LDF .SQ3 .ARC .PAQ .BZ2 .TBK .BAK .TAR .TGZ .GZ .7Z .RAR .ZIP .BACKUP .ISO .VCD .BZ .CONFIG If the file extension is in its list, it will generate a random value that will serve as the file extension of its corrupted file, then it will mem allocate with size of 0x100000 bytes and fill it with “0xCC” using memset API. After that it will open the target file, overwrite it with the allocated memory fill of 0xCC bytes and rename it with the random generated file extension. ----- Below is the screenshot during the corruption process of this malware, and how it overwrites the file with 0xCC that makes it not recoverable. ### Ping Sleep and the Melting Batch Script This corruptor malware will try to delete itself using the known batch script command like in the screenshot below. Before that, it also used a ping utility tool to generate sleep for 4-5 sec. ----- ## Detections ### Ping Sleep Batch Command This analytic will identify the possible execution of ping sleep batch commands. This technique was seen in several malware samples and is used to trigger sleep times without explicitly calling sleep functions or commandlets. The goal is to delay the execution of malicious code and bypass detection or sandbox analysis. ``` | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_ping` (Processes.parent_process = "*ping*" Processes.parent_process = *-n* Processes.parent_process="* Nul*"Processes.parent_process="*>*") OR (Processes.process = "*ping*" Processes.process = *-n* Processes.process="* Nul*"Processes.process="*>*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` ### Powershell Remove Windows Defender Directory ``` This analytic will identify a suspicious PowerShell command used to delete the Windows Defender folder. This technique was seen used by the WhisperGate malware campaign where it used Nirsoft's advancedrun.exe to gain administrative privileges to then execute a PowerShell command to delete the Windows Defender folder. ----- ``` p g g | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ### Suspicious Process With Discord DNS Query ``` This analytic identifies a process making a DNS query to Discord, a well known instant messaging and digital distribution platform. Discord can be abused by adversaries, as seen in the WhisperGate campaign, to host and download malicious external files. A process resolving a Discord DNS name could be an indicator of malware trying to download files from Discord for further execution. ``` `sysmon` EventCode=22 QueryName IN ("*discord*") process_path != "*\\AppData\\Local\\Discord\\*" AND process_path != "*\\Program Files*" AND process_name != "discord.exe" | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryStatus process_name QueryResults Computer process_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` ----- ### Excessive File Deletion In WinDefender Folder This analytic will identify excessive file deletion events in the Windows Defender folder. This technique was seen in the WhisperGate malware campaign in which adversaries abused Nirsoft's advancedrun.exe to gain administrative privilege to then execute PowerShell commands to delete files within the Windows Defender application folder. ``` `sysmon` EventCode=23 TargetFilename = "*\\ProgramData\\Microsoft\\Windows Defender*" | stats values(TargetFilename) as deleted_files min(_time) as firstTime max(_time) as lastTime count by user EventCode Image ProcessID Computer |where count >=50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ### Windows InstallUtil in Non Standard Path ``` The following analytic identifies the Windows binary InstallUtil.exe running from a non-standard location. ----- ### Windows NirSoft AdvancedRun The following analytic identifies the use of AdvancedRun.exe. AdvancedRun.exe has similar capabilities as other remote programs like psexec. ### Windows DotNet Binary in Non Standard Path The following analytic identifies native .net binaries within the Windows operating system that may be abused by adversaries by moving it to a new directory. ----- ## Splunk Security Content **Name** **Technique** **ID** **Tactic** **Description** powershell windows [defender](https://research.splunk.com/endpoint/powershell_windows_defender_exclusion_commands/) exclusion commands windows defender exclusion registry entry executables or script [creation in](https://research.splunk.com/endpoint/executables_or_script_creation_in_suspicious_path/) suspicious path [T1562.001](https://attack.mitre.org/techniques/T1562/001/) Defense Evasion [T1562.001](https://attack.mitre.org/techniques/T1562/001/) Defense Evasion [T1036](https://attack.mitre.org/techniques/T1036/) Defense Evasion This analytic will detect a suspicious process commandline related to windows defender exclusion feature. This analytic will detect a suspicious process that modifies a registry related to windows defender exclusion feature. This analytic will identify suspicious executable or scripts (known file extensions) in a list of suspicious file paths in Windows. This technique is used by adversaries to evade detection. The suspicious file paths are known paths used in the wild and are not common to have executable or scripts. ----- add or set windows defender exclusion attempt to [stop security](https://research.splunk.com/endpoint/attempt_to_stop_security_service/) service wscript or cscript suspicious child process process deleting its process file path high file [deletion](https://github.com/splunk/security_content/blob/develop/detections/endpoint/high_file_deletion_frequency.yml) frequency suspicious [process file](https://research.splunk.com/endpoint/suspicious_process_file_path/) path CMD Carry Out String Command Parameter Impacket Lateral [Movement](https://research.splunk.com/endpoint/impacket_lateral_movement_commandline_parameters/) Commandline Parameters [T1562.001](https://attack.mitre.org/techniques/T1562/001/) Defense Evasion [T1562.001](https://attack.mitre.org/techniques/T1562/001/) Defense Evasion [T1021](https://attack.mitre.org/techniques/T1021/) [T1021.002](https://attack.mitre.org/techniques/T1021/002/) [T1021.003](https://attack.mitre.org/techniques/T1021/003/) [T1047](https://attack.mitre.org/techniques/T1047/) [T1543.003](https://attack.mitre.org/techniques/T1543/003/) [T1134.004](https://attack.mitre.org/techniques/T1134/004/) [T1543](https://attack.mitre.org/techniques/T1543/) [T1055](https://attack.mitre.org/techniques/T1055/) [T1134](https://attack.mitre.org/techniques/T1134/) Defense Evasion, Privilege Escalation, [Persistence,](https://attack.mitre.org/tactics/TA0003) This analytic will detect a suspicious process commandline related to windows defender exclusion feature. This command is abused by adversaries, malware authors and red teams to bypass Windows Defender Antivirus products by excluding folder path, file path, process, extensions and etc. from its real time or schedule scan to execute their malicious code. This search looks for attempts to stop security-related services on the endpoint. This analytic is to detect a suspicious spawned process by wscript or cscript process. This technique was a common technique used by adversaries and malware to execute different LOLBIN, other scripts like powershell or spawn a suspended process to inject its code as a defense evasion. This detection is to identify a suspicious process that tries to delete the process file path related to its process. [T1070](https://attack.mitre.org/techniques/T1070/) Defense Evasion [T1485](https://attack.mitre.org/techniques/T1485/) [Impact](https://attack.mitre.org/tactics/TA0040) This detection detects a high amount of file deletions in a short time for specific file types. [T1543](https://attack.mitre.org/techniques/T1543/) [Persistence,](https://attack.mitre.org/tactics/TA0003) Privilege Escalation The following analytic will detect a suspicious process running in a file path where a process is not commonly seen and is most commonly used by malicious software. [T1059.003](https://attack.mitre.org/techniques/T1059/003/) [Execution](https://attack.mitre.org/tactics/TA0002) The following analytic identifies command-line arguments where cmd.exe /c is used to execute a program. cmd /c is used to run commands in MS-DOS and terminate after command or process completion. Lateral Movement, [Execution,](https://attack.mitre.org/tactics/TA0002) [Persistence,](https://attack.mitre.org/tactics/TA0003) Privilege Escalation This analytic looks for the presence of suspicious command line parameters typically present when using Impacket tools. ----- Suspicious Process DNS [Query Known](https://research.splunk.com/endpoint/suspicious_process_dns_query_known_abuse_web_services/) Abuse Web Services Malicious PowerShell [Process -](https://research.splunk.com/endpoint/malicious_powershell_process_-_encoded_command/) Encoded Command Suspicious Process With Discord DNS Query Ping Sleep [Batch](https://splunkresearch.com/endpoint/ping_sleep_batch_command/) Command Powershell Remove [Windows](https://splunkresearch.com/endpoint/powershell_remove_windows_defender_directory/) Defender Directory Windows InstallUtil in Non Standard Path Windows DotNet Binary in Non Standard Path [T1059.005](https://attack.mitre.org/techniques/T1059/005/) [Execution](https://attack.mitre.org/tactics/TA0002) This analytic detects a suspicious process making a DNS query via known, abused text-paste web services, VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. [T1027](https://attack.mitre.org/techniques/T1027/) Defense Evasion The following analytic identifies the use of the EncodedCommand PowerShell parameter. This is typically used by Administrators to run complex scripts, but commonly used by adversaries to hide their code. [T1059.005](https://attack.mitre.org/techniques/T1059/005/) [Execution](https://attack.mitre.org/tactics/TA0002) This analytic detects a suspicious process making a DNS query via known, abused VoIP, instant messaging, and digital distribution platforms used to download external files. This technique is abused by adversaries, malware actors, and red teams to download a malicious file on the target host. [T1497.003](https://attack.mitre.org/techniques/T1497/003/) Defense Evasion, [Discovery](https://attack.mitre.org/tactics/TA0007) [T1562.001](https://attack.mitre.org/techniques/T1562/001/) Defense Evasion [T1218.004](https://attack.mitre.org/techniques/T1218/004/) Defense Evasion [T1036.003](https://attack.mitre.org/techniques/T1036/003/) Defense Evasion This analytic is to detect a possible ping sleep batch command. This technique was seen in several malware and adversaries to trigger sleep without calling sleep function or commandlets to delay its execution to bypass detection and sandbox analysis. This analytic is to detect a suspicious powershell command to delete Windows Defender folder. Identifies the Windows binary InstallUtil.exe running from a non-standard location. Identifies native .net binaries within the Windows operating system that may be abused by adversaries by moving it to a new directory. ----- Excessive File Deletion In WinDefender Folder Windows NirSoft AdvancedRun ## IOC: [T1485](https://attack.mitre.org/techniques/T1485/) [Impact](https://attack.mitre.org/tactics/TA0040) This analytic is to detect suspicious excessive file deletion events in Windows Defender folder. [T1588.002](https://attack.mitre.org/techniques/T1588/002/) Resource Development Identifies the use of AdvancedRun.exe File name Hashes - Sha256 Stage1 - Mbr wiper a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 Stage2 - Discord downloader dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 Stage3 - not fix 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 Stage3 - fix (tbopbh.dll) 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d advancedrun.exe cd5cb94cba8f2d5de82cfb548d21066b5bd79a0e8f721e86c464e5ad50f85d5b File Corrupter malware 34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907 Nmddfrqqrbyjeygggda.vbs db5a204a34969f60fe4a653f51d64eee024dbf018edea334e8b3df780eda846f ## Mitigation [As outlined in CISA Alert (AA22-011A) and other CISA recently released a communication on how to](https://us-cert.cisa.gov/ncas/alerts/aa22-011a) Implement Cybersecurity Measures in order to protect against potential critical threats, here are some steps organizations can take right now in order to protect themselves. Ensure software is up to date, prioritize updates that address known exploited vulnerabilities. Splunk ESCU has extensive coverage of destructive software including ransomware and crime carrier payloads. Download ESCU and perform some preventative detection and monitoring for these threats. Test, verify, and validate your perimeter defenses and remote access policies Apply equivalent security policies within your organization perimeter to your Cloud resources. Ensure there are disaster recovery, business continuity, and incident response resources on standby in case of intrusion or attack. ----- ## Learn More [You can find the latest content about security analytic stories on research.splunk.com. For a full list of](https://research.splunk.com/) [security content, check out the release notes on](https://docs.splunk.com/Documentation/ESSOC/3.21.0/RN/Enhancements) [Splunk Docs.](https://docs.splunk.com/Documentation/ESSOC) [ESCU v3.34.0](https://github.com/splunk/security_content/releases/tag/v3.34.0) ## Feedback Any feedback or requests? Feel free to put in an issue on Github and we’ll follow up. Alternatively, join us on the [Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk](https://splunk-usergroups.slack.com/) user groups on Slack. ## Contributors We would like to thank the following for their contributions to this post: Rod Soto Teoderick Contreras Michael Haag Jose Hernandez Lou Stella Mauricio Velazco Posted by **[Splunk Threat Research Team](https://www.splunk.com/en_us/blog/author/secmrkt-research.html)** The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the [team replicates attacks which are stored as datasets in the Attack Data repository.](https://github.com/splunk/attack_data/) ----- Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more. [Read more Splunk Security Content.](https://github.com/splunk/security_content) -----