WIPER MALWARE: ATTACKING FROM INSIDE

Why some attackers are choosing to get in, delete files, and get out, rather than try to reap financial benefit from their malware.

AUTHORED BY VITOR VENTURA WITH CONTRIBUTIONS FROM MARTIN LEE

EXECUTIVE SUMMARY

In a digital era when everything and everyone is connected, malicious actors have the perfect space to perform their activities. During the past few years, organizations have suffered several kinds of attacks that arrived in many shapes and forms. But none have been more impactful than wiper attacks. Attackers who deploy wiper malware have a singular purpose: destroying or disrupting systems and/or data.

Unlike malware that holds data for ransom (ransomware), when a malicious actor decides to use a wiper in their activities, there is no direct financial motivation. For businesses, this often is the worst kind of attack, since there is no expectation of data recovery.

Another crucial aspect of a wiper attack is the fear, uncertainty and doubt that it generates. In the past, wiper attacks have been used by malicious actors with a dual purpose: generating social destabilization and sending a public message, while also destroying all traces of their activities. Given that the malicious actor has just revealed its presence, the doubt and uncertainty about what happened before the attack raises a lot of questions.

• How did they get in?
• How long were they here?
• Did they exfiltrate any of our data?
• Can we recover safely?

The questions above become a CISO's worst nightmare, preying on the mind while trying to support the recovery of business operations as quickly and safely as possible.

A wiper's destructive capability can vary, ranging from the overwriting of specific files to the destruction of the entire filesystem. The amount of data impacted is a direct consequence of the technique used, which in turn has a direct impact on the business: the harder the data/system recovery process becomes, the bigger the business impact.

It is important to distinguish the data impact from the system impact. Some wipers will destroy systems, but not necessarily the data. On the other hand, there are wipers that will destroy data, but will not affect the systems. One cannot determine which kind has the biggest impact, because those impacts are specific to each organization and the specific context in which the attack occurs. However, an attacker with the capability to perform one could perform the other.

The defense against these attacks often falls back to the basics. By having certain protections in place — a tested cyber security incident response plan, a risk-based patch management program, a tested and cyber security-aware business continuity plan, and network and user segmentation on top of the regular software security stack — an organization dramatically increases its resilience against these kinds of attacks.

INTRODUCTION

Malware with destructive payloads has been around since the early days of virus development. However, the delivery methods and the destructive level have evolved. For the past five years, we have seen the rise of ransomware with CryptoLocker and TeslaCrypt, among others. These have earned huge amounts of money for their operators. In these cases, the operators would go through a great deal of effort to establish a reputation regarding the recovery of data.

But just as ransomware was on the rise in the mainstream, more attackers also began to use targeted wiper malware. A wiper is malware with the sole intention of destroying systems and/or data, usually causing great financial and/or reputational damage. The motivation behind these attacks may be political, aimed at generating publicity, or it can also be pure and simple artifact destruction with the intention of preventing a forensic investigation. In the latter case, the wiper is usually preceded by data-gathering and exfiltration operations, which recently became CISOs' biggest concerns regarding cyber attacks.

One of the first incidents of wiper malware was the Shamoon attack in 2012, after which several additional events have occurred, such as Shamoon2, BlackEnergy and Nyetya/NotPetya, where the pure destruction/disruption of operations seemed to be the objective.

ANATOMY OF A WIPER

DESTRUCTIVE PAYLOAD

A wiper can go through several steps during its activity, depending on its capabilities and the techniques used to perform the data/system destruction. The effectiveness of the destructive component of a wiper is directly related to the speed at which it can perform these activities. Usually a wiper has three attack vectors: files (data), the boot section of the operating system, and backups of system and data.

The backup destruction is commonly done by deleting the volume shadow copies and the backups. This can be done easily by executing some legitimate operating system command-line tools.

The boot section can be attacked in two ways, depending on the purpose. The malware can simply erase the first 10 sectors of the physical disks (the master boot record location), or it can rewrite these first 10 sectors with a new boot loader that will perform additional damage. Either way, the original operating system becomes unbootable. Usually, along with master boot record destruction, the wipers will also use operating system command-line utilities to destroy the recovery console.

Both actions — boot section and backup destruction — can be performed quickly. The activity that takes the longest to perform is the actual file destruction. To be more efficient, most wipers don't overwrite the entire hard disk. There are wipers that will create a list of targeted files. Others will list all files in specific folders. Some of them will only rewrite a certain amount of bytes at the beginning of each file, and will overwrite the file completely if it is smaller than that amount. This is just enough to destroy the headers of the files, which renders them useless. Other wipers will write a certain amount of bytes at fixed intervals: for instance, the malware will write 100 kilobytes of data every five megabytes sequentially through the hard disk. This means that the wiper will destroy files at random, without any predictable pattern. Both methods may be followed by the destruction of the master file table, which is where the Windows file system (NTFS for recent versions) keeps records of the file locations and associated metadata. This last step makes advanced recovery tools practically impossible to use, due to the lack of the information needed to recover the files.

As mentioned before, in order to perform these activities the wiper may need to use a custom bootloader, which will perform the destruction upon reboot, thus bypassing the operating system protections.

But there is another way. In the Shamoon attacks, the authors used a trial version of a legitimate driver to get access to the filesystem, bypassing the operating system API. This bypasses any protections to files enforced by the operating system, and allows for the destruction of files while the system is still running.

Obviously, these techniques require the adequate privilege level and/or operating system. That is why some wipers will fall back from one technique to the other depending on the conditions of the victim's system.

Recently, we have also seen Olympic Destroyer disabling all services on the operating system. This alone does not destroy data, but it makes the recovery of the system almost impossible without reinstallation, which creates a service unavailability.

PROPAGATION MECHANISM

A wiper is not only made of the destructive module. In the latest incident, Olympic Destroyer, a wiper (see figure 1) was released in the form of a wiper worm, performing self-replication and lateral movement inside the networks. Replication modules are usually used in conjunction with credential-harvesting modules. The malware will harvest credentials from the system, which are then used to perform remote copy and execution of the wiper, hopping from system to system. The most popular way to do this remote execution is the usage of the psexec tool and the Windows Management Instrumentation command-line utility (WMIC) — both legitimate administration mechanisms present in the Windows operating system. The usage of legitimate tools and credentials makes it harder for the system administrators to detect the malicious activity in such a small time frame. It is important to keep in mind that the wipers will try to be as fast as they can in their destructive activity.

Some of the worms also carry the code to exploit vulnerabilities that allow remote code execution, when all other means of propagation fail.

PAST INCIDENTS

TIMELINE

For the past eight to 10 years, whenever wipers have been used, there is almost always some kind of political connection that has been made by the media. This tendency is supported by the fact that there is no clear financial gain for the attackers, and there is a huge amount of capability lost following the wiper action.

Our timeline (figure 1) shows that since 2012, at least one big wiper attack has happened per year. A wiper usually has public visibility and/or political motivations. But during some incidents, wipers have been used after data exfiltration to cover the attacker's tracks. The public disruption of services gives high visibility to the attack, which is often the purpose.

Figure 1. Timeline of wiper attacks since 2012.
• SHAMOON1 (Aug. 2012). Targets: Refineries in KSA
• DARK SEOUL (March 2013). Targets: Broadcast and ATMs in South Korea
• GUARDIANS OF PEACE (Nov. 2014). Target: Sony
• BLACK ENERGY (Nov. 2015). Targets: ICS, Energy Sector in Ukraine
• SHAMOON2 (Nov. 2016). Target: Refineries in Saudi Arabia
• WANNA CRY (May 2017). Targets: Worldwide attack
• NYETYA (June 2017). Target: Ukraine generally, spread all over the world

© 2018 Cisco. All rights reserved. | [email protected] | talosintelligence.com
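The two file-destruction strategies in the DESTRUCTIVE PAYLOAD section (overwrite the first N bytes of each targeted file, or write a fixed chunk at a fixed stride across the disk) have very different coverage, and the difference is what decides whether recovery tooling has anything left to work with. The model below is an added example, not code from the Talos paper: the file names, offsets and sizes are a constructed layout on a flat byte address space, nothing is written anywhere, and the 100 KiB / 5 MiB figures are the ones quoted in the text. It shows that the stride pattern touches under 2% of the disk's bytes yet hits most files, and that only some of those hits land on the header bytes a carving tool needs.

```python
from dataclasses import dataclass

KiB, MiB = 1024, 1024 * 1024


@dataclass(frozen=True)
class FileExtent:
    """One file's data as a contiguous run on a flat disk address space
    (fragmentation is ignored in this model)."""
    name: str
    offset: int   # first byte of the file's data on disk
    size: int     # length in bytes


# Constructed layout for the example: a 32 MiB "disk" holding six files.
DISK_SIZE = 32 * MiB
SAMPLE_LAYOUT = [
    FileExtent("boot.ini", 0, 4 * KiB),
    FileExtent("report.docx", 1 * MiB, 200 * KiB),
    FileExtent("db.mdf", 4 * MiB + 512 * KiB, 2 * MiB),
    FileExtent("photo.jpg", 10 * MiB, 50 * KiB),
    FileExtent("archive.zip", 15 * MiB - 100 * KiB, 300 * KiB),
    FileExtent("notes.txt", 20 * MiB + 200 * KiB, 1 * KiB),
]


def header_overwrite_damage(files, header_bytes):
    """Strategy 1: overwrite the first `header_bytes` of every targeted
    file, or the whole file if it is smaller. Returns {name: bytes lost}.
    Every targeted file is hit, always at offset 0, which is where magic
    numbers and format headers live, so carving tools cannot identify it."""
    return {f.name: min(header_bytes, f.size) for f in files}


def stride_overwrite_hits(files, chunk, stride, disk_size):
    """Strategy 2: write `chunk` bytes at every `stride` boundary from
    offset 0 to `disk_size` (e.g. 100 KiB every 5 MiB). Returns
    {name: [(start, end), ...]} with ranges relative to the file start,
    listing only files that were touched. Which files those are depends
    purely on where they happen to sit on disk."""
    hits = {}
    for f in files:
        f_end = f.offset + f.size
        ranges = []
        k = max(0, (f.offset - chunk) // stride)  # first window that can reach the file
        while k * stride < min(f_end, disk_size):
            w_start, w_end = k * stride, min(k * stride + chunk, disk_size)
            lo, hi = max(w_start, f.offset), min(w_end, f_end)
            if lo < hi:
                ranges.append((lo - f.offset, hi - f.offset))
            k += 1
        if ranges:
            hits[f.name] = ranges
    return hits


def classify(files, hits):
    """Recovery outlook per file: 'destroyed' (no byte survived),
    'header destroyed' (offset 0 overwritten, file no longer identifiable),
    'body damaged' (header intact, partial recovery possible) or 'untouched'."""
    result = {}
    for f in files:
        ranges = hits.get(f.name, [])
        lost = sum(hi - lo for lo, hi in ranges)
        if not ranges:
            result[f.name] = "untouched"
        elif lost >= f.size:
            result[f.name] = "destroyed"
        elif any(lo == 0 for lo, _ in ranges):
            result[f.name] = "header destroyed"
        else:
            result[f.name] = "body damaged"
    return result


def summary(files, chunk, stride, disk_size):
    """Fraction of disk bytes the stride strategy writes versus the fraction
    of files it damages: the first is what makes it fast, the second is
    what makes it effective."""
    hits = stride_overwrite_hits(files, chunk, stride, disk_size)
    return {
        "bytes_written_fraction": chunk / stride,
        "files_hit_fraction": len(hits) / len(files),
        "outcome": classify(files, hits),
    }


if __name__ == "__main__":
    report = summary(SAMPLE_LAYOUT, 100 * KiB, 5 * MiB, DISK_SIZE)
    for name, outcome in report["outcome"].items():
        print(f"{name:12s} {outcome}")
    print(f"bytes written: {report['bytes_written_fraction']:.2%}, "
          f"files hit: {report['files_hit_fraction']:.0%}")
```

On the constructed layout the stride pass writes about 2% of the disk but damages four of six files, and two of those are large enough that their headers survive; that is the case where a carving tool can still recognise the file, and exactly the case the subsequent master file table destruction is meant to close off.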
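Both the backup and recovery-console destruction described under DESTRUCTIVE PAYLOAD and the psexec/WMIC lateral movement described under PROPAGATION MECHANISM leave process-creation events behind, and the paper's own observation that wipers run these steps as fast as they can is what makes them detectable: an administrator may legitimately run one of these commands, but not all of them within seconds. The detection below is an added example, not code from the paper. The log lines are constructed to resemble Sysmon event ID 1 fields; the command patterns are the standard Windows tools (vssadmin, wbadmin, bcdedit, wmic, PsExec; the paper itself names only psexec and WMIC); the ATT&CK technique IDs and the five-minute correlation window are this example's own choices.

```python
import re
from datetime import datetime, timedelta

# Rule table: (label, ATT&CK technique, pattern over the command line).
# Command forms are the standard Windows tools; the technique mapping is
# this example's own, not the paper's.
RULES = [
    ("shadow copy deletion", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)", re.I)),
    ("backup catalog deletion", "T1490",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)", re.I)),
    ("recovery environment disabled", "T1490",
     re.compile(r"bcdedit(\.exe)?.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("copy to remote admin share", "T1021.002",
     re.compile(r"\bcopy\b.*\\\\[^\\\s]+\\(admin|c)\$", re.I)),
    ("remote execution via WMIC", "T1047",
     re.compile(r"wmic(\.exe)?\s+.*/node:.*process\s+call\s+create", re.I)),
    ("remote execution via PsExec", "T1021.002",
     re.compile(r"psexec(64)?(\.exe)?\s+\\\\", re.I)),
]
RECOVERY_INHIBITION = {"T1490"}
LATERAL_MOVEMENT = {"T1021.002", "T1047"}

# Constructed process-creation events (Sysmon event ID 1 style fields).
# ADMIN01 is a backup operator doing routine work; WS01 is a wiper host.
SAMPLE_LOG = [
    r'2018-02-09T19:30:00 host=ADMIN01 user=CORP\backupadm parent=powershell.exe image=vssadmin.exe cmdline="vssadmin.exe list shadows"',
    r'2018-02-09T19:31:00 host=ADMIN01 user=CORP\backupadm parent=mmc.exe image=wbadmin.exe cmdline="wbadmin.exe start backup -backupTarget:E: -quiet"',
    r'2018-02-09T20:00:01 host=WS01 user=CORP\jdoe parent=rundll32.exe image=cmd.exe cmdline="cmd.exe /c vssadmin.exe delete shadows /all /quiet"',
    r'2018-02-09T20:00:02 host=WS01 user=CORP\jdoe parent=rundll32.exe image=cmd.exe cmdline="cmd.exe /c wbadmin.exe delete catalog -quiet"',
    r'2018-02-09T20:00:02 host=WS01 user=CORP\jdoe parent=rundll32.exe image=cmd.exe cmdline="cmd.exe /c bcdedit.exe /set {default} recoveryenabled no"',
    r'2018-02-09T20:00:04 host=WS01 user=CORP\jdoe parent=rundll32.exe image=cmd.exe cmdline="cmd.exe /c copy C:\Windows\Temp\svc.exe \\WS02\admin$\svc.exe"',
    r'2018-02-09T20:00:05 host=WS01 user=CORP\jdoe parent=rundll32.exe image=wmic.exe cmdline="wmic.exe /node:WS02 /user:CORP\admin process call create C:\Windows\svc.exe"',
    r'2018-02-09T20:00:06 host=WS01 user=CORP\jdoe parent=rundll32.exe image=psexec.exe cmdline="psexec.exe \\WS03 -accepteula -s -d C:\Windows\svc.exe"',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'parent=(?P<parent>\S+)\s+image=(?P<image>\S+)\s+cmdline="(?P<cmdline>[^"]*)"$')


def parse_event(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines):
    """Return one alert per (event, rule) match, in log order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for label, technique, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                               "label": label, "technique": technique})
    return alerts


def wiper_like_hosts(alerts, window=timedelta(minutes=5)):
    """Hosts on which recovery inhibition and lateral movement both occur
    within `window`. The time coupling, not any single command, is what
    separates a wiper from an administrator running one of these tools."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    flagged = set()
    for host, events in by_host.items():
        for a in events:
            if a["technique"] not in RECOVERY_INHIBITION:
                continue
            if any(b["technique"] in LATERAL_MOVEMENT and abs(b["ts"] - a["ts"]) <= window
                   for b in events):
                flagged.add(host)
                break
    return flagged


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a["ts"].isoformat(), a["host"], a["technique"], a["label"])
    print("wiper-like sequence on:", sorted(wiper_like_hosts(found)))
```

Each rule on its own will fire on legitimate administration (the backup operator's `vssadmin list shadows` correctly does not, but a real catalog cleanup would), so the per-host correlation is the part worth tuning: the window should be short enough that a human running backup maintenance and a separate remote-execution task does not match, and the burst of T1490 events within the same second is itself a strong indicator.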