Wiper malware is one of the more destructive classes of malware: its purpose is to wipe the victim computer's hard drive when it attacks.
The first instances of wiper malware originated in the Middle East, where it was used to attack Iranian oil companies in 2012. Later, a hard drive was given to Kaspersky Lab by the International Telecommunication Union to analyse the malware; however, they could not find any trace of wiper samples on it. Instead, they found a separate piece of malware called Flame. Later, in 2013, the Lazarus cybercrime group used a wiper in a South Korean cyberattack. But this malware did not come under the spotlight until 2014, when several high-profile companies, such as Sony Pictures, were paralysed by it.
How it works:
A wiper malware attack involves wiping, overwriting, or removing data from the victim's computer. Unlike other malware types, the wiper's motive is to disrupt or destroy data, causing brand or reputation damage.
In some cases, wiper malware has been known to be used to cover the tracks of data theft. As the malware travels within the network, it infects each computer it moves into.
Threat actors use various techniques to set off the wiper malware. The malware has three attack vectors:
- Files or data.
- System and data backups.
- The system boot of the operating system.
Propagation of Malware:
Wiper malware is generally propagated by various techniques, such as spooler and link exploits, software updates from third parties, bash wiper scripts, stolen credentials, EternalBlue/Mimikatz, and domain admin privileges. Once the malware enters the computer, it attaches itself to different files and overwrites the data.
Stage 1: overwrite MBR
The malware can reside in various working directories, such as C:\PerfLogs, C:\ProgramData, C:\, and C:\temp, and is commonly named stage1.exe. It can be executed by means of Impacket, a freely available toolkit frequently used by threat actors for lateral movement and execution.
The malware overwrites the Master Boot Record (MBR) on the victim's device with a ransom note. The MBR is the part of a hard drive that tells the PC how to load the operating system. The malware payload will be executed when the device is shut down.
Stage 2: Downloader
This stage is written in .NET; its main purpose is to download the third stage of the malware and execute it. It uses a PowerShell command to do so.
Stage 3: File corrupter
It downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. When executed in memory, the corrupter locates files in specific directories on the system. The corrupter overwrites the content of the files with a fixed number of 0xCC bytes. When the overwriting is done, the corrupter renames the files with an apparently random 4-byte extension. The malware targets the local hard drives, mounted network shares, and attached USB drives and corrupts them. Subsequently, the Windows device becomes inoperable.
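A defender-side triage helper for the file-corrupter pattern just described (body overwritten with 0xCC bytes, then renamed with a random 4-byte extension). This is an added example, not code from the write-up; it assumes the new extension is four alphanumeric characters and, since the overwrite length is not stated, only inspects the first `probe_len` bytes of each file. The sample tree it scans is constructed in a scratch directory.

```python
"""Triage helper for the stage-3 corrupter pattern (0xCC fill, random 4-byte
extension). Added example, not from the write-up. Assumptions: extension is four
alphanumerics; overwrite length is unstated, so only `probe_len` bytes are read."""
import re
import tempfile
from pathlib import Path

FILL_BYTE = 0xCC
RANDOM_EXT = re.compile(r"^\.[A-Za-z0-9]{4}$")  # assumed shape of the rename

def looks_wiped(path: Path, probe_len: int = 4096, min_size: int = 16) -> bool:
    """True when the file starts with an unbroken run of FILL_BYTE.
    0xCC is also compiler padding in PE files, so a whole-window run is required."""
    try:
        size = path.stat().st_size
        if size < min_size:           # skip tiny files such as lock files
            return False
        with path.open("rb") as fh:
            head = fh.read(min(probe_len, size))
    except OSError:                   # unreadable or locked: leave for manual review
        return False
    return head.count(FILL_BYTE) == len(head)

def scan_tree(root) -> dict:
    """Map each 0xCC-filled file under `root` (relative POSIX path) to its tags.
    The extension tag only raises confidence: .docx/.html are 4 chars too."""
    root = Path(root)
    hits = {}
    for p in root.rglob("*"):
        if p.is_file() and looks_wiped(p):
            tags = ["0xCC-fill"]
            if RANDOM_EXT.match(p.suffix):
                tags.append("4-char-extension")
            hits[p.relative_to(root).as_posix()] = tags
    return hits

def demo() -> dict:
    """Scan a constructed sample tree written to a scratch directory."""
    base = Path(tempfile.mkdtemp(prefix="wiper-triage-"))
    (base / "docs").mkdir()
    (base / "docs" / "report.docx").write_bytes(b"PK" + b"quarterly numbers " * 40)
    (base / "docs" / "invoice.pdf.Kq7z").write_bytes(bytes([FILL_BYTE]) * 8192)
    (base / "notes.txt").write_bytes(bytes([FILL_BYTE]) * 300)  # filled, not renamed
    (base / "tiny.bin").write_bytes(bytes([FILL_BYTE]) * 8)     # below min_size
    return scan_tree(base)

if __name__ == "__main__":
    for path, tags in sorted(demo().items()):
        print(f"{path}: {', '.join(tags)}")
```

Point `scan_tree` at a mounted forensic image or a suspect share to list candidate files for manual review; a hit with both tags is the strongest match for this corrupter.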
Examples of Wiper Variants:
Some real-world examples of wiper variants that caused serious impacts around the globe:
- Shamoon: attacked Saudi Aramco and various other Middle Eastern oil companies between 2012 and 2016. The malware infiltrated personal computers and destroyed over 30,000 hard drives using a direct drive access driver called RawDisk.
- Meteor: This variant caused extreme disruption and chaos for Iran's train services when it first surfaced in July 2021.
- NotPetya: Discovered in 2017; it caused approx. $10 billion in damages to multinational companies.
- ZeroCleare: Discovered in 2019; it attacked various energy companies across the Middle East.
- WhisperGate: The newest strain of wiper malware, which carried out targeted attacks against the Ukrainian government in January 2022. The attack defaced various website domains owned by the Ukrainian government.
Remediation:
- Use the IOCs to investigate whether they exist in your environment and assess for potential intrusion.
- Block the threat indicators at their respective controls.
- Ensure that the devices are updated with the latest security patches.
- Enforce MFA for VPN clients.
- Set PowerShell execution policy to execute only signed scripts.
- Allow remote services only through VPN tunnels.
- Enable Controlled Folder Access (CFA) in Microsoft Defender for Endpoint to prevent MBR/VBR modification.