Blog - HUNTERS

Advisory: Malware Targeting Organizations in Ukraine - Threat Hunting Queries

Written by Team Axon | Mar 7, 2022 9:02:30 PM

In recent weeks, several Russian-sponsored APT activities have been reported attacking Ukrainian organizations. These have been widely published in the security community. Hunters has been keeping on top of these reports as they come in.

While the threats continue to be tracked by Hunters’ Team Axon, we are releasing several hunting queries that can be used to hunt for anomalies that are related to specific behaviors associated with WhisperGate, HermeticWiper, and HermeticRansom malware.

This blog post covers technical details of these malware families and threat hunting methodologies for the malware-related TTPs observed during these attacks, to help you discover whether related activity is present in your environment.

We highly recommend following the instructions in CISA’s advisory and hunting using the suggested queries below. 

Malware Overview

Of the several different attacks, we will focus on three specific malware types: WhisperGate, HermeticWiper, and HermeticRansom.

WhisperGate Malware

WhisperGate targeted non-profit organizations and governments in Ukraine with what initially appeared to be ransomware but was quickly revealed to be data-corrupting software. As of the time of publication of this post, the wiper was reported to target Windows machines located solely in Ukrainian territory.

WhisperGate runs in a multistage approach, starting by corrupting the Master Boot Record (MBR), which prevents the machine from loading the operating system and displays a fake ransom demand instead. The next stages include downloading an additional payload from the Discord external attachment feature and overwriting and destroying all the relevant data on the target machine.

HermeticWiper Malware

HermeticWiper is another type of wiper malware, aimed at slowing down communications among critical infrastructure in Ukraine by destroying files on infected Windows devices through corrupting specific structures of the attached hard disks. Unlike WhisperGate, which used Win32 API calls, HermeticWiper abused a legitimate driver belonging to EaseUS Partition Master in order to gain raw disk access and manipulate the target hard disk.

HermeticRansom (Partyticket) Malware

The Russian activity brought with it more attacks that aren't necessarily linked to the Russian government but have been seen targeting Ukrainian assets during the conflict. ‘HermeticRansom’ (AKA PartyTicket) appears to be one of them. PartyTicket is ransomware written in Golang that aims to encrypt files on the target machine. The malware contains strings referencing U.S. systems, likely a political taunt.

PartyTicket was poorly written: its encryption process is inefficient, and the encryption key is initialized incorrectly, which makes it possible to decrypt the files the malware encrypted. This again raises the question of who originally wrote it.

Below you can see the timeline of the malware used to attack Ukraine in the latest cyber attack. 

Axon Threat Hunting Queries

Evasion - PowerShell Base64 Sleep Command

Upon communicating with a Discord server to download the 2nd stage, WhisperGate sleeps for a total of twenty seconds by executing, twice, a PowerShell command that sleeps for ten seconds.

The following query looks for these encoded commands over Hunters' 'EDR Process Creation Schema'. Hunters normalizes process creation logs from various products and stores them in the 'EDR_PROCESS_CREATION_EVENTS' table.

SELECT EVENT_TIME,
       AGENT_ID,
       INITIATING_PROCESS_NAME,
       INITIATING_PROCESS_UID,
       TARGET_PROCESS_NAME,
       TARGET_PROCESS_PATH,
       TARGET_PROCESS_COMMANDLINE,
       TARGET_PROCESS_UID
FROM INVESTIGATION.EDR_PROCESS_CREATION_EVENTS
WHERE DEVICE_PLATFORM = 'WINDOWS' AND
      LOWER(TARGET_PROCESS_NAME) = 'powershell.exe' AND
      -- base64 (UTF-16LE) of the PowerShell 'Start-Sleep -s 10' command;
      -- ILIKE rather than LOWER() + LIKE, since lowercasing the command line would break the case-sensitive base64
      TARGET_PROCESS_COMMANDLINE ILIKE '%-enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA%' AND
      -- WhisperGate disclosed on January 13, 2022
      EVENT_TIME > '2022-01-12 00:00:00'
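To see exactly what the LIKE pattern above is matching, here is an added Python example (not part of the original post) that pulls the -EncodedCommand argument out of a process command line, restores the base64 padding the pattern omits, decodes the UTF-16LE payload and flags Start-Sleep; the sample command lines are constructed.

```python
import base64
import re

# Constructed sample EDR process-creation command lines (not real telemetry)
SAMPLE_COMMANDLINES = [
    # WhisperGate-style encoded sleep, "==" padding dropped as the LIKE pattern allows
    "powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA",
    # benign encoded command (Get-Date): must decode but not be flagged
    "powershell.exe -NoP -EncodedCommand RwBlAHQALQBEAGEAdABlAA==",
    # no encoded argument at all
    "powershell.exe -Command Get-Process",
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENC_ARG = re.compile(r"\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
SLEEP_RE = re.compile(r"\bstart-sleep\b", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # restore padding the log or pattern may have dropped
    try:
        # PowerShell encodes the command as UTF-16LE before base64
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_encoded_sleep(cmdline):
    """True when the encoded payload is a Start-Sleep command."""
    decoded = decode_encoded_command(cmdline)
    return bool(decoded and SLEEP_RE.search(decoded))


def hunt(cmdlines):
    """Return (commandline, decoded payload) pairs for encoded Start-Sleep invocations."""
    return [(c, decode_encoded_command(c)) for c in cmdlines if is_encoded_sleep(c)]


if __name__ == "__main__":
    for cmd, decoded in hunt(SAMPLE_COMMANDLINES):
        print(f"{decoded!r} <- {cmd}")
```

Decoding rather than pattern matching also catches the same sleep when the argument is written as -e or -EncodedCommand, which the LIKE pattern does not.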

Command and Control - Outbound Network Requests to Discord

WhisperGate uses the Discord external attachment service to download the malware's 2nd stage. The Discord attachment service is known to be abused for malicious activity.

The following query aggregates processes that had network traffic to cdn.discordapp.com (which hosts Discord's attachment service) and provides statistics around them.

SELECT MIN(EVENT_TIME)                EARLIEST_TIME,
       MAX(EVENT_TIME)                LATEST_TIME,
       COUNT(DISTINCT AGENT_ID)       NUM_AIDS,
       ARRAY_AGG(DISTINCT AGENT_ID)   ARRAY_AIDS,
       ARRAY_AGG(DISTINCT REMOTE_IP)  ARRAY_REMOTE_IPS,
       INITIATING_PROCESS_NAME,
       INITIATING_PROCESS_PATH,
       INITIATING_PROCESS_COMMANDLINE,
       INITIATING_PROCESS_HASH_SHA256,
       LOWERED_DOMAIN
FROM INVESTIGATION.EDR_NETWORK_EVENTS
WHERE DEVICE_PLATFORM = 'WINDOWS' AND
      LOWERED_DOMAIN = 'cdn.discordapp.com' AND
      -- excluding Discord, browser executables and network services
      LOWER(INITIATING_PROCESS_NAME) NOT IN ('discord.exe', 'chrome.exe', 'msedge.exe', 'firefox.exe', 'svchost.exe') AND
      -- WhisperGate disclosed on January 15, 2022
      EVENT_TIME > '2022-01-14 00:00:00'
GROUP BY DEVICE_PLATFORM, INITIATING_PROCESS_NAME, INITIATING_PROCESS_PATH, INITIATING_PROCESS_COMMANDLINE, INITIATING_PROCESS_HASH_SHA256, LOWERED_DOMAIN

 

Wiper Activity - File Corruption

WhisperGate's main goal is to destroy and corrupt the files on the disk. It achieves that by overwriting the start of each targeted file with 1MB of static data.

Once a file has been corrupted, the wiper appends a random four-byte extension to the file name, for example: file.9876

The following query aggregates a large number of rename operations to a four-byte extension within a one-hour interval over Hunters' EDR File Events Schema. Hunters normalizes EDR file events such as rename, deletion, and creation from various EDR products into the 'EDR_FILE_EVENTS' table.

SELECT MIN(EVENT_TIME)                       EARLIEST,
       MAX(EVENT_TIME)                       LATEST,
       AGENT_ID,
       INITIATING_PROCESS_NAME,
       INITIATING_PROCESS_UID,
       INITIATING_PROCESS_HASH_SHA256,
       -- distinct count of renamed target files
       COUNT(DISTINCT TARGET_FILE_NAME)      NUM_FILE_NAMES,
       ARRAY_AGG(DISTINCT TARGET_FILE_NAME)  ARRAY_FILE_NAMES,
       TARGET_FILE_EXTENSION
FROM INVESTIGATION.EDR_FILE_EVENTS
WHERE TARGET_FILE_ACTION = 'rename' AND
      DEVICE_PLATFORM = 'WINDOWS' AND
      -- random four-byte extension
      LEN(TARGET_FILE_EXTENSION) = 4 AND
      -- WhisperGate disclosed on January 13, 2022
      EVENT_TIME > '2022-01-12 00:00:00'
-- aggregation by one-hour interval and initiating process data
-- (DATE_TRUNC keeps the date; DATE_PART(HOUR, ...) would merge the same hour of different days)
GROUP BY DATE_TRUNC('HOUR', EVENT_TIME), AGENT_ID, TARGET_FILE_EXTENSION, INITIATING_PROCESS_NAME, INITIATING_PROCESS_UID, INITIATING_PROCESS_HASH_SHA256
-- target count condition
HAVING NUM_FILE_NAMES > 400
ORDER BY NUM_FILE_NAMES

HermeticWiper

HermeticWiper Driver Installation

HermeticWiper abuses a legitimate EaseUS Partition Master driver in order to gain direct raw disk access and manipulate all relevant disks. The wiper stores four driver builds, one per supported OS version and architecture, in one of its data sections and drops the matching one into the system32\drivers directory under a randomly generated four-character name.

The following query looks for files with a randomly generated four-character name and a 'sys' extension written to system32\drivers whose hash matches one of the four EaseUS driver versions.

-- HermeticWiper Driver Installation
SELECT EVENT_TIME,
       AGENT_ID,
       PARENT_PROCESS_NAME,
       INITIATING_PROCESS_NAME,
       INITIATING_PROCESS_PATH,
       INITIATING_PROCESS_COMMANDLINE,
       INITIATING_PROCESS_HASH_SHA256,
       TARGET_FILE_NAME,
       TARGET_FILE_PATH,
       TARGET_FILE_HASH_SHA256
FROM INVESTIGATION.EDR_FILE_EVENTS
WHERE TARGET_FILE_ACTION = 'create' AND
      DEVICE_PLATFORM = 'WINDOWS' AND
      TARGET_FILE_EXTENSION = 'sys' AND
      -- driver is written with a random four-character name
      LEN(REGEXP_SUBSTR(TARGET_FILE_NAME, '([^/]*)[\.]', 1, 1, 'e', 1)) = 4 AND
      -- driver is written to the \system32\Drivers directory
      TARGET_FILE_PATH ILIKE '%\\Windows\\system32\\Drivers\\%' AND
      TARGET_FILE_HASH_SHA256 IN (
          -- EaseUS x64 architecture
          '96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84',
          -- EaseUS x86 architecture
          '8c614cf476f871274aa06153224e8f7354bf5e23e6853358591bf35a381fb75b',
          -- EaseUS x64 XP architecture
          '23ef301ddba39bb00f0819d2061c9c14d17dc30f780a945920a51bc3ba0198a4',
          -- EaseUS x86 XP architecture
          '2c7732da3dcfc82f60f063f2ec9fa09f9d38d5cfbe80c850ded44de43bdb666d') AND
      -- HermeticWiper disclosed on February 23, 2022
      EVENT_TIME > '2022-02-22 00:00:00'

HermeticRansom

HermeticRansom's encryption process has a distinctive step: it clones a uniquely named copy of its executable for every encryption operation. The following query looks for this cloning behavior by identifying multiple copy operations of binaries named with a randomly generated universally unique identifier (UUID) within a short time frame.

SELECT MIN(EVENT_TIME)                                  EARLIEST,
       MAX(EVENT_TIME)                                  LATEST,
       AGENT_ID,
       INITIATING_PROCESS_NAME,
       INITIATING_PROCESS_UID,
       INITIATING_PROCESS_HASH_SHA256,
       COUNT(DISTINCT TARGET_PROCESS_COMMANDLINE)       DC_TARGET_COMMANDLINE,
       ARRAY_AGG(DISTINCT TARGET_PROCESS_COMMANDLINE)   ARRAY_COMMANDLINE
FROM INVESTIGATION.EDR_PROCESS_CREATION_EVENTS
WHERE -- matching the HermeticRansom child-process copy command line (copy <self> <uuid>.exe);
      -- REGEXP_LIKE matches the whole string, hence the leading and trailing .*, and the
      -- backslashes are doubled so the string literal passes \b and \. through to the regex engine
      REGEXP_LIKE(TARGET_PROCESS_COMMANDLINE, '.*cmd /c copy.*\\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\.exe.*') AND
      DEVICE_PLATFORM = 'WINDOWS' AND
      -- HermeticRansom disclosed on February 23, 2022
      EVENT_TIME > '2022-02-22 00:00:00'
-- aggregation by one-minute interval (DATE_TRUNC keeps the date and hour) and initiating process data
GROUP BY DATE_TRUNC('MINUTE', EVENT_TIME), INITIATING_PROCESS_UID, INITIATING_PROCESS_NAME, AGENT_ID, INITIATING_PROCESS_HASH_SHA256
HAVING DC_TARGET_COMMANDLINE > 5
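The WhisperGate rename query and this HermeticRansom copy query share one aggregation pattern: bucket events by time, then count distinct targets per agent and initiating process. The following Python is an added example, not code from the original post, that implements that aggregation over constructed sample events (the agent IDs, process names, paths and timestamps are made up) and applies it to both cases.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# HermeticRansom clone step: cmd /c copy <self> <random UUID>.exe
UUID_COPY_RE = re.compile(
    r"cmd /c copy.*\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.exe", re.I)

def bucket_start(ts, bucket):
    """Truncate to the start of the hour/minute (DATE_TRUNC, not hour-of-day)."""
    if bucket == "hour":
        return ts.replace(minute=0, second=0, microsecond=0)
    return ts.replace(second=0, microsecond=0)

def find_bursts(events, selector, bucket, threshold):
    """events: (time, agent_id, initiating_process, target) tuples already filtered to
    the action of interest. Returns {(bucket_start, agent, process): distinct-target
    count} for every group whose count exceeds threshold."""
    seen = defaultdict(set)
    for ts, agent, proc, target in events:
        if selector(target):
            seen[(bucket_start(ts, bucket), agent, proc)].add(target)
    return {k: len(v) for k, v in seen.items() if len(v) > threshold}

def has_four_char_extension(filename):
    """WhisperGate appends a random four-character extension, e.g. file.9876."""
    return "." in filename and len(filename.rsplit(".", 1)[1]) == 4

# Constructed sample events (not real telemetry): 450 renames by one process on AGENT-1
# within one hour, five benign .docx renames on AGENT-2, and eight UUID-named copies
# plus one ordinary copy on AGENT-3, all inside one minute.
T0 = datetime(2022, 2, 24, 9, 0, 0)
RENAMES = [(T0 + timedelta(seconds=5 * i), "AGENT-1", "stage2.exe", f"doc{i}.9f3a")
           for i in range(450)]
RENAMES += [(T0 + timedelta(minutes=i), "AGENT-2", "winword.exe", f"report{i}.docx")
            for i in range(5)]
COPIES = [(T0 + timedelta(seconds=i), "AGENT-3", "partyticket.exe",
           f"cmd /c copy C:\\tmp\\pt.exe C:\\tmp\\{i:08x}-1111-2222-3333-444444444444.exe")
          for i in range(8)]
COPIES.append((T0, "AGENT-3", "cmd.exe", "cmd /c copy C:\\tmp\\a.txt C:\\tmp\\b.txt"))

if __name__ == "__main__":
    print(find_bursts(RENAMES, has_four_char_extension, "hour", 400))   # AGENT-1: 450
    print(find_bursts(COPIES, UUID_COPY_RE.search, "minute", 5))        # AGENT-3: 8
```

The benign .docx renames pass the four-character extension filter but stay under the threshold, which is why the count condition, not the extension length, carries the detection.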

We hope you find these helpful. Subscribe to our blog to stay up-to-date with the latest research findings and rapid response campaigns by the Hunters team.