A recent cyber-attack on South Korean broadcasting and banking infrastructure reportedly brought down over 35,000 systems. This attack has drawn comparisons, in both intent and method, to the recent wiping attack against Saudi Aramco by the Shamoon malware. Shamoon has been covered extensively by the community, and was covered in Fidelis Threat Advisory #1007. Naturally our curiosity was piqued, and we acquired samples of the malware and started analysis.
The initial analysis has been posted on the Fidelis Threat Geek blog and will be expanded upon in this advisory. This write-up will focus on the wiper malware used and the recovery techniques that are possible.
From preliminary analysis it is known that the malware overwrites the Master Boot Record (MBR) and Volume Boot Record (VBR). The records and files overwritten by the malware so far have been wiped with repeating patterns of 'HASTATI' or 'PR!NCPES'.
The malware samples that have been analyzed by our team are different in code and function from the Shamoon malware. However, by using the same recovery methods found in advisory #1007 the files and data are indeed recoverable.
Yesterday brought news that a cyber-attack caused widespread data destruction in the South Korean banking and media sectors. Researchers at General Dynamics Fidelis Cybersecurity Solutions obtained a copy of the malware involved in the attack and have some preliminary results to share. Our compliments to the talented folks at AlienVault Labs, whose research on this subject can be viewed on their blog.
For purposes of our research, we’ll call this specimen “239ed75323.exe”. It’s a malicious file capable of wiping data on disk drives. One of the areas it targets is the disk’s Master Boot Record (MBR), without which a computer cannot load its operating system. Multiple variants of this malware were observed in the community.
The malware writes a 512-byte pattern to the disk, consisting of the word “HASTATI” repeated end to end.
It was observed that the malware didn’t overwrite this pattern over the whole disk, so there is still data that can be recovered. We will release further information on a recovery process in an advisory to follow shortly.
The malware also tries to shut down security tools from the following two South Korean companies:
- AhnLab, Inc. (AhnLab Policy Agent process)
- HAURI Inc. (ViRobot ISMS process)
The file we examined has the following attributes:
At time of analysis, antivirus tools identified the file as follows:
Reversing the file revealed some of the following code responsible for writing the wiping pattern to the disk:
General Dynamics Fidelis Cybersecurity Solutions researchers detonated the malware in a controlled environment and confirmed that it does indeed overwrite the disk with a repeating “HASTATI” pattern. The following shows the affected areas of the VMDK disk before and after they were overwritten with the pattern:
First area at disk offset 0x3D0000 (location of MBR in virtual disk):
Second area at disk offset 0x3D7000 (location of VBR in virtual disk):
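To triage an image after an incident like this one, an analyst wants to know which sectors were actually overwritten and whether the MBR signature survived. The scanner below is an added example, not code from the Fidelis advisory: it walks a raw disk image in 512-byte sectors and reports every sector that consists solely of one of the wiper strings the advisory names (“HASTATI” or “PR!NCPES”). The sector size, the tolerance for the repetition starting at any phase within the sector, and the sample image are my assumptions.

```python
# Added example (not from the Fidelis advisory): locate sectors of a raw disk
# image that were fully overwritten with the wiper's repeating strings.
SECTOR = 512
# Strings reported on the page; the sector-level repetition check is mine.
WIPE_PATTERNS = (b"HASTATI", b"PR!NCPES")

def _fills(sector: bytes, pattern: bytes) -> bool:
    """True if `sector` is `pattern` repeated end to end, at any starting phase.
    512 is not a multiple of 7, so a HASTATI sector ends mid-word; the phase
    loop also tolerates a write that did not start on the word boundary."""
    reps = pattern * (SECTOR // len(pattern) + 2)
    return any(sector == reps[p:p + SECTOR] for p in range(len(pattern)))

def find_wiped_sectors(image: bytes, patterns=WIPE_PATTERNS):
    """Return [(byte_offset, pattern_name)] for every fully wiped sector."""
    hits = []
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        sector = image[off:off + SECTOR]
        for pat in patterns:
            if _fills(sector, pat):
                hits.append((off, pat.decode()))
                break
    return hits

def wipe_summary(image: bytes) -> dict:
    """Counts plus two quick MBR checks: wiped at offset 0, and 0x55AA signature."""
    hits = find_wiped_sectors(image)
    return {
        "wiped": len(hits),
        "total": len(image) // SECTOR,
        "mbr_wiped": any(off == 0 for off, _ in hits),
        "mbr_signature_ok": image[510:512] == b"\x55\xaa",
    }

def build_sample_image() -> bytes:
    """Constructed 16-sector image (not a real capture): MBR wiped with HASTATI,
    sector 8 wiped with PR!NCPES, sector 4 only partially touched."""
    img = bytearray(SECTOR * 16)
    img[0:SECTOR] = (b"HASTATI" * 74)[:SECTOR]
    img[0x1000:0x1000 + SECTOR] = b"PR!NCPES" * 64
    img[0x800:0x800 + 7] = b"HASTATI"          # partial write: must NOT count
    return bytes(img)

if __name__ == "__main__":
    img = build_sample_image()
    for off, name in find_wiped_sectors(img):
        print(f"sector at 0x{off:X} wiped with {name}")
    print(wipe_summary(img))
```

Against a real VMDK or dd image, read the file in chunks rather than loading it whole, and treat sectors that are not flagged here as candidates for the file-carving recovery described in advisory #1007.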
According to Wikipedia, the word “HASTATI” refers to “a class of infantry in the armies of the early Roman Republic who originally fought as spearmen, and later as swordsmen. They were originally some of the poorest men in the legion, and could afford only modest equipment, light armour and a large shield, in their service as the lighter infantry of the legion. Later, the Hastati contained the younger men rather than just the poorer, though most men of their age were relatively poor. Their usual position was the front battle line of the legion. They fought in a quincunx formation, supported by light troops.” J. Rickard, writing in a December 2002 article on HistoryOfWar.org, adds “the Hastati were expected to take the first clash of battle and blunt the enemy attack before the second line, the Principes took over and won the battle.”
The following are the two processes the malware tries to shut down or kill:
Command executed: “taskkill /F /IM pasvc.exe”
Online research associates the “pasvc.exe” with a process from a company called AhnLab, Inc.
AhnLab, Inc. is a security software company in South Korea. The company sells antivirus software.
Specifically, online research suggests that this process is associated with the AhnLab Policy Agent.
Command executed: “taskkill /F /IM Clisvc.exe”
Online research associates the “Clisvc.exe” with a process from a company called HAURI Inc.
HAURI Inc. is a security software company in South Korea.
Specifically, online research suggests that this process is associated with the HAURI Inc. ViRobot ISMS security tool.
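The two `taskkill` commands above are a simple, high-fidelity detection opportunity: a process-creation telemetry feed will show `taskkill` launched against the endpoint agent moments before the wipe. The code below is an added example, not part of the original advisory; it parses constructed key="value" process-creation records (my format, modelled loosely on Sysmon event 1 fields) and flags any `taskkill /IM` aimed at the two image names the advisory reports.

```python
# Added example (not from the advisory): flag process-creation records where
# taskkill is used to force-kill the security-agent processes named on the page.
import re

# Image names the advisory reports the malware killing; extend per environment.
PROTECTED_IMAGES = {"pasvc.exe", "clisvc.exe"}

# Constructed record format: space-separated key="value" pairs (assumption).
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_record(line: str) -> dict:
    """Turn one key="value" record into a dict."""
    return dict(FIELD_RE.findall(line))

def taskkill_targets(cmdline: str) -> set:
    """Image names (lower-cased) passed to taskkill via /IM; empty if the
    command is not taskkill. Handles full paths and any option order."""
    toks = cmdline.replace('"', "").split()
    if not toks:
        return set()
    exe = toks[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("taskkill", "taskkill.exe"):
        return set()
    targets = set()
    for i in range(1, len(toks) - 1):
        if toks[i].upper() == "/IM":
            targets.add(toks[i + 1].lower())
    return targets

def flag_av_kills(lines):
    """Return (ProcessId, ParentImage, [killed images]) for each record whose
    taskkill targets intersect PROTECTED_IMAGES."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        killed = taskkill_targets(rec.get("CommandLine", "")) & PROTECTED_IMAGES
        if killed:
            hits.append((rec.get("ProcessId"), rec.get("ParentImage"), sorted(killed)))
    return hits

# Constructed sample telemetry (not real logs); parent path is hypothetical.
SAMPLE_LOG = [
    'EventId="1" ProcessId="4120" ParentImage="C:\\Users\\u\\239ed75323.exe" CommandLine="taskkill /F /IM pasvc.exe"',
    'EventId="1" ProcessId="4124" ParentImage="C:\\Users\\u\\239ed75323.exe" CommandLine="taskkill /F /IM Clisvc.exe"',
    'EventId="1" ProcessId="5000" ParentImage="C:\\Windows\\explorer.exe" CommandLine="taskkill /F /IM notepad.exe"',
    'EventId="1" ProcessId="5001" ParentImage="C:\\Windows\\explorer.exe" CommandLine="C:\\Windows\\System32\\cmd.exe /c dir"',
]

if __name__ == "__main__":
    for pid, parent, killed in flag_av_kills(SAMPLE_LOG):
        print(f"pid {pid} from {parent} killed {', '.join(killed)}")
```

The parent image is the useful pivot: a non-interactive, unsigned binary spawning `taskkill` against the AV agent is far more suspicious than an administrator doing the same from a console.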
Researchers from the General Dynamics Fidelis Cybersecurity Solutions Network Defense and Forensics and Threat Research teams continue to monitor and study this event. Results of our research into a process for recovering a system infected by this attack will be released shortly.