
Digital Scorched Earth: Understanding APT-Driven Cyber Destruction

BSides Prague, 45:51, 101 views, published 2024-04 (YouTube)

Hi, welcome to my talk, Digital Scorched Earth: Understanding APT-Driven Cyber Destruction. In this talk we will try to understand how and why nation-state actors use wipers as a cyber weapon of war, and we'll dive into our novel research about a super interesting recent campaign we discovered of an Iranian APT, Agonizing Serpens, targeting organizations in the Middle East to advance its geopolitical agenda. I'm Or Chechik, a principal security researcher from Palo Alto Networks. I love low-level research, Windows internals, reverse engineering, etc. Before we review the agenda for today, I'd like to thank my colleagues Daniel and Assaf, whom I worked with on this research and the blog post. They couldn't attend this conference, but they deserve the credit as much as I do.

So, as for the agenda for this talk: we will talk about wipers in general, then we'll provide some brief history about the usage of wipers by APT groups, then we'll discuss how wipers work and why and how threat actors use them as digital weapons of mass destruction. Then we'll dive into our research of an ongoing Iranian APT campaign that targets organizations in the Middle East with wipers; we'll show the attribution process and the attack cycle as well as new TTPs, and finally discuss some key takeaways.

So let's begin with an introduction into wipers, into what a wiper actually is. If you ask ChatGPT, it'll tell you a wiper is a tool or device used for cleaning or wiping surfaces, such as the windshield wipers for vehicles or cleaning wipes for household surfaces. But now for real, what is a wiper? A wiper is a type of malware designed to cause destruction. It is built to destroy data, it is also built to render infected systems unusable, and some even use it to erase evidence of the malicious execution. A wiper differs from ransomware in that it aims to permanently destroy data without offering any means of recovery. If you look at a typical wiper execution, the wiper will iterate the user files and corrupt them, then it will corrupt the MBR, and finally reboot the system so the computer won't boot again.

And now let's overview some history about wipers used by nation-state actors. So over the past 12 years, and especially since the inception of the conflict in Ukraine, there have been numerous large-scale cyber attacks where nation-state actors used wipers as a cyber weapon of war. In this section we'll explore a few notable cases to grasp the impact such attacks can cause and examine how wipers serve as potent tools in cyber warfare and geopolitical conflicts. We carefully selected a few cases that we believe will convey the message and get the point across. We'll start off with Shamoon, an Iranian APT targeting Saudi Arabia; then we'll discuss Dark Seoul, Jokra, which is a wiper used by a North Korean APT targeting South Korea; later we'll talk about the notorious NotPetya, a wiper used by a Russian APT originally targeting Ukraine but which, due to its self-propagation capabilities, became the most devastating malware to date; and lastly we'll talk about HermeticWiper, a wiper used by a Russian APT targeting Ukraine amid the war between Ukraine and Russia. As for Agonizing Serpens, the last one you see, that's our research, which is the new and most interesting part of this talk; it will have its own section later on.

So, Shamoon. Shamoon is actually one of the earliest instances of a wiper used by an APT group. It made its headlines around 2012 with its attacks on Saudi Aramco, which is the Saudi Arabian state-owned national oil company. In that attack Shamoon actually wiped around 30,000 systems; it replaced the files with propaganda images. Then in 2016 it returned again and infected various organizations in the Persian Gulf, including the Saudi Arabian General Authority of Civil Aviation. Over the years it got better: it upgraded its techniques, started overwriting files with random data and using a third-party driver (the driver it used was named ElDos RawDisk) to overwrite the MBR. Researchers attributed Shamoon to an Iranian group called APT33, and it is believed the motivation behind the attack was geopolitical: they wanted to inflict significant economic and reputational damage on Saudi Arabia.

Now let's move to another example, Dark Seoul. In 2013 the computer networks of three large banks in South Korea and two of, I think, the largest TV channels were shut down. Many citizens were in shock and were unable to withdraw money from ATM machines or watch their favorite TV channel. The organizations were attacked by a wiper named Jokra, which corrupted the files on the infected systems and the MBR. The attack itself happened during heightened tensions between North and South Korea, with a history of North Korea engaging in cyber operations to advance its geopolitical agenda. Researchers found a lot of similarities between this attack and previous attacks by a group named Lazarus Group, which is a North Korean APT group.

Let's move to our next example. I'm sure most of you recognize this screen, and what is the next example? Yes, the notorious NotPetya. So NotPetya first emerged in 2017 masquerading as ransomware, but with a fake ransom: it means that even if the ransom was paid, there was actually no way to recover the data. NotPetya initially targeted organizations in Ukraine when it started, but due to the fact that it used the NSA exploit EternalBlue, it quickly spread globally. Researchers found that the patient zero for the attack was actually an update server for a popular Ukrainian accounting software; the attackers breached that server and planted their software there as a watering hole to distribute their malware. As for technical analysis, NotPetya infected the MBR with its own bootkit; that bootkit then encrypted the MFT, making the computer unable to boot and unable to access its files. We'll talk more about the MBR and MFT and all those subjects later on when we talk about wiper techniques. This attack also happened amid heightened tensions between Ukraine and Russia, and it appeared to be a politically motivated attack that many attribute to the Russian GRU and a state-sponsored actor named Sandworm.

And now we're getting to our last example, HermeticWiper. HermeticWiper is another Russian example; it was used just hours before the Russian invasion. A campaign of this wiper targeted hundreds of systems in at least five Ukrainian organizations. That wiper destroys the MBR of the infected system as well as the MFT, like NotPetya, and other important files, using a benign partition manager driver from EaseUS, so it actually uses a similar technique to Shamoon, just using a different driver. Since the beginning of 2022 there have been 25 wiper attacks observed in Ukraine, and most of those attacks were attributed to the Russian APT Sandworm.

So this was the last example, and now we can kind of understand the impact wipers can have, and we will now delve into the motivation behind using a wiper as a cyber weapon of war. As we understood, wipers serve as an important tool in the realm of cyber warfare and geopolitical conflicts. Wipers can cause real-world consequences for individuals, businesses, even governments, and as we saw, there have been numerous large-scale cyber attacks orchestrated by nation-state actors that use wipers as a cyber weapon of war. But why do they do it? They actually do it to advance their geopolitical agenda in conflicts, and they achieve it in many ways: they can do it by crippling adversaries' capabilities, they can do it by causing chaos by making computers not work, they can do it by sowing fear, and they can do it just to deliver a political statement without even shooting a bullet or a rocket.

So do you think attribution to a specific nation-state actor is actually important? Do we need to attribute an attack to an APT? I think yes, especially when it comes to nations: nations want to know if they got attacked, and they want to know who is the responsible party. They want to do it mainly because of politics; they want to know so they could protect their national security, they want to do it to deter future attacks, and they want to maintain international relations. However, it's extremely difficult to do so, because there are actually many tactics that nation-state actors use to complicate attribution by researchers. Let's review a few of the known tactics that they use. A wiper by itself is used to destroy evidence, by destroying hard disks, logs and files, and in some cases they even remove their own executable. So if you want to do hard disk forensics and attribution you'll need at least the executable and logs, so it makes attribution really difficult. Also, nation-state actors sometimes conduct false flag operations, which means that they will leave misleading clues for the researchers, so they will attribute that attack to a different actor, even a different nation. We actually found one of those tactics in our research on Agonizing Serpens, where they wanted us to think it's a different nation altogether. Another tactic is using compromised infrastructure, where the attacker actually uses a proxy server or a botnet or a server that was just breached. And the last example is using proxy groups, where they use a different group and instruct them to take responsibility for that attack. So as we now understand, the nature of wiper attacks coupled with these tactics makes attribution really difficult.

Now we've finished with the history section; let's start with the techniques section, so we can actually understand the inner mechanics of wipers, not only what they already did. Let's start with the first technique that is used by wipers, which is file discovery. A wiper begins by searching for files to destroy. They do it by recursively iterating through the file system using Windows APIs like FindFirstFile and FindNextFile, and they're actually implemented to do as much damage as possible without crashing the system. So many of those wipers will implement different ways to keep the stability of the system while they run; they don't want to overwrite anything that will cause the system to crash. What they do in order to avoid that is delay, skip or prioritize certain targets, files or paths. If we look at the code snippet on the right, you can see an example of a typical wiper's file discovery function, where it uses the Windows APIs FindFirstFile and FindNextFile to recursively iterate through the file system directories and wipe files. When it finds the path of a folder it calls the recursive function again, but when it's a file it calls the wipe file function on that path.

So when you naively think of a wipe function (you don't see the implementation here), you think about a function that just deletes the file, right? However, this approach might not be as effective as you might think. Deletion is not enough. Why is that? Because of the way file deletion works. If you want to learn a bit about how file deletion works, let's look at the MSDN documentation on the screen, at the highlighted text: when files are deleted from an NTFS file system volume, their MFT entries are marked as free and may be reused; however, the space that has been allocated for those entries is not reallocated, and the size of the MFT does not decrease. So let's just explain what we just read. The NTFS file system has a file called the MFT, the Master File Table. It holds metadata for every file in the file system, like where the data is stored and how big the data is. So when the operating system deletes a file from disk, the deletion will not be effective, because the data can still be recovered; the content itself is not touched, the file is only marked as deleted in the MFT itself, in the table. So let's say we have a wiper that wants to delete a file: if it just deletes the file, the data can still be found. You can search for it on the hard disk with file carving techniques that are used in digital forensics. And that is why, you might understand now, NotPetya actually destroyed the MFT: it didn't want people to access the files.

So with all that knowledge we can now understand why we're going to look into the next technique, file overwrite. To make files unrecoverable you need to overwrite them before you delete them, and most wipers do just that. Some of them overwrite just a few bytes and some of them overwrite the entire file, and overwriting the entire file is actually a very costly operation. If we look at the code snippet on the right, you see that the code overwrites the entire file by determining its file size using the WinAPI GetFileSize; it allocates memory of the same size it found and then overwrites the file using WriteFile. WriteFile is actually the most common way that wipers do it, but it's not the only way; there are more unique ways that you could do it. For example, we have a wiper known by the name DoubleZero; it's a wiper that was used against Ukraine, and it was able to overwrite files with zeros using an API called NtFsControlFile with the file system control code FSCTL_SET_ZERO_DATA. By calling this API, this wiper was able to instruct the file system driver to overwrite the file for it with zeros.

And now we're going to go into our next technique, disk destruction. Many wipers make sure to overwrite the MBR of the disk by the end of their execution, to make the computer not boot again. They do it to actually create chaos and disruption, so the operations of the organization won't work again. What is the MBR? The MBR is actually the first sector of the disk, and it tells the OS how to boot the operating system; if the MBR is destroyed, the computer won't boot. If we look at the code snippet on the right, it's another typical implementation used by many wipers to corrupt the MBR. It uses the CreateFileW WinAPI with the parameter \\.\PhysicalDrive0, which is a way to get raw access to the first sector of the disk, and then uses WriteFile to corrupt it. Another example is by using IOCTLs. It became really popular among wipers to use this technique because it could be more evasive against EDRs and security solutions, because the wiping itself is done by the kernel: the wiper will let the file system driver do the wiping for it by sending an IOCTL, which is an input/output control code, which is basically an operation to tell the device driver to do something for you. The last example is third-party drivers. It's also a very effective approach that they use, and it's very similar to the IOCTL approach, just that the driver is not a Microsoft one, it's actually a third-party one. The reasons for using third-party drivers are a lot like those for IOCTLs, in that a lot of security solutions will get bypassed by this technique because it happens in a driver. Another reason is that attackers really don't want to invest their own time into writing drivers that could crash the operation and could actually alert the security teams about a breach. Another reason is that they'd have to sign their drivers, because in modern Windows systems you can't load an unsigned driver, so they would also need to bypass this security mechanism. In both cases of IOCTLs and third-party drivers, the attacker will communicate with the driver, usually with DeviceIoControl, with some sort of IOCTL that they found beforehand, to instruct the driver to wipe the MBR.

The next example we're going to look into is reboot, and it is the last one we cover. To finish its execution, the wiper will initiate a reboot. The wiper does that so it makes sure that the changes it made to the MBR will take effect immediately and will make the computer unable to boot. If you write computer software that corrupts the MBR just now, it won't take effect until the computer is rebooted, so it has to make sure that happens. If you look at the code snippet on the right, it's another typical reboot function used by wipers, where the wiper adjusts its privileges to have the shutdown privilege and then initiates the reboot using the WinAPI ExitWindowsEx. There are several methods that a wiper can use to reboot the system, but the common ones are described here: NtRaiseHardError and terminating a critical process will cause the system to crash, which will result in a blue screen of death and ultimately a reboot; ExitWindowsEx and InitiateSystemShutdownEx can initiate the system shutdown, which then will cause a reboot.

So this was our last technique covered. Do you think this knowledge that we just covered can be useful to defenders? I think it is. If you know the way a wiper works, researchers and analysts can use this data for threat hunting, detection and prevention. Let's say you have this kind of data in your hands: driver load events, file events and WinAPI events. Let's have some examples of how you could use them. Let's say you use a driver load event: you'll add a rule for when a bad driver was loaded, let's say the one that Shamoon used, ElDos RawDisk; if it was loaded it could be bad, and it's a good indication. Another example would be WinAPI events: let's say someone opens a file handle to PhysicalDrive0 and then calls a reboot API, some of the ones I showed you earlier. And let's look at the last example: let's say you can actually see that a program is using CreateFile to open lots of files with write access, and it actually writes to a lot of files, then it uses an API to elevate its privileges to have the capability to shut down the system, and then it initiates a reboot. All those are fine and all, but you need to understand that when dealing with wipers it's preferable to actually have rules that will block, but if you don't, and you have too many false positives, then you've got to have something.

So now we're getting into the most interesting part of this talk, Agonizing Serpens, and some of you know this APT by its SentinelOne name, Agrius. We investigated a series of destructive cyber attacks and we were able to attribute the attacks to an Iranian APT group we named Agonizing Serpens. We were able to find novel wipers and tools that the group used in their attacks, and reveal that they recently started using new capabilities and techniques to attempt to bypass EDRs. We actually named the group after one of the wipers that we found, BFG Agonizer; we're going to talk about this too soon. So who is Agonizing Serpens? This group has been active since 2020; it is known for its wiper and fake ransomware attacks, and it mainly attacks organizations in the Middle East. In most of the recent attacks that we investigated they actually didn't request ransom, and the attacks were potentially just causing data loss for the organizations and operational disruption by wipers. Those attackers have two goals: the first is stealing sensitive information, which they then publish on social media and Telegram channels, and the other one is to wreak havoc and cause damage to as many endpoints as they can get their hands on. As for why they actually steal the data and do it, it is actually to sow fear and maybe cause reputational damage to the organization or the nation they did it to.

So this timeline outlines an attack from the beginning of October. We found the mentioned attacks by looking at our telemetry; our first indication that led us to investigate those attacks were attempts to terminate a security solution using a vulnerable driver, and looking into very suspicious web shell activity. In our presentation we'll focus on the reconnaissance from the web server on October 5th, data exfiltration on the 7th and data destruction on the 8th. Our focus in this presentation is to present the attack cycle and the attribution process rather than a regular technical analysis of those attacks. In this specific one they actually managed to traverse from the DMZ to the internal network, gain domain admin access and compromise the DC in under 4 days, which is an exceptionally fast progression.

Now let's start with the reconnaissance that happened on the 5th. The attackers gained access to the organization's environment by exploiting the web servers; they deployed multiple web shells, which granted them a foothold in the network. As you can see, the web shells contain kind of the same code; it's actually kind of identical. If you look at the left, that's from a SentinelOne report, and the right is ours, a new one; the only difference is the name of the function. The web shells they use appear to be a variation of ASPXSpy. Let's review another web shell that they used; this one was named uploader ASP, and they actually used it to upload their tools into the network. We found similarity in that code to a previous attack as well; as you can see, their code is almost identical as well. Now let's see some of the commands the group used. Shortly after the attackers deployed the web shells, they started to execute reconnaissance commands as well as upload their files into the server. We can see, using this child process relationship, that the parent of the cmd is actually w3wp, which is the process for IIS. So let's see what tools they brought and how they ran them. They mainly brought network scanners, and later wipers and tools for the destruction. They started mapping out the network using a lot of known and publicly available scanners: they used NBTscan to scan the network for existing hosts, and they used WinEggDrop to scan a particular host. As you can see in the pictures, those scanners were also executed via the web shell, so at this point they were actually trying to figure out where they are and where they can move inside the network. One of the scanners was actually a very interesting case: it was a scanner named NimScan, and this particular scanner we think was a false flag intentionally deployed by the attacker to mislead us into believing the attack originated from a Chinese APT. If you look up the hash they used, you will see it is mentioned inside the Bitdefender report for an APT called BackdoorDiplomacy. This APT actually targets the Middle East and aligns with our target, which is also inside the Middle East. We, however, were not fooled or misled, and continued investigating.

And I will show how the attackers attempted to exfiltrate data. We found that they used a tool they wrote called SQL Extractor, which was capable of dumping SQL databases into CSV files. This tool received parameters such as the connection string, the query, the table and the number of records; it then wrote the data, when it was executed, into a hardcoded path, C:\Windows\Temp\s, and they used it to dump tables from the databases of the organization they attacked. Now let's look at its execution. If you look at the bottom picture here, you see the tool writing a bunch of CSV files; each CSV file was a table extracted from the SQL server. If you look at the top picture, you can see the SQL tool execution by the web shell and the actor actually preparing the stolen data for exfiltration later by archiving the CSV files. Now we'll see how they actually sent it off: they used WinRAR and PSCP, and if you take a closer look you can see that the attacker didn't care about exposing their passwords in clear text.

And now we'll move into the data destruction phase. To execute the data and evidence destruction phase, they deployed various wipers. Out of all the wipers they used, three novel wipers stood out; we discovered that those wipers had never been seen or published before. They weren't on VT then, and even if you search for them on VT now, you won't find them, since those are all new. We named them based on indicators such as the PDB path and the name that the actor had already given the tools. For example, PartialWasher was a completely custom tool, while BFG Agonizer seems to have its code taken from public repositories. In this talk we would like to focus on MultiLayer, a .NET wiper that we think has a lot of similarities with other tools used by the group. Those similarities that we found greatly aided in attributing this to the actor. We believe MultiLayer is a new variant of Apostle, which is a wiper previously used by the same group. So now let's take a look at MultiLayer's similarities to the previous tools of Agonizing Serpens: Apostle, IPsec Helper and Fantasy.

Looking at the left, you can see the self-delete function of MultiLayer, and on the right you see the self-delete function of IPsec Helper and Apostle. If you look at the function name, the prototype, the full path name, the command line, they are all the same. Another similarity we found was inside the recursive directory listing code. We can see MultiList in the upper picture, which is actually one of MultiLayer's components; as its name suggests, it had two other components inside of it, MultiList and MultiWip, and its implementation of directory listing is very similar to the one we've seen in a previous tool, Fantasy. We can clearly see identical function names and variables. The last example of similarity is actually inside the reboot function of MultiLayer. We found a lot more examples, but we thought three is enough so you will get the point. We can see MultiLayer's implementation in the upper picture and Apostle at the bottom one; the implementation is nearly the same, by the name of the function and the usage of obfuscated strings by Apostle.

So actually all the wipers in this specific attack were blocked, and the actor tried to bypass those security solutions. We found that they used those anti-EDR techniques for the first time, actually adding a brand new set of techniques into their arsenal. They specifically targeted the installed EDRs for several days using various different techniques, but it didn't succeed. Each attempt made more sense than the last one, and it shows that this actor had troubleshooting skills and vast resources and research time: when they failed they tried something else, and they didn't give up. This shows a very motivated and persistent attacker. On the first day they attempted to manipulate the service auto-start functionality to prevent it from starting; they failed. On the second day they attempted to terminate the EDR by using a vulnerable driver, GMER. GMER is an anti-rootkit tool developed to remove rootkits from endpoints, but it is commonly abused by attackers to terminate EDR processes. They created a tool named drv that receives the target process ID for termination via the command line. The tool started by loading GMER into the kernel, then sent the PID to the driver using DeviceIoControl, which is an API used to communicate with device drivers, and then the GMER driver terminates the target PID via the ZwTerminateProcess API, which is a kernel API. If you look at the top picture, we can see the tool communicating with the driver using DeviceIoControl; it specified the PID as the input buffer and specified the IOCTL as the second argument. On the bottom picture you can see the IOCTL handler implementation in the driver itself, GMER, where the GMER driver is taking the PID out of the buffer sent by the user-mode component and sending it to the termination function it has in the same driver. A day later they made improvements to the tool because they failed again, and this time they replaced the vulnerable driver with a new one and updated the tool itself. If we look at the top picture, we can see the tool again communicating with the new driver using DeviceIoControl, and the driver at the bottom picture taking the PID out of the buffer sent to it. At the time, the PoC was very new; it had been up for only two weeks.

Now let's wrap up to see all the points we used to attribute this actor. We believe with a high level of confidence that the attacks mentioned are by the Iranian APT Agonizing Serpens. The MultiLayer wiper shows multiple code similarities and similar naming conventions to tools previously used by the group, and the attacker used a web shell variant that had the same code except for variable and function names, which they replaced each time they used it. The final step of the attacks, in all those attacks, had a scorched earth policy, where they used wipers to render all the endpoints they had unusable and just cover their tracks. And about the victims: all the victims were from Middle East organizations.

And now we have almost reached the end of our talk, so I would like to leave you with some key takeaways. The first takeaway is that, as we've seen, there were numerous large-scale cyber attacks that were orchestrated by nation-state actors; they used wipers to advance their agenda in geopolitical conflicts in a digital way; they didn't shoot a single bullet or a rocket, only digital. The second is that in cases of wiper or ransomware attacks, we understood that EDR logs can be very helpful, because in those cases logs and evidence are very limited. In our investigation we were able to reconstruct the entire timeline using EDR logs that were uploaded to the cloud, and a previous team that worked on this case that didn't use the EDR logs didn't get this far at all. The third takeaway is about having security hygiene and best practices, and those could actually prevent some of those attacks: organizations should always update their servers, they should implement segmentation (it seems obvious, but organizations don't do it, they actually don't), you should deploy security solutions on all your endpoints, and have backups as well as a recovery plan in case everything else fails. The last takeaway is actually about what we saw about Agonizing Serpens: we were able to identify three novel wipers and a custom exfiltration tool, and we saw that the group has been stepping up their game and has been investing resources into bypassing security solutions throughout all their operations.

So thanks everyone for attending my talk. If you'd like to read more about Agonizing Serpens, you can check it out on our blog on Unit 42 of Palo Alto Networks, and if anyone has questions, we have like one minute, you can just ask away. [Applause]

We have space for one or two questions.

Which code sample do you mean? The one... it's actually code. You mean the wiper techniques part? No, no, the end one. You mean for MultiLayer? Yes. So we had the code: we were able to get the executables by working with the organizations, and we actually got some logs and we were able to get hashes, but the hashes themselves were uploaded to a product we have called WildFire, which is a firewall from Palo Alto Networks, and the samples were saved there. They weren't on the endpoints anymore, they were removed by the attacker, but we were able to get them because they were uploaded to the firewall. Okay, thank you everyone.
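The three detection ideas from the techniques section of the talk (a watchlisted driver being loaded; a PhysicalDrive0 handle followed by a reboot API; mass file writes plus the shutdown privilege followed by a reboot) as a small ordered event correlator. This is an added example for this page, not code from the talk or from Unit 42; the event schema, the constructed sample stream, the placeholder driver file names and the 50-file threshold are all assumptions.

```python
"""Correlate EDR-style telemetry into the wiper indicators the talk sketches:
(1) a watchlisted raw-disk / rootkit-tool driver is loaded,
(2) a process opens \\.\PhysicalDriveN for writing and later calls a reboot API,
(3) a process overwrites many files, takes SeShutdownPrivilege, then reboots.
The event dicts below are a constructed schema, not any EDR's real format."""
from collections import defaultdict
from dataclasses import dataclass, field

# Illustrative watchlist (assumption): the talk names ElDos RawDisk (Shamoon) and
# GMER (Agonizing Serpens) as drivers worth alerting on; these names are placeholders.
DRIVER_WATCHLIST = {"rawdisk-driver.sys", "antirootkit-driver.sys"}
# Reboot paths listed in the talk's reboot technique.
REBOOT_APIS = {"ExitWindowsEx", "InitiateSystemShutdownEx", "NtRaiseHardError"}
RAW_DISK_PREFIX = "\\\\.\\PHYSICALDRIVE"   # \\.\PhysicalDriveN, compared upper-cased
MASS_WRITE_THRESHOLD = 50                  # distinct files written before rule 3 can fire


@dataclass
class ProcState:
    """Per-process facts the sequence rules need to remember."""
    raw_disk_write_handle: bool = False
    files_written: set = field(default_factory=set)
    shutdown_privilege: bool = False


def evaluate(events):
    """Walk an ordered event stream and return a list of (rule, pid) alerts.

    Rules 2 and 3 are sequence rules: the disk handle / writes / privilege must
    precede the reboot call for the same pid, which is the order a wiper needs,
    because MBR corruption only takes effect after the reboot."""
    state = defaultdict(ProcState)
    alerts = []
    for ev in events:
        pid, kind = ev["pid"], ev["event"]
        st = state[pid]
        if kind == "driver_load":
            if ev["driver"].lower() in DRIVER_WATCHLIST:
                alerts.append(("watchlisted_driver_load", pid))
        elif kind == "file_open" and "write" in ev.get("access", ""):
            if ev["path"].upper().startswith(RAW_DISK_PREFIX):
                st.raw_disk_write_handle = True
        elif kind == "file_write":
            st.files_written.add(ev["path"])
        elif kind == "privilege_adjust" and ev["privilege"] == "SeShutdownPrivilege":
            st.shutdown_privilege = True
        elif kind == "api_call" and ev["api"] in REBOOT_APIS:
            if st.raw_disk_write_handle:
                alerts.append(("raw_disk_handle_then_reboot", pid))
            if st.shutdown_privilege and len(st.files_written) >= MASS_WRITE_THRESHOLD:
                alerts.append(("mass_overwrite_then_reboot", pid))
    return alerts


def sample_events():
    """Constructed telemetry: one wiper-like pid (4242) and two benign pids."""
    ev = []
    # pid 1001: a backup job writing many files but never rebooting -> no alert
    ev += [{"pid": 1001, "event": "file_write", "path": f"D:\\backup\\f{i}.bak"}
           for i in range(80)]
    # pid 300: an updater that takes the shutdown privilege and reboots -> no alert
    ev += [{"pid": 300, "event": "privilege_adjust", "privilege": "SeShutdownPrivilege"},
           {"pid": 300, "event": "api_call", "api": "ExitWindowsEx"}]
    # pid 4242: the typical wiper sequence described in the talk
    ev += [{"pid": 4242, "event": "driver_load", "driver": "RawDisk-Driver.sys"},
           {"pid": 4242, "event": "file_open", "path": "\\\\.\\PhysicalDrive0",
            "access": "write"}]
    ev += [{"pid": 4242, "event": "file_write", "path": f"C:\\Users\\u\\doc{i}.docx"}
           for i in range(60)]
    ev += [{"pid": 4242, "event": "privilege_adjust", "privilege": "SeShutdownPrivilege"},
           {"pid": 4242, "event": "api_call", "api": "ExitWindowsEx"}]
    return ev


if __name__ == "__main__":
    for rule, pid in evaluate(sample_events()):
        print(f"ALERT {rule} pid={pid}")
```

Rules 2 and 3 only fire on the reboot call, so in a blocking deployment the action would have to be attached to that last event; the talk's point that blocking is preferable to alerting applies there.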