Developing Threat Updates: MuddyWater, HermeticWiper and Cyclops Target Ukraine Amid Crisis
By Securonix Threat Research team
Securonix Threat Labs has been continuously monitoring threats targeting and leveraging the crisis in Ukraine in recent weeks and has seen a significant increase in cyberthreats. The MuddyWater and Sandworm groups and the HermeticWiper malware are actively being used in cyberattacks, including DDoS attacks against financial institutions, cyber espionage campaigns and attacks on infrastructure.
This update provides guidance for detecting attacks by these advanced persistent threats. Of note, the top three data sources swept by Autonomous Threat Sweeper are antivirus/malware/EDR, cloud antivirus/malware, and endpoint management systems. For the full list of IOCs and the Securonix SNYPR search queries used to detect MuddyWater, HermeticWiper and Cyclops Blink, please refer to our updated GitHub page.
MuddyWater Targets Organizations Worldwide
(Originally Published on: February 24, 2022)
Authorities from the US and UK have released a detailed advisory on a recent cyber espionage campaign by MuddyWater, which is assessed to be state sponsored by Iran and to operate in the interests of the Ministry of Intelligence and Security (MOIS). In this campaign the group has mainly targeted government and private organizations in the telecom, defense, and oil and gas industries across Asia, Africa, Europe, and North America. It has deployed a variety of malware, including PowGoop, Small Sieve, Mori and POWERSTATS, delivered through its preferred initial access vector, spear phishing: victims are lured into downloading ZIP files containing either an Excel file with a malicious macro that communicates with the actor's C2 server or a PDF file that drops a malicious payload onto the victim's network.
Threat Labs Summary:
● A new Python backdoor dubbed Small Sieve stands out because it evades detection by combining custom string and traffic obfuscation schemes with the Telegram Bot application programming interface (API).
● Single-byte XOR with the key 0x02 is used to encrypt communications to adversary-controlled infrastructure.
● The PowGoop malware served as the main loader in these operations; it consists of a DLL loader and a PowerShell-based downloader.
● The Canopy/Starwhale malware was distributed through spear phishing campaigns with malicious attachments.
● The actors used the Mori backdoor, which relies on domain name system (DNS) tunneling to communicate with the group's C2 infrastructure.
● The POWERSTATS backdoor was used to run PowerShell scripts and maintain persistent access to victim systems.
● 29 IOCs are available on Github and have been automatically swept against for Securonix Autonomous Threat Sweeper customers.
● TTPs related to MuddyWater include but are not limited to the following:
o Monitor for the following rare processes being executed:
gram_app.exe, index.exe
o Monitor for the following rare files / DLLs being created:
Cooperation terms.xls, FML.dll, MicrosoftWindowsOutlookDataPlus.txt
o Monitor for persistence via any modification to the current user's Startup folder:
file path contains \Windows\Start Menu\Programs\Startup
o Monitor for rare registry modifications:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosoft
Tags: Adversary: MuddyWater, Static Kitten | Target Industries: Government, Telecom, Oil & Gas, Defense | Target Continents: Asia, Europe, North America, Africa | Malware: PowGoop, Small Sieve, Mori and POWERSTATS
HermeticWiper Malware Targets Ukraine
(Originally Published on: February 23, 2022)
On the evening of February 23, 2022, the State Service of Special Communication and Information Protection of Ukraine announced that a number of government and banking institutions had been hit by a massive DDoS attack. Soon after this announcement, the ESET Research team discovered a new data wiper (detected as Win32/KillDisk.NCV) deployed against computer networks across Ukraine with the objective of destroying data and causing business disruption. Initial analysis of the wiper shows it is an executable signed with a code-signing certificate issued to the Cyprus-based company Hermetica Digital Ltd, which was likely stolen; hence the researchers named the malware 'HermeticWiper'.
Threat Labs Summary:
● Upon execution, HermeticWiper enables process token privileges (SeBackupPrivilege), which grants read access to any file regardless of its ACL.
● It checks the operating system architecture and drops the matching copy of the EaseUS Partition Master driver.
● It then enables SeLoadDriverPrivilege on the process token so that it can load and unload device drivers.
● It disables crash dumps and the Volume Shadow Copy Service (VSS).
● It corrupts the master boot record (MBR) of every physical drive in the system and also corrupts all available partitions, including NTFS and FAT file systems.
● 58 IOCs are available on Github and have been automatically swept against for Securonix Autonomous Threat Sweeper customers. As this is a developing threat, the Autonomous Threat Sweeper will be sweeping additional IoCs.
● TTPs related to HermeticWiper include but are not limited to the following:
o Monitor for registry changes that disable crash dumps (CrashDumpEnabled = 0) under "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl"
o Monitor for rare registry changes that disable "ShowCompColor" and "ShowInfoTip" under "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
o Monitor for rare privilege enablement on a process token involving SeShutdownPrivilege, SeBackupPrivilege or SeLoadDriverPrivilege (Windows Security event 4703, "A token right was adjusted", records these adjustments)
o Monitor for rare processes that query the operating system version via the VerSetConditionMask and VerifyVersionInfoW APIs (these are API calls visible in EDR telemetry, not command-line strings)
o Monitor for rare processes such as "expand.exe" spawned from a command prompt
o Monitor for rare .sys files created in system folders (e.g. a driver whose name ends in dr.sys under %WINDIR%\System32\drivers)
Tags: Malware Family: Disk-wiping | Target Industries: Government, Financial Organizations, Aviation, IT services | Target Countries: Ukraine, Latvia, Lithuania
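The MuddyWater and HermeticWiper host indicators above are phrased as "monitor for" rules. The following is an added example (not Securonix code, not a SNYPR query) that encodes those rules as predicates over Sysmon-style events and runs them against a handful of constructed sample events. Sysmon field names (EventID 1 for process creation, 11 for file creation, 13 for registry value set, Image, ParentImage, TargetFilename, TargetObject, Details) are assumed; the sample paths, SID and the two-letter prefix on the dropped driver name are assumptions made for illustration.

```python
"""Added example: run the MuddyWater / HermeticWiper host indicators from this
advisory over constructed Sysmon-style events. Not Securonix code."""
import re

# Constructed sample telemetry (not real logs). Keys mirror Sysmon field names.
SAMPLE_EVENTS = [
    # MuddyWater: rare process (Small Sieve installer) and rare file drop
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\gram_app.exe",
     "CommandLine": "gram_app.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\victim\Downloads\Cooperation terms.xls"},
    # MuddyWater: Startup-folder persistence (file name is assumed) and Run key
    {"EventID": 11, "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                                      r"\Start Menu\Programs\Startup\OutlookMicrosoft.lnk"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows"
                                    r"\CurrentVersion\Run\OutlookMicrosoft",
     "Details": r"C:\Users\victim\AppData\Roaming\OutlookMicrosoft.exe"},
    # HermeticWiper: crash dumps off, Explorer tweak, expand.exe from cmd, driver drop
    {"EventID": 13, "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows"
                                    r"\CurrentVersion\Explorer\Advanced\ShowCompColor",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\expand.exe", "CommandLine": "expand.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Windows\System32\drivers\vbdr.sys"},
    # Benign noise that must not match anything
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _basename(path):
    """Last path component, lower-cased, for case-insensitive name matching."""
    return path.rsplit("\\", 1)[-1].lower()


# (rule name, Sysmon EventID the rule applies to, predicate over the event)
RULES = [
    ("MuddyWater: rare process", 1,
     lambda e: _basename(e.get("Image", "")) in {"gram_app.exe", "index.exe"}),
    ("MuddyWater: rare file / DLL created", 11,
     lambda e: _basename(e.get("TargetFilename", "")) in
     {"cooperation terms.xls", "fml.dll", "microsoftwindowsoutlookdataplus.txt"}),
    ("MuddyWater: Startup folder persistence", 11,
     lambda e: "\\start menu\\programs\\startup\\" in e.get("TargetFilename", "").lower()),
    ("MuddyWater: Run key OutlookMicrosoft", 13,
     lambda e: e.get("TargetObject", "").lower().endswith(
         "\\software\\microsoft\\windows\\currentversion\\run\\outlookmicrosoft")),
    ("HermeticWiper: crash dumps disabled", 13,
     lambda e: e.get("TargetObject", "").lower().endswith("\\control\\crashcontrol\\crashdumpenabled")
     and e.get("Details", "").endswith("(0x00000000)")),
    ("HermeticWiper: Explorer Advanced ShowCompColor/ShowInfoTip", 13,
     lambda e: re.search(r"\\explorer\\advanced\\(showcompcolor|showinfotip)$",
                         e.get("TargetObject", ""), re.I)),
    ("HermeticWiper: expand.exe spawned from cmd", 1,
     lambda e: _basename(e.get("Image", "")) == "expand.exe"
     and _basename(e.get("ParentImage", "")) == "cmd.exe"),
    # Assumption: dropped driver is two random letters + "dr.sys" in the drivers folder.
    ("HermeticWiper: driver dropped in System32\\drivers", 11,
     lambda e: re.search(r"\\system32\\drivers\\[a-z]{2}dr\.sys$",
                         e.get("TargetFilename", ""), re.I)),
]


def run_rules(events):
    """Return a list of (rule name, event) pairs for every rule an event triggers."""
    hits = []
    for ev in events:
        for name, event_id, predicate in RULES:
            if ev.get("EventID") == event_id and predicate(ev):
                hits.append((name, ev))
    return hits


def hit_names(events):
    """Sorted, de-duplicated rule names triggered by the event batch."""
    return sorted({name for name, _ in run_rules(events)})


if __name__ == "__main__":
    for name, ev in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {ev}")
```

Each predicate is deliberately keyed on the specific values in this advisory, so on a real estate the hits are expected to be rare; the "rare" qualifier in the indicators above is what keeps rules such as the Startup-folder and expand.exe checks from drowning in legitimate installer activity, and a production version would baseline those two against the environment before alerting.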
Sandworm From Russia Uses Cyclops Blink Malware
(Originally Published on: February 23, 2022)
Authorities from the US and UK have identified a new strain of malware dubbed Cyclops Blink, assessed to be the replacement for the infamous VPNFilter malware that infected roughly half a million routers in 2018. Cyclops Blink is attributed to Sandworm, the APT group formally tied to Russia's GRU and associated with the 2015 power outage in Ukraine. It has been deployed since at least 2019 and has been infecting WatchGuard Firebox appliances, manufactured by Seattle-based WatchGuard, and possibly SOHO routers as well.
Threat Labs Summary:
● Cyclops Blink is a malicious Linux ELF executable, compiled for the 32-bit PowerPC (big endian) architecture.
● It is generally deployed as part of a malicious firmware update, so it persists across device reboots and is harder to remediate.
● Approximately 1% of active WatchGuard firewall appliances have been affected so far.
● Sandworm can use these compromised firewall devices to build a large botnet.
● 37 IOCs are available on Github and have been automatically swept against for Securonix Autonomous Threat Sweeper customers.
● TTPs related to Cyclops Blink include but are not limited to the following:
o Cyclops Blink executes downloaded files using the Linux API function execlp.
Monitor for rare command-line parameters on a process named "kworker" whose command line contains "/proc/self/exe"
o Cyclops Blink communicates over HTTP and HTTPS on non-standard ports.
Monitor for HTTP and HTTPS C2 communication on non-standard ports
o Cyclops Blink is capable of uploading files to a C2 server.
Monitor for exfiltration to a C2 server over covert channels such as SSH, TELNET, RDP and DNS
Tags: Adversary: Sandworm, VoodooBear | Target Industries and Products: Energy, WatchGuard Firewall, Routers | Target Countries: Ukraine, Georgia
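The first Cyclops Blink indicator above relies on the fact that the implant presents itself as a kernel worker thread ("kworker") while actually being a user-space ELF process. Genuine kworker threads are kernel threads: they are children of kthreadd (PID 2), have an empty /proc/PID/cmdline, and have no resolvable /proc/PID/exe. The following added example (not Securonix or NCSC code) checks a process table for names that claim to be kworker but carry any of those user-space traits, and includes a live reader for /proc; the sample process records, including the "/tmp/elf" executable path and the PIDs, are constructed for illustration.

```python
"""Added example: flag user-space processes masquerading as kernel "kworker"
threads, the behaviour described for Cyclops Blink. Not Securonix code."""
import os

# Constructed sample process table (not real data). Fields mirror what
# /proc/PID/comm, /proc/PID/cmdline, /proc/PID/exe and PPid: in /proc/PID/status give.
SAMPLE_PROCS = [
    # A genuine kernel worker: child of kthreadd, no cmdline, no exe link.
    {"pid": 123, "comm": "kworker/0:1", "cmdline": "", "exe": "", "ppid": 2},
    # Ordinary user process, not claiming to be a kernel thread.
    {"pid": 900, "comm": "bash", "cmdline": "-bash", "exe": "/bin/bash", "ppid": 1},
    # Masquerader: kworker-style name but a real executable behind it (assumed path).
    {"pid": 4242, "comm": "kworker:0/1", "cmdline": "[kworker:0/1]", "exe": "/tmp/elf", "ppid": 1},
    # Masquerader that only rewrote argv[0]; comm still reveals the original name.
    {"pid": 4243, "comm": "sh", "cmdline": "[kworker:0/1] /proc/self/exe", "exe": "", "ppid": 1},
]


def _claimed_name(proc):
    """Name the process shows to ps/top: argv[0] if present, else comm."""
    argv0 = proc.get("cmdline", "").split(" ", 1)[0]
    return (argv0 or proc.get("comm", "")).strip("[]")


def is_fake_kworker(proc):
    """True when a process calls itself kworker but has user-space traits a
    kernel thread can never have (a cmdline, an exe link, or a parent other
    than PID 0 / kthreadd)."""
    if not _claimed_name(proc).startswith("kworker"):
        return False
    has_cmdline = bool(proc.get("cmdline"))
    has_exe = bool(proc.get("exe"))
    wrong_parent = proc.get("ppid") not in (0, 2)
    return has_cmdline or has_exe or wrong_parent


def scan(procs):
    """PIDs of every masquerading kworker in the given process table."""
    return [p["pid"] for p in procs if is_fake_kworker(p)]


def read_proc_table():
    """Live collector for Linux hosts: build the same records from /proc.
    Processes that exit mid-read are skipped."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            with open(f"{base}/status") as f:
                ppid = next(int(line.split()[1]) for line in f if line.startswith("PPid:"))
            try:
                exe = os.readlink(f"{base}/exe")
            except OSError:
                exe = ""  # kernel threads (and some restricted processes) have no exe link
        except (OSError, StopIteration):
            continue
        procs.append({"pid": int(pid), "comm": comm, "cmdline": cmdline, "exe": exe, "ppid": ppid})
    return procs


if __name__ == "__main__":
    print("sample table, suspicious PIDs:", scan(SAMPLE_PROCS))
    if os.path.isdir("/proc"):
        print("live host, suspicious PIDs:", scan(read_proc_table()))
```

Run it as root on a WatchGuard or router shell only if that firmware exposes /proc; on a normal Linux host it runs unprivileged, although /proc/PID/exe of other users' processes is unreadable without root and is then treated as empty, so the ppid and cmdline checks carry the detection there.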
Please refer to our GitHub page, which is updated daily. We also invite you to send your questions regarding critical security advisories to the Securonix Critical Intelligence Advisory team and look forward to being of assistance.