Microsoft reported evidence of destructive malware targeting organizations in Ukraine starting from January 13 [1]. The LIFARS threat intelligence team have analyzed the malicious samples and provided a detailed analysis of the execution flow. The main objective of this technical brief is to reveal the sophisticated TTPs demonstrated by threat actors.
Stage 1
SHA256: a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
We have determined that the wiper has implemented two TLS (thread local storage) callbacks. These callbacks allow the malicious file to execute code before the actual entry point:
Figure 1
The binary replaces the top-level exception handler using the SetUnhandledExceptionFilter API:
Figure 2
The process retrieves a handle to the MBR (Master Boot Record) by calling the CreateFileW function (0x10000000 = GENERIC_ALL, 0x3 = FILE_SHARE_READ | FILE_SHARE_WRITE, 0x3 = OPEN_EXISTING):
Figure 3
The MBR is overwritten with a buffer that contains the ransom note and a shellcode that will be used to print it. The shellcode also performs other destructive actions that will be explained:
Figure 4
The malware prints the ransom note on the screen after rebooting using the “INT 16” BIOS interrupt call. Each character is moved to the AL register and then printed. The shellcode is displayed in the figure below (16-bit):
Figure 5
The binary doesn’t reboot the machine after the MBR is overwritten. After a manual reboot, the victim is presented with the following message:
Figure 6
The buffer written above contains a Disk Address Packet Structure, and the general format of such structure is presented in [2]:
Figure 7
The malware needs to set the following values in order to write to a disk:
- Set AH = 0x43 (EXTENDED WRITE)
- Set DL = 0x80 (C drive)
- Set SI = 0x7C72 – offset to Disk Address Packet Structure
- Set transfer buffer 16-bit offset = 0x7C82 – offset to “AAAAA”
- Set transfer buffer 16-bit segment = CS – the code segment selector
The shellcode uses the “INT 0x13” interrupt call in LBA (logical block addressing) mode and performs the writing operations:
Figure 8
If the above operation is successful, the code adds 199 to the LBA and continues until the end of the disk is reached. Otherwise, the Drive index is increased by 1, and the malware tries to access the next disk.
Stage 2
SHA256: dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
The file is a .NET malware that spawns two PowerShell processes used to sleep for 20 seconds:
Figure 9
It downloads the 3rd stage disguised as a JPG image from the Discord app:
Figure 10
The Ukrainian authorities blamed Russia for attacks in the context of the geopolitical tensions. LIFARS Threat Intelligence Team believes that there is a high possibility to see more wiper and ransomware attacks against Ukrainian institutions soon.
References:
[2] https://wiki.osdev.org/Disk_access_using_the_BIOS_(INT_13h)
