“Petya” / “NotPetya” reverse analysis

Malware used for Massive Coordinated Cyber Invasion in Ukraine

Published: 29.06.2017 21:34 | Source: http://issp.ua

ISSP Labs discovered new evidence regarding the massive attack in Ukraine on June 27, 2017. After reverse analysis of the malware used in the recent wave of attacks in Ukraine, ISSP Labs analysts discovered the following.


This is the first example of a cyberweapon that simultaneously uses such instruments as mimikatz, PsExec, wmic, SMB vulnerabilities, MBR overwrite, log cleanup and file encryption. We believe that the discovery of such a cyberweapon will serve as a wake-up call for those who did not believe that cyberspace has become a real battlefield worldwide.

An integral part of the malware’s functionality was to check whether three particular antivirus processes (belonging to Kaspersky, Norton Security and Symantec products) were running and, if so, to stop. The assumption that the malware developers could not bypass the antivirus protection corresponding to the above-mentioned processes does not seem credible. The question remains open: what goal did the adversaries have in creating such functionality?


It could be the case that the processes with the names revealed by our reverse analysis were used to leave backdoors or Sleeper Agents (in ThreatSCALE™ terminology). Next generations of this cyberweapon may carry the names of different processes for the same purpose.


We assume that the adversaries pursued five main goals:

- clean-up stage of the previous APT attacks

- demonstration of cyber power and training execution of a Massive Coordinated Cyber Invasion (MCCI)

- testing new cyber weaponry and security capabilities, especially the speed of response and recovery

- preparation for the next targeted cyberattack or MCCI

- training execution of an MCCI in combination with other elements of hybrid war


Link to the analysis here.

UPD: An explanation of how the sample changes its mode of operation depending on the privileges obtained and the running processes is here.
