Threat Analysis Unit

Threat Analysis Unit (TAU) Technical Report: The Prospect of Iranian Cyber Retaliation

Tensions between Iran and the United States have escalated over the last several weeks following a series of events in the Middle East (ME) region. After a series of military operations between the two countries, the U.S. government released several alerts warning of the potential for cyberattacks.

Several high-profile threat groups have long been suspected of being backed by, or acting on behalf of, Iran. The image below, a high-level timeline, shows that these Iranian threat groups have been conducting cyber attacks for a considerable amount of time. The recent tensions in the ME region have brought this threat to the forefront of the news. While the threat and capabilities of groups supporting Iran are very real, they did not become active only with the recent events. From public reporting and internal research, many of these groups rely heavily on common tactics such as spear phishing, brute-force attacks, and exploitation of internet-facing systems with unpatched, known vulnerabilities.

Figure 1: Iranian Threat Group Timeline Overview

In the past week, reports have surfaced of different attacks in which destructive malware has been used against victims in the Middle East. Destructive malware is generally the coup de grâce that follows a larger attack. From talking to IR partners in the region and from other published reports, this specific destructive malware has been used in conjunction with traditional lateral movement techniques. Detecting and stopping the first stages of these types of attacks should remain the fundamentals that security practitioners refine in their organizations. Focusing on spear phishing, user execution, credential dumping, and living-off-the-land techniques will yield positive security returns that help combat numerous threat groups.

As a result of the recent increase in news coverage, we would like to share a detailed analysis of common activity seen from Iranian threat actors who have utilized this wiper. Additionally, numerous customers and partners have requested that we provide product-specific detections.

The malware itself is a variant of a kernel driver loader used extensively by the Turla group (a Russian APT) as early as 2014. The initial binary creates three files on the local system, which are embedded in it as encoded resources. The dropper then creates a service to run one of the files, which is a legitimate VirtualBox driver.

This specific version is signed but contains a known vulnerability (CVE-2008-3431) that allows the dropper to inject shellcode into the driver's context; the shellcode executes and loads an unsigned driver, bypassing Microsoft's driver signature enforcement. This unsigned driver is a legitimate application that provides low-level access to the disk and file system. The third file, the wiper, uses the raw disk driver to write junk data to different regions of the disk, making the operating system crash and become unresponsive.

Additionally, some data originally present on the disk will be unrecoverable. The image below gives an overview of how the files are dropped to disk and interact with each other as part of this attack.


Figure 2: Overview of Wiper attack flow

Technical Details:

The following file was analyzed for this report.

File Name       : f07b0c79a8c88a5760847226af277cf34ab5508394a58820db4db5a8d0340fc7
File Size       : 264,704 bytes
MD5             : 8afa8a59eebf43ef223be52e08fcdc67
SHA256          : f07b0c79a8c88a5760847226af277cf34ab5508394a58820db4db5a8d0340fc7
Fuzzy           : 6144:h2+Z0A0chhA+AosUTvc2Y8Y7wyjo7m9nnnhNS:h2U0chhA7fUTE2Y8Y7LjJU
Compiled Time   : Sun Dec 29 05:57:19 2019 UTC
PE Sections (6) : Name       Size      MD5
                  .text      23,040    66d7ac544a1f5b491352ad4f7e4cf031
                  .rdata     25,600    23eae969fe24828290656fe68826341c
                  .data      2,048     06cf554c8ba8c65b8a683ec9a0325251
                  .pdata     1,536     a4dc3a86ed1f2519242079767e6697c2
                  .rsrc      209,920   873a1305f4c1378dada4c66a8d0c2ee1
                  .reloc     1,536     f5545886ab6e4a1562a985fb37b66e8b

Table 1: Wiper metadata

This file is a variant of a Turla driver loader. The loader initially creates the mutex "Down With Bin Salman," an obvious reference to Crown Prince Mohammad Bin Salman and the regions being targeted.


Figure 3: Mutex creation

The dropper then determines the version number of the operating system, highlighted in red in the image below. If the operating system version is 6.x or above (Windows Vista or newer), it creates the two initial files on the system; this activity is highlighted in blue below. Note that all of the embedded files are stored in the binary as resources encoded with a one-byte XOR key of 0x70. The first file written to disk is the raw disk driver, which is decoded and created in the directory the dropper is running from (highlighted in blue) and saved as elrawdsk.sys. If this file creation succeeds, the binary begins creating the second file, a legitimate VirtualBox driver, highlighted in green below.


Figure 4: RawDisk driver creation
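As an added example (not code from the report), the single-byte XOR encoding described above can be used for defensive triage: the script below locates resources encoded with key 0x70 by searching for the encoded DOS header bytes (the same 3D 2A E0 70 73 pattern the YARA rule at the end of this report counts), decodes each candidate, and keeps only those whose decoded bytes carry a real PE signature. The sample resource blob is constructed inline; it is not data from the analyzed file.

```python
import struct

XOR_KEY = 0x70  # one-byte key the report identifies for the embedded resources


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with a single-byte key (encoding and decoding are the same operation)."""
    return bytes(b ^ key for b in data)


# "MZ\x90\x00\x03" XOR 0x70 gives 3D 2A E0 70 73, the encoded-MZ pattern the YARA rule counts.
ENCODED_MZ = xor_bytes(b"MZ\x90\x00\x03")


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_encoded_pes(data: bytes, key: int = XOR_KEY) -> list:
    """Return (offset, decoded_bytes) for each XOR-encoded PE found; chance marker hits are dropped."""
    marker = xor_bytes(b"MZ\x90\x00\x03", key)
    offsets = []
    pos = data.find(marker)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(marker, pos + 1)
    carved = []
    for i, off in enumerate(offsets):
        # decode from this marker up to the next one (or end of buffer), then validate the header
        end = offsets[i + 1] if i + 1 < len(offsets) else len(data)
        decoded = xor_bytes(data[off:end], key)
        if looks_like_pe(decoded):
            carved.append((off, decoded))
    return carved


def build_fake_pe(payload: bytes) -> bytes:
    """Constructed test input: a 0x40-byte DOS header with e_lfanew -> 'PE\\0\\0', not a real binary."""
    header = bytearray(b"MZ\x90\x00\x03" + b"\x00" * 0x3B)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + payload


# Constructed resource section: junk, two encoded fake PEs, and a decoy marker with no PE header.
SAMPLE_RESOURCES = (b"\x11" * 32 + xor_bytes(build_fake_pe(b"one")) + b"\x22" * 16
                    + xor_bytes(build_fake_pe(b"two")) + ENCODED_MZ + b"\x00" * 70)
```

Running carve_encoded_pes over a dropper's .rsrc section recovers the three embedded files without executing the sample; the decoy at the end of the sample shows why the PE-signature check matters.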

The dropper then decodes the second payload, highlighted in red in the image below. It then uses API calls to query the service manager and stop several VirtualBox-related services, highlighted in green in Figure 5; this is done using the ControlService API with the SERVICE_CONTROL_STOP parameter. The decoded payload is written to disk as assistant.sys in the same directory the loader is running from. The loader then creates a new service named VBoxDrv (highlighted in blue).


Figure 5: VBox Driver Creation

The file assistant.sys is a VirtualBox (vbox) driver with a known vulnerability that ultimately allows an attacker to execute a shellcode payload in the context of the vbox driver. The shellcode is embedded in the loader itself and injected, via the exploit, into the now-running vbox driver. The shellcode then loads the elrawdsk.sys file, highlighted in red below. The technique of passing shellcode to this vulnerable driver was publicly documented in 2014.


Figure 6: Shellcode

The dropper then decodes the final payload, highlighted in red in the image below. The file is saved to disk as agent.exe in the same directory the loader is running from. This is the executable that performs the wiping of the drive, leveraging the raw disk driver.


Figure 7: VBox Driver Creation

The dropper then enumerates the drives on the local system and checks that the drive type is either fixed or removable (highlighted in blue). For each drive that matches, the loader creates a process using cmd.exe to execute agent.exe with the drive letter passed as an argument. For example, when targeting the C: drive, agent.exe is executed as follows:

cmd.exe /c agent.exe C

Table 2: Wiper process creation command
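The dropped file names, the VirtualBox service names the loader stops and creates, and the per-drive "cmd.exe /c agent.exe <letter>" launch described above are all observable from host telemetry. The script below is an added example, not part of the report or any VMware Carbon Black product: it classifies constructed key=value event lines against those artifacts and reports whether the driver drop and wiper launch occur together. The event format and the assumption that a genuine VirtualBox install keeps its drivers under an Oracle\VirtualBox directory are mine.

```python
import re

# Artifacts named in the report: VirtualBox services the loader stops or creates, the dropped
# raw disk driver, and the per-drive wiper launch "cmd.exe /c agent.exe <letter>".
VBOX_SERVICES = {"VBoxDrv", "VBoxUSBMon", "VBoxNetAdp", "VBoxNetLwf"}
RAWDISK_DRIVER = "elrawdsk.sys"
WIPER_LAUNCH_RE = re.compile(r"\bagent\.exe\s+[A-Za-z]:?\s*$", re.IGNORECASE)
# Assumption: a genuine VirtualBox install keeps its drivers below an Oracle\VirtualBox directory.
LEGIT_VBOX_DIR = "\\oracle\\virtualbox\\"
# Simple key=value event format constructed for this example (values with spaces are quoted).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(ev: dict):
    """Return a rule name if the event matches one stage of the wiper chain, else None."""
    kind = ev.get("type")
    name, path = ev.get("name", ""), ev.get("path", "").lower()
    if kind == "service_create" and name in VBOX_SERVICES and LEGIT_VBOX_DIR not in path:
        return "vbox_service_from_unexpected_path"
    if kind == "service_stop" and name in VBOX_SERVICES:
        return "vbox_service_stopped"
    if kind == "file_create" and path.endswith("\\" + RAWDISK_DRIVER):
        return "rawdisk_driver_dropped"
    if (kind == "process_create" and ev.get("image", "").lower().endswith("\\cmd.exe")
            and WIPER_LAUNCH_RE.search(ev.get("cmdline", ""))):
        return "wiper_launch_per_drive"
    return None


def triage(lines):
    """Return (alerts, chain_seen): per-event hits, and whether driver drop and wiper launch co-occur."""
    alerts = []
    for i, line in enumerate(lines):
        hit = classify(parse_event(line))
        if hit:
            alerts.append((i, hit))
    names = {hit for _, hit in alerts}
    return alerts, {"rawdisk_driver_dropped", "wiper_launch_per_drive"} <= names


# Constructed sample telemetry, not from the report; the last two lines are benign controls.
SAMPLE_EVENTS = [
    r'type=service_create name=VBoxDrv path="C:\Users\bob\Downloads\assistant.sys"',
    r'type=service_stop name=VBoxUSBMon',
    r'type=file_create path="C:\Users\bob\Downloads\elrawdsk.sys"',
    r'type=process_create image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c agent.exe C"',
    r'type=process_create image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c agent.exe D"',
    r'type=service_create name=VBoxDrv path="C:\Program Files\Oracle\VirtualBox\drivers\vboxdrv\VBoxDrv.sys"',
    r'type=process_create image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c dir C:"',
]
```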

The metadata for the payloads that the loader extracts and writes to disk is listed in the table below.

File Name       : RCData103_decoded_elrawdsk_sys
File Size       : 24,576 bytes
MD5             : 993e9cb95301126debdea7dd66b9e121
SHA256          : 36a4e35abf2217887e97041e3e0b17483aa4d2c1aee6feadd48ef448bf1b9e6c
Fuzzy           : 384:9a5MM0mSc80J0sES5EGr7Btpqu1Ehc+PGhzgWdSLSbf/V+23HzirUJ2R8mf:9i3SAHOoz1a2clLST/zzixl
Compiled Time   : Sun Oct 14 07:43:19 2012 UTC
PE Sections (8) : Name       Size      MD5
                  .text      2,048     f1586570bc3b13cf44177ed0aa450ce1
                  .rdata     2,048     ffb0f65059aa7db9f0c55362613de63b
                  .data      1,024     bce690b9958a1f2608e76792d965e7da
                  .pdata     512       39f4bdfd2585aae5f0f98dd1f2e03e9e
                  PAGE       12,800    268e57650e52bf91d5a3d220655e60b2
                  INIT       3,072     29d48a7744e57dad07324620f56af2a1
                  .rsrc      1,536     43a539179fa3f6a3f6ffcb2c57bf1d95
                  .reloc     512       0093f3067e3ee05090f18848d48ea070

File Name       : RCData1_decoded_assistant_sys
File Size       : 68,288 bytes
MD5             : eaea9ccb40c82af8f3867cd0f4dd5e9d
SHA256          : cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986
Fuzzy           : 768:mkD7TfQS7D8ueMKxp0pO/Qw+FKebe3vFQFftSJfghVotiTAlLwJidG:33d38uezp0Dw+49tKMgVxAlIiw
Compiled Time   : Sat May 31 02:18:53 2008 UTC
PE Sections (7) : Name       Size      MD5
                  .text      34,176    4b04940d26665267e42db88ec868cdd9
                  .rdata     10,848    433d6fb8c2f3f28c4aea135fcf971e3e
                  .data      7,424     e180c606e433e1d25937e9a76c57467d
                  .pdata     3,328     3f62eff4073fe0d75533511bd0b09980
                  .edata     2,688     64c8958a650b57653700faba6d8498a5
                  INIT       1,600     e4dc926ea30b0bf7ef2cb442d7f3a32c
                  .reloc     320       7f7f212d17b850c84af7280334af4ac5
                + 0xef00     7,104     053496d7aaf38e7254168c45db174a73 (Authenticode Signature)

File Name       : RCData106_decoded_agent_exe
File Size       : 116,224 bytes
MD5             : f5f8160fe8468a77b6a495155c3dacea
SHA256          : 44100c73c6e2529c591a10cd3668691d92dc0241152ec82a72c6e63da299d3a2
Fuzzy           : 3072:VKMMWFhWGRGhZIzPic5RbQ9b4R1DcMxaiJe:AMZh1kUPiMMKR1DTJ
Compiled Time   : Sun Dec 29 05:56:27 2019 UTC
PE Sections (6) : Name       Size      MD5
                  .text      65,024    d4295afb97256d94ae19e986f0ad6241
                  .rdata     39,936    50bb7471927210d3d8e34922f6847150
                  .data      3,072     4c592fa4e1d48f89277f80aa010b8c6c
                  .pdata     4,608     d457546482af93105ce2717a0422c9f1
                  .rsrc      512       29412b566252e86f11d2b70244750eb8
                  .reloc     2,048     f546ac3a4cceb621af2318eb7e2be625

Table 3: Dropped files’ metadata

The wiper itself ultimately leverages the loaded raw disk driver (elrawdsk.sys) to write junk data over the MBR and other areas of the hard drive. The image below shows the basic setup, where the wiper opens a handle to the logical drive via the driver. The license key that is visible has been referenced in previous analysis as well.


Figure 8: Agent wiper functionality


Yara Rule

rule apt34_2020_Q1_Dustman : TAU IR wiper TDL
{
    meta:
        author = "CarbonBlack Threat Research" // JMyers
        date = "2020-Jan-2"
        description = "TDL dropper related to Dustman Wiper"
        jira = "TR-4118"
        rule_version = 1
        yara_version = "3.11.0"
        exemplar_hashes = "f07b0c79a8c88a5760847226af277cf34ab5508394a58820db4db5a8d0340fc7"

    strings:
        // VirtualBox service names the loader stops/creates, and the dropped raw disk driver
        $s1 = "VBoxDrv" wide
        $s2 = "VBoxUSBMon" wide
        $s3 = "VBoxNetAdp" wide
        $s4 = "VBoxNetLwf" wide
        $s5 = "Software\\Oracle\\VirtualBox" wide
        $s6 = "elrawdsk.sys" wide

        $b1 = { 3D B7 00 00 00 }                // compare error code
        $b2 = { 49 B9 70 70 70 70 70 70 70 70 } // 8 copies of the 0x70 XOR key loaded into r9
        $b3 = { 48 8B C4 41 54 48 81 EC 90 }    // shellcode prologue
        $MZ = { 3D 2A E0 70 73 }                // "MZ\x90\x00\x03" XOR 0x70 (encoded MZ header)

    condition:
        4 of ($s*)
        and 2 of ($b*)
        and #MZ > 2 // more than two encoded PE headers (the three embedded resources)
}