A few weeks ago, multiple organizations in the Middle East fell victim to targeted and destructive attacks that wiped data from computers, and in many cases rendering them unstable and unbootable. Destructive attacks like these have been observed repeatedly over the years and the Windows Defender and Windows Defender Advanced Threat Protection Threat Intelligence teams are working on protection, detection, and response to these threats.
Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.
Although the extent of damage caused by this latest attack by TERBIUM is still unknown, Windows 10 customers have a set of features available for them to enable to mitigate such attack. Windows 10 has built-in proactive security components, such as Device Guard, that mitigate this threat; Windows Defender customers are protected through multiple signature-based detections; and Windows Defender Advanced Threat Protection (ATP) customers are provided extensive visibility and detection capabilities across the attack kill chain, enabling security operation teams to respond quickly. Microsoft’s analysis has shown that the components and techniques used by TERBIUM in this campaign trigger multiple detections and threat intelligence alerts in Windows Defender Advanced Threat Protection.
Microsoft Threat Intelligence has observed that the malware used by TERBIUM, dubbed “Depriz” by Microsoft, reuses several components and techniques seen in the 2012 attacks, and has been highly customized for each targeted organization.
We do not see any indicators that a zero-day exploit is being used by TERBIUM.
Step 1: Writing to disk
The initial infection vector TERBIUM uses is unknown. As credentials have been hard-coded in the malware TERBIUM uses, it is suspected that TERBIUM has harvested credentials or infiltrated the target organization previously. Once TERBIUM has a foothold in the organization, its infection chain starts by writing an executable file to disk that contains all the components required to carry out the data-wiping operation. These components are encoded in the executables resources as fake bitmap images.
Figure 1. The components of the Trojan are fake bitmap images
We decoded the components as the following files:
- PKCS12 - a destructive disk wiper component
- PKCS7 - a communication module
- X509 - 64-bit variant of the Trojan/implant
Step 2: Propagation and persistence through the target network
We have seen TERBIUM use hardcoded credentials embedded in the malware to propagate within a local network. The availability of these credentials to the activity group suggests that the attacks are highly targeted at specific enterprises.
The propagation and persistence is carried out as follows:
- First, it tries to start the RemoteRegistry service on the computer it is trying to copy itself to, then uses RegConnectRegistryW to connect to it.
- Next, it attempts to disable UAC remote restrictions by setting the LocalAccountTokenFilterPolicy registry key value to “1”.
- Once this is done, it connects to the target computer and copies itself as %System%\ntssrvr32.exe or %System%\ntssrvr64.exe before setting either a remote service called “ntssv” or a scheduled task.
Step 3: Wiping the machine
Next, the Trojan installs the wiper component. Note: TERBIUM establishes a foothold throughout the organization and does not proceed with the destructive wiping operation until a specific date/time: November 17, 2016 at 8:45 p.m.
The wiper component is installed as %System%\<random name>.exe. During our testing, it used the name “routeman.exe”, but static analysis shows it can use several other names that attempt to imitate file names of legitimate system tools.
The wiper component also contains encoded files in its resources as fake bitmap images.
The first encoded resource is a legitimate driver called RawDisk from the Eldos Corporation that allows a user mode component raw disk access. The driver is saved as %System%\drivers\drdisk.sys and installed by creating a service pointing to it using “sc create” and “sc start”. This behavior can be observed in the process tree available in the Windows Defender ATP portal. The below alert represents an example of the generic detections in Windows Defender ATP:
Figure 2. Windows Defender ATP alert: Depriz starting ephemeral service to load RawDisk driver "drdisk"
Figure 3. Windows Defender ATP event tree: Depriz Trojan dropping the wiper component (named “routeman” in this instance), which in turn drops the RawDisk driver “drdisk”
There are two interesting things worth noting about RawDisk:
- It requires a valid license key from Eldos Corporation to run. However, the license key included in Depriz is the same as the one used in the 2012 attacks – and this license key was only valid for a short period in 2012. TERBIUM works around this by changing the system time on targeted computers to a valid period in 2012.
- It is the same as the driver used in the 2012 attacks.
Figure 4. Depriz license key (the same as the one used in 2012 attacks) and its limited validity period
The wiper component uses an image file to overwrite files in locations listed in the following:
- Master Boot Records (MBR)
- Typical user folders like “Desktop”, “Downloads”, “Documents”, “Pictures”, “Videos” and “Music”
Microsoft is also aware of a second threat that uses a distinct wiping component. We detect this as Trojan:Win32/Cadlotcorg.A!dha in Defender and generic detections with Defender ATP. Microsoft is continuing to monitor for additional information on this threat.
Step 4: Rendering the machine unusable
Finally, the following command is used to reboot the system into the intended unusable state:
shutdown -r -f -t 2
When the computer attempts to restart after shutting down, it is unable to find the operating system because the MBR was overwritten in step 3. The machine will no longer boot properly.
Mitigation: Multiple layers of protection from Microsoft
Windows 10 protects, detects and responds to this threat. Windows 10 has built-in proactive security components, such as Device Guard, that mitigate this threat by restricting execution to trusted applications and kernel drivers.
Windows Defender Advanced Threat Protection (ATP), our post-breach security service, provides an additional layer of security to enterprise users. With threat intelligence indicators, generic detections, and machine learning models, Windows Defender ATP (trial link) provides extensive visibility and detection capabilities across the attack kill chain of threats like TERBIUM.
Appendix - Indicators of compromise
We discovered the following SHA1s in relation to TERBIUM:
SHA1 hashes for malicious files
SHA1 hashes for legitimate RawDisk drivers
Signature names for malicious files
Windows Defender Advanced Threat Protection Threat Intelligence Team