Hermetic Wiper Infographic

Thomas Roccia

March 14, 2022

Transcript

@fr0gger_
Thomas Roccia
Overview of HermeticWiper

Initial entry point and deployment
• Exchange Server compromised (Tomcat exploit) and a webshell deployed
• PowerShell used for post-compromise activity
• Deployment via GPO
• Conhosts.exe (Wiper Loader)

Certificate
Name: Hermetica Digital Ltd
Status: Valid
Issuer: DigiCert EV Code Signing CA (SHA2)
Valid From: 12:00 AM 04/13/2021
Valid To: 11:59 PM 04/14/2022
Valid Usage: Code Signing
Algorithm: sha256RSA
Thumbprint: 1AE7556DFACD47D9EFBE79BE974661A5A6D6D923
Serial Number: 0C48732873AC8CCEBAF8F0E1E8329CEC

Get privileges:
• SeShutdownPrivilege
• SeBackupPrivilege
• SeLoadDriverPrivilege

Check OS architecture and drop the resource accordingly
RCDATA resource, MS-compressed: "empntdrv.sys" (EaseUS driver)
• DRV_X64: Windows 7+, 64 bits
• DRV_X86: Windows 7+, 32 bits
• DRV_XP_X64: Windows XP, 64 bits
• DRV_XP_X86: Windows XP, 32 bits

Driver deployment
• Drop the driver into C:\Windows\system32\Drivers\dr.sys
• Load the driver using SeLoadDriverPrivilege
• Run the driver as a service using the APIs OpenSCManagerW(), OpenServiceW(), CreateServiceW() and StartServiceW()
• Open \\.\EPMNTDRV\%u for communication with the driver
• Call DeviceIoControl with IoControlCode 0x560000 (IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS) to get the device number of the disk backing the volume

Anti-forensic
• Disable the VSS service if enabled
• Set the registry value SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled = 0 so that no crash dump file is written when the system terminates abnormally
• Delete the service registry key previously created to run the driver: SYSTEM\CurrentControlSet\Services\
• Disable ShowCompColor and ShowInfoTip under every hive in HKEY_USERS:
  SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  ShowCompColor = 0
  ShowInfoTip = 0

IMPACT
MBR and partition corruption
Byte overwriting

Enumerates Windows files, Event Logs and Windows Restore Points:
• "My Documents", "Desktop", "AppData"
• \\?\C:\Windows\System32\winevt\Logs
• C:\System Volume Information

Get MFT and NTFS attributes:
$LOGFILE  Log file containing all actions performed on the volume
$I30  Windows NTFS index attribute
$ATTRIBUTE_LIST  Lists the location of all attribute records that do not fit in the MFT record
$EA  Extended attribute
$EA_INFORMATION  Extended attribute information
$SECURITY_DESCRIPTOR  Security descriptor storing ACLs and SIDs
$DATA  Contains the default file data
$INDEX_ROOT  Used to support folders and other indexes
$INDEX_ALLOCATION  Directory stream; the attribute type used for index allocation
$BITMAP  A bitmap index for a large directory
$REPARSE_POINT  Used for volume mount points
$LOGGED_UTILITY_STREAM  Used by the Encrypting File System

Sample analyzed:
SHA256: 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
External sources:
https://gist.github.com/fr0gger/7882fde2b1b271f9e886a4a9b6fb6b7f
Rev: Version 2
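The certificate panel above gives a thumbprint and a subject name that can be used as hunting pivots: any other PE signed with the same certificate, or with a re-issued certificate for the same organisation, is worth a look. The PowerShell below is an added example (not code from the deck, the gist, or the sample); the function and parameter names are my own, and only the thumbprint and subject string come from the deck.

```powershell
# Added example, not from the original deck: walk one or more directories and report
# PE files whose Authenticode signer matches the certificate listed in the infographic.
# Function and parameter names are my own; the thumbprint/subject come from the deck.
function Find-HermeticaSignedFiles {
    [CmdletBinding()]
    param(
        # Directories to walk, e.g. 'C:\Windows\System32', 'C:\Users'.
        [Parameter(Mandatory)] [string[]] $Path,
        # Thumbprint and subject from the deck's certificate panel.
        [string] $Thumbprint   = '1AE7556DFACD47D9EFBE79BE974661A5A6D6D923',
        [string] $SubjectMatch = 'Hermetica Digital Ltd'
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if ($null -eq $cert) { return }   # unsigned file: nothing to compare

            # Exact match on the thumbprint first; the subject match also catches a
            # re-issued certificate for the same organisation (different thumbprint).
            if ($cert.Thumbprint -eq $Thumbprint -or $cert.Subject -like "*$SubjectMatch*") {
                [pscustomobject]@{
                    File       = $_.FullName
                    SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    # Status may be 'Valid': a valid signature is not a trust decision,
                    # it only says the file was signed with a key the CA issued.
                    SigStatus  = $sig.Status
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotBefore  = $cert.NotBefore
                    NotAfter   = $cert.NotAfter
                }
            }
        }
}

# Usage (elevated, on a suspect host or against a mounted image):
# Find-HermeticaSignedFiles -Path 'C:\Windows\System32', 'C:\Users' | Format-Table -AutoSize
```

The SHA256 column lets hits be compared directly against the sample hash listed above; a file that matches the signer but not that hash is a new artifact to triage, not a known one.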
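The anti-forensic steps above (CrashDumpEnabled = 0, ShowCompColor/ShowInfoTip = 0 under every HKEY_USERS hive, the VSS service disabled, and a kernel service registered for a driver dropped as dr.sys) are all host-observable. The script below is an added example, not code from the deck or the sample; it audits a live host for those settings. The function and output field names are my own; the registry paths, value names and service name are the ones the deck lists. ShowCompColor and ShowInfoTip can also be switched off by a user, so those two findings are weaker on their own than the CrashControl and VSS ones.

```powershell
# Added example, not from the original deck: audit a host for the anti-forensic
# settings the infographic attributes to HermeticWiper. Run in an elevated session.
# Function/field names are my own; registry paths and value names are from the deck.
function Test-HermeticWiperAntiForensics {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string] $Check, [string] $Where, $Value) {
        $findings.Add([pscustomobject]@{ Check = $Check; Where = $Where; Value = $Value })
    }

    # 1. CrashDumpEnabled = 0: no dump is written if the box bugchecks mid-wipe.
    #    The Windows default is non-zero.
    $ccPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $cc = Get-ItemProperty -Path $ccPath -ErrorAction SilentlyContinue
    if ($cc -and $cc.PSObject.Properties['CrashDumpEnabled'] -and $cc.CrashDumpEnabled -eq 0) {
        Add-Finding 'CrashDumpEnabled = 0' $ccPath $cc.CrashDumpEnabled
    }

    # 2. ShowCompColor / ShowInfoTip = 0 in every loaded user hive (defaults are 1).
    #    The deck says the wiper walks all of HKEY_USERS, so check every SID, not just HKCU.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
        $advPath = "HKU:\$($hive.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
        $adv = Get-ItemProperty -Path $advPath -ErrorAction SilentlyContinue
        if (-not $adv) { continue }
        foreach ($name in 'ShowCompColor', 'ShowInfoTip') {
            if ($adv.PSObject.Properties[$name] -and $adv.$name -eq 0) {
                Add-Finding "$name = 0" $advPath $adv.$name
            }
        }
    }

    # 3. VSS service disabled (its default start type is Manual).
    $vss = Get-Service -Name VSS -ErrorAction SilentlyContinue
    if ($vss -and $vss.StartType -eq 'Disabled') {
        Add-Finding 'VSS service disabled' 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS' $vss.StartType
    }

    # 4. A kernel-driver service (Type = 1) whose ImagePath ends in dr.sys under the
    #    drivers directory. The deck says the wiper deletes this key afterwards, so a
    #    hit means the loader stage was caught before cleanup; no hit does not clear the host.
    foreach ($svc in Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        if ($p -and $p.PSObject.Properties['ImagePath'] -and
            $p.ImagePath -match '\\drivers\\[^\\]*dr\.sys$' -and $p.Type -eq 1) {
            Add-Finding 'Kernel service for *dr.sys' $svc.PSChildName $p.ImagePath
        }
    }

    return $findings
}

# Usage (elevated):
# Test-HermeticWiperAntiForensics | Format-Table -AutoSize
```

Each finding carries the registry path or service it came from, so the same object list can be exported with Export-Csv and attached to an incident ticket; an empty list on a host that has already been wiped is expected, since the deck notes the service key is removed and the disk is overwritten afterwards.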