
The Rise of Destructive Malware - CORIIN 2019


Destructive malware has been on the rise for several years. Shamoon, WannaCry, NotPetya, Mirai, Olympic Destroyer and many others have made headlines. By attacking corporate networks and destroying sensitive data, they cause damage that companies can find very hard to recover from. When such attacks hit critical infrastructure, the damage can be far worse and can affect an entire population, as we saw with the Crash Override malware (also known as Industroyer) that took down part of the Ukrainian power grid.

Some malware is purpose-built for destruction, some is destruction disguised as ransomware, and some is designed for DDoS attacks. Malicious actors can also use destructive malware for protest or terrorism, with no financial motivation at all.
With the rise of malware that can take down a whole company, it has become urgent to understand the threat and make the right decisions to protect our data.

How does such malware work? What are the differences between the families? What are the real goals behind these threats?

In this talk we look at malware that encrypts, erases or destroys data and was purpose-built for sabotage and destruction. Through deep-dive analysis we show what goes on behind the scenes of destructive malware and propose a classification. We also share lessons learned from dealing with such malware in the field. Finally, we venture some predictions about the future of this threat and its trends.


Thomas Roccia

January 29, 2019


  1. The Rise of Destructive Malware: Modern Bombs Used in Cyberattacks

    Thomas ROCCIA, Security Researcher, Advanced Threat Research
  2. Whoami (CORIIN – Thomas Roccia – 2019)

    Thomas ROCCIA, Security Researcher, Advanced Threat Research. http://troccia.tdgt.org, @fr0gger_. Maker, speaker, whatever…
  3. $300 Million

  4. What is a Destructive Malware?

    Destructive malware has the ability to destroy data or systems, to put them out of service, or to have a physical impact through digital actions. Some families are paired with propagation capabilities, which makes the threat more destructive.
  5. Early Destructive Malware

    1974: Rabbit virus (fork bomb)
    1987: Jerusalem virus (infected every .exe)
    1991: Michelangelo virus (boot sector virus)
    1998: CIH virus (erased the flash ROM BIOS)
    2003: Slammer worm (DoS attack)
  6. Recent Destructive Attacks

    2012: Shamoon (wiper)
    2014: Destover (Sony hack)
    2016: Mirai (largest DDoS attack), Industroyer (Ukrainian power grid)
    2017: NotPetya (pseudo-ransomware), Triton (first SIS malware)
    2018: OlympicDestroyer (Olympic Games attack), VPNFilter (router malware), Shamoon v3 (wiper)
  7. Mirai: The Largest DDoS Botnet

    Mirai was designed for DDoS attacks. It is responsible for the record-setting DDoS attack of September 2016 against Brian Krebs' website (roughly 620 Gbps of traffic).
    Diagram: the botmaster sells DDoS for hire to customers; the C&C drives an IoT botnet that scans for weak IoT devices and floods the DDoS victim.
  8. NotPetya: The Pseudo-Ransomware

    NotPetya was designed for IT destruction.

    "Pseudo-ransomware is a destructive attack disguised as ransomware, either to take down companies or to keep the IT department busy." -- Christiaan Beek, Lead Scientist, McAfee

    Number of file types encrypted, per family:

        Family        File types
        Cerber        187
        Locky         381
        WannaCry      176
        Petya (2016)  228
        NotPetya       65

    Attack chain: 1) supply chain attack; 2) propagation (exploits, credentials); 3) encrypts files and erases the MBR.
  9. Triton: The First SIS Malware

    Triton was designed to target the systems that protect human life.
    Diagram: from the customer network and IT into the DCS/ICS network, Triton is launched from the SIS engineering workstation (Trilog.exe) and speaks the TriStation protocol (UDP 1502) to the SIS controllers, which supervise the physical process.
    An essential danger in this threat is that it moves from mere digital damage to risking human lives.
  10. OlympicDestroyer: « Citius, Altius, Fortius »

    OlympicDestroyer was designed for disruption. It deletes all the shadow copies, deletes the backup catalog, makes repair from the recovery console impossible, and deletes the System and Security event logs.
  11. VPNFilter: TimeBomb

    VPNFilter targets networking devices. It can perform intelligence collection as well as destructive attacks, and it can act as a bomb: the destructive stage overwrites the first 5000 bytes of /dev/mtdblock0 with zeros, leaving the device unable to boot.
    Other capabilities: data collection and espionage, a distributed proxy network, traffic sniffing, MITM, exploit delivery, Tor, DDoS, traffic redirection.
  12. Shamoon v3: Back to the Future

    Shamoon was designed for destruction and ideology. The Shamoon wiper first appeared in 2012, came back in 2016 and again in 2018. It uses a raw disk driver and overwrites every file.
    Another .NET wiper was discovered alongside it: it changes the creation, write and access timestamps of each file to 01/01/3000 12:01:01 and overwrites each file twice.
    The raw disk driver is installed as a kernel service:

        sc create hdv_725x type= kernel start= demand binpath= WINDOWS\hdv_725x.sys 2>&1 >nul
  13. Destructive Techniques

    1) Wiper: SDelete.exe, overwriting files, deleting the MBR. To be more efficient, wipers rarely overwrite the entire hard disk.
    2) Encryption: rewrites the MBR, encrypts data, encrypts the system.
    3) Anti-forensic: removes event logs, deletes backups, disables services.
    4) DoS: botnets/exploits, advanced persistent DoS, DDoS. Usually DDoS for hire.
    5) Physical impact: modifies internal behaviour, uses exploits. Highly targeted at critical infrastructure.

    Across the categories: often designed with spreading techniques; the goal is sabotage or destruction.
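An added example of the offline check an incident responder would run on a raw disk or flash image to look for the outcomes listed on this slide. It is not code from the talk. The three indicators follow the slides (a zeroed prefix, as in VPNFilter's overwrite of the first 5000 bytes of /dev/mtdblock0; a missing 0x55AA boot signature, as when the MBR is erased; high-entropy sectors where plaintext structures should be, as after encryption), while the 4 KiB window, the 7.0 bits/byte threshold and the three sample images are the example's own assumptions, constructed in memory so it runs offline.

```python
"""Offline triage of a raw disk or flash image for the on-disk outcomes of destructive malware."""
import math
import random
from collections import Counter

SECTOR = 512
WINDOW = 4096                 # assumption: entropy is measured over 4 KiB windows
MBR_SIGNATURE = b"\x55\xAA"   # boot signature at offset 510 of sector 0
VPNFILTER_WIPE_LEN = 5000     # bytes the talk says VPNFilter zeroes at the start of /dev/mtdblock0
HIGH_ENTROPY = 7.0            # assumption: plaintext filesystems rarely exceed this over 4 KiB


def leading_zero_run(data: bytes) -> int:
    """Number of consecutive 0x00 bytes at the start of the image."""
    return len(data) - len(data.lstrip(b"\x00"))


def has_mbr_signature(data: bytes) -> bool:
    """True when sector 0 ends with the 0x55AA boot signature."""
    return len(data) >= SECTOR and data[510:512] == MBR_SIGNATURE


def shannon_entropy(block: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, close to 8.0 for random or encrypted data."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def high_entropy_windows(data: bytes) -> int:
    """Count WINDOW-sized chunks whose entropy looks like ciphertext or a random overwrite."""
    return sum(1 for off in range(0, len(data), WINDOW)
               if shannon_entropy(data[off:off + WINDOW]) > HIGH_ENTROPY)


def triage_image(image: bytes) -> dict:
    """Report the three indicators and a one-line verdict. Heuristic only: compressed or
    full-disk-encrypted volumes also score high on entropy."""
    zeros = leading_zero_run(image)
    result = {
        "zeroed_prefix": zeros,
        "mbr_signature": has_mbr_signature(image),
        "high_entropy_windows": high_entropy_windows(image),
    }
    if zeros >= VPNFILTER_WIPE_LEN:
        result["verdict"] = "zero-wiped prefix"
    elif not result["mbr_signature"]:
        result["verdict"] = "MBR boot signature missing"
    elif result["high_entropy_windows"]:
        result["verdict"] = "encrypted or overwritten sectors"
    else:
        result["verdict"] = "no destructive indicators"
    return result


# --- constructed sample images (not real dumps) ---------------------------------

def build_intact_image(size: int = 16 * 1024) -> bytes:
    """A bootable MBR with one partition entry, followed by low-entropy plaintext filler."""
    mbr = bytearray(SECTOR)
    mbr[0:7] = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"          # typical MBR code prologue
    mbr[446:462] = (b"\x80\x20\x21\x00\x07\xFE\xFF\xFF"  # bootable NTFS-type partition entry
                    + (2048).to_bytes(4, "little") + (65536).to_bytes(4, "little"))
    mbr[510:512] = MBR_SIGNATURE
    text = b"CORIIN 2019 sample filesystem content: plain text, low entropy. "
    body = (text * (size // len(text) + 1))[:size - SECTOR]
    return bytes(mbr) + body


def build_zero_wiped_image(intact: bytes) -> bytes:
    """VPNFilter-style outcome: the first 5000 bytes overwritten with zeros."""
    return b"\x00" * VPNFILTER_WIPE_LEN + intact[VPNFILTER_WIPE_LEN:]


def build_encrypted_image(intact: bytes) -> bytes:
    """Encryption-style outcome: sector 0 still bootable, everything after it replaced by
    deterministic pseudo-random bytes standing in for ciphertext."""
    rng = random.Random(2019)
    return intact[:SECTOR] + bytes(rng.getrandbits(8) for _ in range(len(intact) - SECTOR))


if __name__ == "__main__":
    intact = build_intact_image()
    for name, img in (("intact", intact),
                      ("zero-wiped", build_zero_wiped_image(intact)),
                      ("encrypted", build_encrypted_image(intact))):
        print(name, triage_image(img))
```

Run it against a forensic copy of the image with `triage_image(open(path, "rb").read())`, never against the live device. The signature check alone is not conclusive: a pseudo-ransomware that installs its own boot loader leaves a valid 0x55AA in sector 0, which is why the entropy pass over the following sectors is included.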
  14. Propagation Mechanisms

    Some destructive malware needs to be as fast as possible, and the use of legitimate tools makes it harder to detect.
    Replication and lateral movement: PsExec, WMIC…
    Credential harvesting: Mimikatz
    Exploits
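Added example, not code from the talk: detection logic run over process-creation log lines for the command lines that implement the behaviours the slides describe. The rules cover the anti-recovery steps on the OlympicDestroyer slide (shadow copy and backup catalog deletion, disabling the recovery console, clearing the System and Security logs), the kernel driver service installation from the Shamoon slide, SDelete from the techniques slide, and the PsExec/WMIC lateral movement and Mimikatz credential harvesting from this slide. The utilities in the rules (vssadmin, wbadmin, bcdedit, wevtutil, sc) are the standard Windows commands for those actions, chosen by the example rather than quoted from the talk except for the Shamoon `sc create` line; the log format and the log lines are constructed for the example.

```python
"""Detect destructive and lateral-movement command lines in process-creation logs."""
import re
from collections import defaultdict

# Each rule names a behaviour from the slides and the command line that implements it.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("event_log_cleared",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+(system|security|application)\b", re.I)),
    ("kernel_driver_service", re.compile(r"\bsc(\.exe)?\s+create\s+.*type=\s*kernel", re.I)),
    ("secure_delete_tool", re.compile(r"\bsdelete(64)?(\.exe)?\b", re.I)),
    ("remote_execution",
     re.compile(r"\bpsexec(64)?(\.exe)?\b|wmic(\.exe)?\s+/node:\S+\s+process\s+call\s+create", re.I)),
    ("credential_dumping", re.compile(r"mimikatz|sekurlsa::", re.I)),
]

# Two or more of these on one host is the pre-wipe pattern the OlympicDestroyer slide describes.
ANTI_RECOVERY = {"shadow_copy_deletion", "backup_catalog_deletion",
                 "recovery_disabled", "event_log_cleared"}

# Assumed log format (constructed for this example): timestamp, host, user, quoted command line.
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')

# Constructed sample log: a benign workstation, a lateral move, an anti-recovery
# sequence on a file server, a raw disk driver install on a DC, and a benign log query.
SAMPLE_LOG = r'''
2019-01-29T10:00:01Z host=WS01 user=CORP\jdoe cmd="C:\Windows\System32\notepad.exe report.txt"
2019-01-29T10:02:11Z host=WS01 user=CORP\svc_backup cmd="psexec.exe \\SRV-FILE01 -s cmd.exe /c dropper.exe"
2019-01-29T10:02:15Z host=SRV-FILE01 user=SYSTEM cmd="vssadmin.exe delete shadows /all /quiet"
2019-01-29T10:02:16Z host=SRV-FILE01 user=SYSTEM cmd="wbadmin.exe delete catalog -quiet"
2019-01-29T10:02:17Z host=SRV-FILE01 user=SYSTEM cmd="bcdedit.exe /set {default} recoveryenabled no"
2019-01-29T10:02:18Z host=SRV-FILE01 user=SYSTEM cmd="wevtutil.exe cl System"
2019-01-29T10:02:18Z host=SRV-FILE01 user=SYSTEM cmd="wevtutil.exe cl Security"
2019-01-29T10:06:40Z host=SRV-DC01 user=SYSTEM cmd="sc create hdv_725x type= kernel start= demand binpath= WINDOWS\hdv_725x.sys 2>&1 >nul"
2019-01-29T10:07:02Z host=WS02 user=CORP\jdoe cmd="C:\Windows\System32\wevtutil.exe qe Security /c:5"
'''


def classify(cmd: str) -> list:
    """Return the name of every rule the command line matches (empty list when benign)."""
    return [name for name, rx in RULES if rx.search(cmd)]


def parse_line(line: str):
    """Split one log line into its fields, or None when it does not fit the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(log_text: str) -> list:
    """One alert per log line whose command line matches at least one rule."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        techniques = classify(ev["cmd"])
        if techniques:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "techniques": techniques, "cmd": ev["cmd"]})
    return alerts


def flagged_hosts(alerts: list) -> list:
    """Hosts with two or more distinct anti-recovery actions: treat as an imminent wipe."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].update(a["techniques"])
    return sorted(h for h, t in seen.items() if len(t & ANTI_RECOVERY) >= 2)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["host"], ",".join(a["techniques"]), "|", a["cmd"])
    print("hosts in pre-wipe sequence:", flagged_hosts(SAMPLE_LOG and found))
```

The per-line rules are the noisy part: administrators also run `vssadmin` and `wevtutil`, which is why the host-level correlation in `flagged_hosts` only fires when several distinct anti-recovery actions appear on the same machine. In a real deployment the same rules would run over Sysmon event ID 1 or Windows 4688 command lines rather than this constructed format.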
  15. Classification

    From less destructive to more destructive (propagation mechanisms shown as the second axis):
    Destructive botnet: VPNFilter, Mirai, Reaper
    Disruptor: Olympic Destroyer
    Pseudo-ransomware: WannaCry, NotPetya, Hermes
    Wiper: Shamoon, Flame, Destover
    Physical destroyer: Stuxnet, Industroyer, Triton
  16. Business & Cybercrime

    Text of a DDoS-for-hire advertisement shown on the slide:

        We offer services to eliminate the sites and forums of your competitors using […] Our service is a quick solution to your problems with competitors and enemies.
        - Low prices (from $50)
        - 24-hour order taking
        - Hourly monitoring of all attacked resources
        Attacked resources do not show signs of life during the attack, as is often the case.
        - Day: from $50
        - Week: from $300
        - Month: from $1000
  17. Business & Cybercrime

    DDoS as a Service, powered by the Bushido botnet. The authors claimed 500 Gbps of power.
    Source: https://www.fortinet.com/blog/threat-research/ddos-for-hire-service-powered-by-bushido-botnet-.html
  18. Motivation behind such attacks

    Motivations: financial, ideology, competition, hacktivism, terrorism, revenge.
    Actors: nation states, terrorists, APT groups, script kiddies, organized crime, hacktivists, insiders.
  19. Ransomware for Destruction and Distraction

    A Taiwanese bank was hacked in 2017. The cybercriminals attempted to wire US$60 million. They had remote access through a backdoor on the endpoints, and the backdoor carried a copy of the Hermes ransomware in its resources. The ransomware encrypted the files, but no ransom note was displayed.
  20. Motivation behind such attacks

    CyanWeb was targeted in June 2018. The company experienced a DDoS attack as a lure; at the same time, having gained access, the attackers delivered a wiper to destroy all the data.
  21. Motivation behind such attacks: Shamoon

    The Shamoon authors left a political message in each wave:
    Shamoon v1 (2012): a burning American flag
    Shamoon v2 (2016): a Syrian refugee
    Shamoon v3 (2018): a verse from the Quran (Surah Al-Masad, 111:1), "perish the hands of the Father of flame"
  22. What to do?

    Destructive malware is an aggressive threat that needs to be addressed seriously!
    Network and user segregation
    Increase awareness of systems that can be used as a gateway to pivot (lateral movement)
    Patch management by prioritization
    Backups
    Incident response plan
  23. What to expect in the future?

    Destructive malware will continue to evolve and to be used as an economic and political weapon against states and organizations.
    Supply-chain attacks as a spreading technique will become more common.
    DDoS botnets will become more powerful.
    Targeted attacks on critical assets will become more sophisticated.
  24. Take Away

    Destructive malware is a serious threat that can take down a whole company or a country. Destructive malware uses several techniques, and some families use propagation mechanisms. Motivations and actors differ.
  25. References

    https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
    https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
    https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/triton-malware-spearheads-latest-generation-of-attacks-on-industrial-systems/
    https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
    https://blog.talosintelligence.com/2018/05/VPNFilter.html
    https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/
    https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/
    https://www.fortinet.com/blog/threat-research/ddos-for-hire-service-powered-by-bushido-botnet-.html
    https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
    Icons: https://www.flaticon.com
  26. Thank You

    Thomas ROCCIA, Security Researcher, Advanced Threat Research. @fr0gger_, https://securingtomorrow.mcafee.com/author/thomas-roccia/
    Q&A