@F rØgger_ Thomas Roccia Overview of HermeticWiper Initial entry point and deployment Exchange Server Compromised Tomcat Exploit PowerShell for post compromission Conhosts.exe (Wiper Loader) Name: Hermetica Digital Ltd :Status: Valid Issuer: DigiCert EV Code Signing CA (SHA2) Valid From: 12:00 AM 04/13/2021 Valid To: 11:59 PM 04/14/2022 Valid Usage: Code Signing Algorithm: sha256RSA Thumbprint: 1AE7556DFACD47D9EFBE79BE974661A5A6D6D923 Serial Number: 0C48732873AC8CCEBAF8F0E1E8329CEC Certificate MBR and Partition corruptions Bytes overwriting Anti-forensic Check OS Architecture and drop the resource accordingly RCDATA Resource MS compress: “empntdrv.sys“ • DRV_X64: Windows 7+ 6’ bits • DRV-X86: Windows 7+ 32 bits • DRV_XP_X64: Windows XP 64 bits • DRV_XP_X86: Windows XP 32 bits Disable VSS Service if enabled Webshell • Set Registry key SYSTEM\\CurrentControlSet\\Control\CrashControl\ CrashDumpEnabled = 0 to avoid that no file are written when the system terminates abnormally. • Delete the service registry key previously created to run the driver: SYSTEM\CurrentControlSet\\Services\ • Disables ShowCompColor and ShowInfoTip in all HKEY_USERS registry: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowCompColor = 0 ShowInfoTip = 0 Drop the driver into C:\Windows\system32\Drivers\dr.sys Load the driver using SeLoadDriverPrivilege Run the driver as a service using API OpenSCManagerW(), OpenServiceW(), CreateServiceW() and StartServiceW() • Creates named pipe \\\\.\\EPMNTDRV\\%u for driver com • Get handle from the function DeviceIoControl with IoControlCode 0x560000 (IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS) to get the device number. $LOGFILE log file containing all actions performed on the volume. $I30 Windows NTFS Index Attribute $ATTRIBUTE_LIST Lists the location of all attribute records that do not fit in the MFT record $EA Extended the attribute index $EA_INFORMATION Extended attribute information $SECURITY_DESCRIPTOR Security descriptor stores ACL and SIDs $DATA Contains the default file data $INDEX_ROOT Used to support folders and other indexes $INDEX_ALLOCATION The type name for a Directory Stream. A string for the attribute code for index allocation $BITMAP A bitmap index for a large directory. $REPARSE_POINT Used for volume mount points $LOGGED_UTILITY_STREAM Use by the encrypting file system IMPACT Enumerates Windows files, Event Logs and Windows Restaure Points • “My Documents”, “Desktop”, “AppData” • "\\\\?\\C:\\Windows\\System32\\winevt\\Logs") • "C:\System Volume Information" EaseUS driver Get privileges: • SeShutdownPrivilege • SeBackupPrivilege • SeLoadDriverPrivilege Get MFT and NTFS Attributes Sample Analyzed: SHA256: 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da External Sources: https://gist.github.com/fr0gger/7882fde2b1b271f9e886a4a9b6fb6b7f Deployment via GPO Rev: Version 2