Windows 10: Windows 10: protection against recent Depriz malware attacks

  1. Brink's Avatar
    Posts : 33,158
    64-bit Windows 10 Pro build 18262
       10 Dec 2016 #1

    Windows 10: protection against recent Depriz malware attacks

    A few weeks ago, multiple organizations in the Middle East fell victim to targeted and destructive attacks that wiped data from computers, and in many cases rendering them unstable and unbootable. Destructive attacks like these have been observed repeatedly over the years and the Windows Defender and Windows Defender Advanced Threat Protection Threat Intelligence teams are working on protection, detection, and response to these threats.

    Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.

    Although the extent of damage caused by this latest attack by TERBIUM is still unknown, Windows 10 customers are protected. Windows 10 has built-in proactive security components, such as Device Guard, that mitigate this threat; Windows Defender customers are protected through multiple signature-based detections; and Windows Defender Advanced Threat Protection (ATP) customers are provided extensive visibility and detection capabilities across the attack kill chain, enabling security operation teams to respond quickly. Microsoft’s analysis has shown that the components and techniques used by TERBIUM in this campaign trigger multiple detections and threat intelligence alerts in Windows Defender Advanced Threat Protection.

    Attack composition

    Microsoft Threat Intelligence has observed that the malware used by TERBIUM, dubbed “Depriz” by Microsoft, reuses several components and techniques seen in the 2012 attacks, and has been highly customized for each targeted organization.

    We do not see any indicators that a zero-day exploit is being used by TERBIUM.

    Step 1: Writing to disk

    The initial infection vector TERBIUM uses is unknown. As credentials have been hard-coded in the malware TERBIUM uses, it is suspected that TERBIUM has harvested credentials or infiltrated the target organization previously. Once TERBIUM has a foothold in the organization, its infection chain starts by writing an executable file to disk that contains all the components required to carry out the data-wiping operation. These components are encoded in the executables resources as fake bitmap images.

    Click image for larger version. 

Name:	shamoon-depriz-implants.png 
Views:	68 
Size:	277.5 KB 
ID:	113079

    Figure 1. The components of the Trojan are fake bitmap images

    We decoded the components as the following files:

    • PKCS12 – a destructive disk wiper component
    • PKCS7 – a communication module
    • X509 – 64-bit variant of the Trojan/implant

    Step 2: Propagation and persistence through the target network

    We have seen TERBIUM use hardcoded credentials embedded in the malware to propagate within a local network. The availability of these credentials to the activity group suggests that the attacks are highly targeted at specific enterprises.

    The propagation and persistence is carried out as follows:

    1. First, it tries to start the RemoteRegistry service on the computer it is trying to copy itself to, then uses RegConnectRegistryW to connect to it.
    2. Next, it attempts to disable UAC remote restrictions by setting the LocalAccountTokenFilterPolicy registry key value to “1”.
    3. Once this is done, it connects to the target computer and copies itself as %System%\ntssrvr32.exe or %System%\ntssrvr64.exe before setting either a remote service called “ntssv” or a scheduled task.

    Step 3: Wiping the machine

    Next, the Trojan installs the wiper component. Note: TERBIUM establishes a foothold throughout the organization and does not proceed with the destructive wiping operation until a specific date/time: November 17, 2016 at 8:45 p.m.

    The wiper component is installed as %System%\<random name>.exe. During our testing, it used the name “routeman.exe”, but static analysis shows it can use several other names that attempt to imitate file names of legitimate system tools.

    The wiper component also contains encoded files in its resources as fake bitmap images.

    The first encoded resource is a legitimate driver called RawDisk from the Eldos Corporation that allows a user mode component raw disk access. The driver is saved as %System%\drivers\drdisk.sys and installed by creating a service pointing to it using “sc create” and “sc start”. This behavior can be observed in the process tree available in the Windows Defender ATP portal. The below alert represents an example of the generic detections in Windows Defender ATP:

    Click image for larger version. 

Name:	Shamoon2-1024x312.png 
Views:	4 
Size:	178.6 KB 
ID:	113082

    Figure 2.
    Windows Defender ATP alert: Depriz starting ephemeral service to load RawDisk driver “drdisk”

    Click image for larger version. 

Name:	Shamoon3-1024x558.png 
Views:	5 
Size:	237.3 KB 
ID:	113080

    Figure 3. Windows Defender ATP event tree: Depriz Trojan dropping the wiper component (named “routeman” in this instance), which in turn drops the RawDisk driver “drdisk”

    There are two interesting things worth noting about RawDisk:

    • It requires a valid license key from Eldos Corporation to run. However, the license key included in Depriz is the same as the one used in the 2012 attacks – and this license key was only valid for a short period in 2012. TERBIUM works around this by changing the system time on targeted computers to a valid period in 2012.
    • It is the same as the driver used in the 2012 attacks.

    Click image for larger version. 

Name:	Shamoon4-1024x239.png 
Views:	5 
Size:	127.9 KB 
ID:	113081

    Figure 4. Depriz license key (the same as the one used in 2012 attacks) and its limited validity period

    The wiper component uses an image file to overwrite files in locations listed in the following:

    • Master Boot Records (MBR)
    • HKLM\System\CurrentControlSet\Control\SystemBootDevice
    • HKLM\System\CurrentControlSet\Control\FirmwareBootDevice
    • C:\Windows\System32\Drivers
    • C:\Windows\System32\Config\systemprofile
    • Typical user folders like “Desktop”, “Downloads”, “Documents”, “Pictures”, “Videos” and “Music

    Microsoft is also aware of a second threat that uses a distinct wiping component. We detect this as Trojan:Win32/Cadlotcorg.A!dha in Defender and generic detections with Defender ATP. Microsoft is continuing to monitor for additional information on this threat.

    Step 4: Rendering the machine unusable

    Finally, the following command is used to reboot the system into the intended unusable state:

    shutdown -r -f -t 2

    When the computer attempts to restart after shutting down, it is unable to find the operating system because the MBR was overwritten in step 3. The machine will no longer boot properly.

    Mitigation: Multiple layers of protection from Microsoft

    Windows 10 protects, detects and responds to this threat. Windows 10 has built-in proactive security components, such as Device Guard, that mitigate this threat by restricting execution to trusted applications and kernel drivers.

    In addition, Windows Defender detects and remediates all components on endpoints as Trojan:Win32/Depriz.A!dha, Trojan:Win32/Depriz.B!dha, Trojan:Win32/Depriz.C!dha, and Trojan:Win32/Depriz.D!dha.

    Windows Defender Advanced Threat Protection (ATP), our post-breach security service, provides an additional layer of security to enterprise users. With threat intelligence indicators, generic detections, and machine learning models, Windows Defender ATP (trial link) provides extensive visibility and detection capabilities across the attack kill chain of threats like TERBIUM.

    Appendix – Indicators of compromise

    We discovered the following SHA1s in relation to TERBIUM:

    SHA1 hashes for malicious files

    • 5c52253b0a2741c4c2e3f1f9a2f82114a254c8d6
    • e7c7f41babdb279c099526ece03ede9076edca4e
    • a2669df6f7615d317f610f731b6a2129fbed4203
    • 425f02028dcc4e89a07d2892fef9346dac6c140a
    • ad6744c7ea5fee854261efa403ca06b68761e290

    SHA1 hashes for legitimate RawDisk drivers

    • 1292c7dd60214d96a71e7705e519006b9de7968f
    • ce549714a11bd43b52be709581c6e144957136ec

    Signature names for malicious files

    Mathieu Letourneau
    Windows Defender Advanced Threat Protection Threat Intelligence Team

    Source: Windows 10: protection, detection, and response against recent Depriz malware attacks Microsoft Malware Protection Center
      My ComputersSystem Spec

  2. Pendaws's Avatar
    Posts : 310
    Windows 10 Pro 64bit 1803 (17134.137)
       12 Dec 2016 #1

    Thanks for the heads up :)
      My ComputerSystem Spec


Related Threads
Read more: Data Protection or Virus Protection? | AV-TEST And people are still concerned about Windows privacy, while installing 3rd party AVs like their life depends on it. :zip:
Multi-Vector DDoS Attacks Are Becoming the Norm 47% of all multi-vector DDoS attacks were launched in Q4 '15 72430 Read more:
it saids is ethernet unidentified network? no internet access sharing option is off. i try restarting the pc:( it use to work fine until the update bridging network cable
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 06:07.
Find Us