Two waves of ransomware and wiper attacks targeted Albanian government and law-enforcement systems, with later samples signed using stolen digital certificates from Nvidia and Kuwait Telecommunications Company. The campaigns show cross-language cooperation, possible entry via AnyDesk, and Shamoon-like automation in the second wave.
Hashtags: #ROADSWEEP #ZEROCLEARE #Shamoon #AnyDesk #NVIDIA #KuwaitTelecommunicationsCompany #TIMS #ADAM #MEMEX #Albania
Keypoints
- The first and second waves targeted Albanian entities, including TIMS, ADAM, and MEMEX systems used by government and law enforcement.
- Malware was signed with stolen certificates from Nvidia (leaked) and Kuwait Telecommunications Company (revoked), enabling trusted execution.
- Wave 2 embeds a raw disk driver and automates wiping right after driver installation, increasing speed and evasion, with Shamoon-like characteristics.
- There are traces of cooperation across language groups and potential use of AnyDesk as an initial access point.
- Wave 2 introduces changes such as six-argument invocation, a different mutex, and RC4 key changes to hinder detection.
- Ransomware notes retain political messaging linking Albania and Iran, underscoring geopolitical dimensions of the attacks.
- Defensive guidance emphasises monitoring AnyDesk usage and watching for expired or leaked signing certificates.
MITRE Techniques
- [T1133] External Remote Services β Use of AnyDesk as an entry point to deploy ransomware or wiper malware. Quote: ββ¦Suggestions for Persian-speaking hackers to use it for deploying ransomware or wiper malware.β
- [T1553.001] Code Signing β Signing malware with stolen certificates from Nvidia and Kuwait Telecom to bypass trust. Quote: βThe threat actors used certificates from Nvidia and Kuwait Telecommunications Company to sign their malware; the former was already leaked.β
- [T1021] Lateral Movement β Ransomware likely deployed over the internal network from another compromised machine. Quote: βthe ransomware was probably deployed over the internal network, possibly from another compromised machine.β
- [T1059.003] Command-Line β Wave 2 ransomware invoked directly from the command line using six zeros (β000000β). Quote: βinvoked the wave 2 ransomware immediately from the command line using six zeroes: β000000β.β
- [T1486] Data Encrypted for Impact β The encryption used is RC4 in both waves. Quote: βThe encryption algorithm used is RC4 in both wave 1 and wave 2.β
- [T1485] Data Destruction β Wiping activity starts automatically after driver installation in wave 2. Quote: βThe wiping activity starts automatically after the driver installation command.β
Indicators of Compromise
- [File hashes] Ransomware and wiper samples β 96eabcc77a6734ea8587599685fbf1b4, 64cb923be15ae255b82e7ebcf24ccfc5
- [File names] PdftoDoc.exe, DiskSnapshot.exe
- [Mutexes] Wave 2: Screenlimitsdevices#77!; Wave 1: abcdefghijklmnopqrstuvwxyz01234567890abcdefghijklmnopqrstuvwxyz01234567890
- [Imphash] wave1: 653ee44c85bc91d12ec33dfed8056c27; wave2: 81CA8B811412284938148FC4F2A76C09
- [Signing certificates] Nvidia certificate: 14 78 1B C8 62 E8 DC 50 3A 55 93 46 F5 DC C5 18; Kuwait Telecommunications company certificate: 01 FD D0 93 F6 50 87 F4 E9 AE 11 ED 65 0D 83 E8
- [Link times] Wed Jul 06 21:30:41 2016; Thu Sep 08 03:43:36 2022
Read more: https://securelist.com/ransomware-and-wiper-signed-with-stolen-certificates/108350/