The Anatomy of Wiper Malware, Part 2: Third-Party Drivers | CrowdStrike

Part 2 of the wiper series explains how threat actors exploit legitimate third-party kernel drivers to bypass detection and perform disk wiping in kernel space, focusing on ElRawDisk and EPMNTDRV. It also covers how these drivers are loaded (via Service Control Manager) and used to wipe disks, with CrowdStrike Falcon providing visibility and monitoring insights.
#ElRawDisk #Shamoon #ZeroCleare #DriveSlayer #Dustman #Eldos #EaseUs #TDL #CrowdStrike #Falcon

Key Points

  • Threat actors move wiper operations into kernel space to overcome user-mode limitations and detection.
  • Many wipers rely on third-party kernel drivers, notably ElRawDisk by Eldos, to proxy actions from user mode into kernel mode.
  • Wipers such as Destover, DriveSlayer, Shamoon, Dustman, and ZeroCleare use ElRawDisk, with DriveSlayer relying on a driver by EaseUs (EPMNTDRV).
  • ElRawDisk operates as a proxy driver; after loading, the wiper authenticates via a key appended to the device name and then uses CreateFile to interact with the driver.
  • Shamoon, Dustman, and ZeroCleare exploit various IOCTLs and DeviceIoControl calls (e.g., FSCTL_GET_RETRIEVAL_POINTERS, IOCTL_DISK_GET_PARTITION_INFO_EX) to locate and erase disk sectors.
  • DriveSlayer demonstrates how legitimate drivers are loaded and controlled via Windows SCM and dispatch routines to enable disk operations.
  • CrowdStrike Falcon is highlighted as offering continuous monitoring and visibility to detect these kernel-based wiping activities.

MITRE Techniques

  • [T1218] Signed Binary Proxy Execution – Threat actors use legitimate third-party drivers (ElRawDisk, EPMNTDRV) to proxy disk operations from user mode into kernel space. Quote: “…threat actors may attempt to write their own kernel drivers, but this approach is difficult for a number of reasons.” and “Legitimate drivers are also seen as ‘clean’ by security vendors and it would not be blocked when they are installed.”
  • [T1543] Windows Service – Drivers are installed on infected machines via Service Control Manager APIs or sc.exe, enabling persistence and kernel access. Quote: “Usually this is achieved by dropping the driver to disk and loading it via the Service Control Manager APIs, or the sc.exe tool.”
  • [T1485] Data Destruction – Wipers overwrite disk sectors and attempt to destroy data, including entire disks and partitions. Quote: “Shamoon attempts to wipe the entire disk” and “overwrites the sectors using WriteFile and SetFilePointer APIs.”
  • [T1036] Masquerading – Legitimate drivers are seen as “clean” by security vendors and may not be blocked, enabling attackers to masquerade as legitimate tools. Quote: “Legitimate drivers are also seen as ‘clean’ by security vendors and it would not be blocked when they are installed.”
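The key points above and the T1543 entry both describe the same loading step: the wiper drops a legitimate disk-access driver and registers it as a kernel service through the Service Control Manager or sc.exe. One place a defender can see that step is the Windows System log, which records every new service as Event ID 7045 with its name, image path and service type. The following is an added detection sketch, not CrowdStrike's or Falcon's code; the record field names (ServiceName, ImagePath, ServiceType) are an assumption about how an EVTX parser would emit them, and the events are constructed samples.

```python
"""Flag kernel-driver service installs (System log Event ID 7045) that match
the third-party disk drivers wipers abuse, or that load from an unusual path.
Added example with constructed events; field names are assumed."""
import re

# Driver names named on the page; matched case-insensitively against
# the service name and the image path.
KNOWN_ABUSED = {"elrawdisk", "epmntdrv"}

# Legitimate drivers normally live here; a kernel driver dropped to a user-
# writable directory (as the page describes) fails this check.
SYS_DRIVER_DIR = re.compile(r"^(\\\?\?\\)?c:\\windows\\system32\\drivers\\", re.I)

# Constructed 7045 records (not real telemetry).
EVENTS = [
    {"EventID": 7045, "ServiceName": "ElRawDisk",
     "ImagePath": r"C:\Users\Public\drv\elrawdisk.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    {"EventID": 7045, "ServiceName": "EPMNTDRV",
     "ImagePath": r"\??\C:\ProgramData\epmntdrv.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    {"EventID": 7045, "ServiceName": "MyBackupSvc",
     "ImagePath": r"C:\Program Files\Backup\svc.exe",
     "ServiceType": "user mode service", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "vendor_nic",
     "ImagePath": r"C:\Windows\System32\drivers\vnic.sys",
     "ServiceType": "kernel mode driver", "StartType": "boot start"},
]


def classify(event):
    """Return the list of reasons a 7045 record is suspicious; [] if benign."""
    reasons = []
    if event.get("EventID") != 7045:
        return reasons
    if "kernel" not in event.get("ServiceType", "").lower():
        return reasons  # user-mode services are outside this rule's scope
    name = event["ServiceName"].lower()
    image = event["ImagePath"].lower()
    if any(k in name or k in image for k in KNOWN_ABUSED):
        reasons.append("known wiper-abused disk driver")
    if not SYS_DRIVER_DIR.match(image):
        reasons.append("kernel driver loaded from outside System32\\drivers")
    return reasons


def scan(events):
    """Map each flagged service name to its reasons; unflagged events are dropped."""
    return {e["ServiceName"]: classify(e) for e in events if classify(e)}
```

Either reason on its own is worth an alert; the path check also catches a renamed copy of one of these drivers that the name list would miss.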

Indicators of Compromise

  • [Hash] SHA256 hashes associated with wiper families (Shamoon, ZeroCleare, etc.) – e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a, becb74a8a71a324c78625aa589e77631633d0f15af1473dfe34eca06e7ec6b86 and two more hashes
  • [File] Driver names implicated in the attacks – ElRawDisk, EPMNTDRV
  • [IOCTL/Device] IOCTL codes and device control patterns used to wipe disks – IOCTL_DISK_GET_PARTITION_INFO_EX, FSCTL_GET_RETRIEVAL_POINTERS

Read more: https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-2/