The Anatomy of Wiper Malware, Part 3: Input/Output Controls | CrowdStrike

MITRE Techniques

• [T1082] System Information Discovery – DriveSlayer uses IOCTL_DISK_GET_DRIVE_GEOMETRY_EX and IOCTL_DISK_GET_DRIVE_GEOMETRY_EX to obtain information about partitions and geometry of a drive, helping locate MFTs/MBRs for wiping. – “DriveSlayer is using the IOCTL_DISK_GET_DRIVE_LAYOUT_EX and IOCTL_DISK_GET_DRIVE_GEOMETRY_EX IOCTLs to obtain information about the partitions and geometry of a drive. This helps the wiper to determine the location of the MFTs and MBRs in order for them to be scheduled for wiping.”
• [T1083] File and Directory Discovery – Wipers determine existing files by parsing the MFT rather than walking directories. – “Wipers like DriveSlayer will attempt to determine existing files by parsing the MFT rather than walking the directories and files recursively.”
• [T1485] Data Destruction – Overwriting disk sectors and boot/MBR destruction – “Destroying All Disk Contents” and “IOCTL_DISK_DELETE_DRIVE_LAYOUT that removes the boot signature from the master boot record, so that the disk will be formatted from sector zero to the end of the disk.”
• [T1485] Data Destruction – Volume lock/unmount to hinder recovery – “FSCTL_LOCK_VOLUME and FSCTL_DISMOUNT_VOLUME IO control codes … for locking and dismounting the volume.”
• [T1485] Data Destruction – Overwriting and fragmentation of data – “Overwriting occupied clusters with randomly generated data” and “DriveSlayer will use this bitmap to overwrite occupied clusters with randomly generated data.”
• [T1485] Data Destruction – Data fragmentation and file relocation – “FSCTL_GET_RETRIEVAL_POINTERS” and “FSCTL_MOVE_FILE” used to fragment and relocate data on disk.
• [T1083] File and Directory Discovery (supporting detail) – File iteration and NTFS file record data used to queue files for wiping – “The wiper continues by relocating virtual clusters using the FSCTL_MOVE_FILE IOCTL” and “Gathers file record information via FSCTL_GET_NTFS_FILE_RECORD.”