This fourth post in a four-part series examines the rarely used “helper” techniques wipers employ to augment data destruction, such as manipulating VSS, filling disk space, and altering boot configurations. It covers methods like shadow-copy deletion, space-filling writes, boot configuration changes, AD interaction, scripts, and reboot/shutdown tactics, with examples from multiple families like Meteor, DriveSlayer, Apostle, and Petya.
#Meteor #DriveSlayer #Apostle #Petya
Keypoints
- Focuses on rarely used helper techniques that support or extend wiper activity beyond basic file deletion.
- Shadow copies are targeted to hinder recovery, notably via wmic.exe shadowcopy delete and vssadmin.exe delete shadows.
- Some wipers disable or bypass VSS services rather than deleting snapshots, such as DriveSlayer’s approach to disable the VSS service.
- IsaacWiper adds data by filling unallocated space with random data to reduce recoverability.
- Meteor wiper alters boot configuration to render systems unbootable using bcdedit and related commands.
- Active Directory interactions include domain checks and, in some cases, unjoining from domains to maintain persistence or avoid DC-specific behavior.
- Scripts (batch files) enable wipers to leverage OS functionality for rapid, broad deletions, exemplified by Apostle and Olympic wipers.
MITRE Techniques
- [T1490] Inhibit System Recovery – Shadow copies are deleted to hinder recovery; “During ransomware attacks, many ransomware families will attempt to delete the shadow copies of the Windows OS.”
- [T1485] Data Destruction – Filling disk space with random data to reduce recoverability; “The IsaacWiper wiper creates a thread that tries to fill the unallocated space of the disk with random data…”
- [T1542.003] Boot or Logon Autostart: Boot Configuration Data – Modifying boot configuration to render OS unbootable; “Meteor wiper … makes the operating system unbootable by changing the boot configuration of the infected machine. This can be done by either corrupting the system’s boot.ini file, or by using a series of bcdedit commands.”
- [T1082] System Information Discovery – Detecting domain status to avoid DCs and tailor behavior; “CaddyWiper uses the DsRoleGetPrimaryDomainInformation API to determine if the victim machine is not a primary domain controller.”
- [T1082] System Information Discovery – Unjoining from the domain to avoid domain controller constraints; the NetUnjoinDomain API (or an equivalent wmic command) is used to leave the domain and join a workgroup.
- [T1059.003] Windows Command Shell – Script-based wiping using batch files (Apostle, Olympic); “Apostle is dropping and executing the following script:”
- [T1106] Native API – Reboot/Shutdown via native calls (e.g., NtRaiseHardError) to force OS reboot; “The Petya wiper variant implements a different approach, calling NtRaiseHardError instead of ExitWindowsEx.”
- [T1112] Modify Registry – Registry keys altered to disable crash dumps or wipe registry data; “DriveSlayer changes registry key value to 0x0 via RegOpenKey and RegSetValue”
- [T1562.001] Impair Defenses – Disabling the VSS service to hinder data recovery; “DriveSlayer … disable the VSS service”
- [T1485] Data Destruction – Wipers may transition between ransomware and wiper paradigms or create variants; “Some malware authors decide to use the same source code to transition their malware from ransomware to wiper or vice versa.”
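As an added illustration of the detection side of the shadow-copy deletion and boot-configuration points above (example code, not from the CrowdStrike post), the following Python flags the recovery-inhibiting command lines the summary names while ignoring read-only use of the same tools. It assumes command lines come from a process-creation source such as Sysmon Event ID 1 or Security event 4688; the records it scans and the rule labels are constructed for the example.

```python
"""Flag T1490-style recovery inhibition (shadow-copy deletion, boot
configuration changes) in process-creation command lines."""
from typing import List, Optional, Tuple

# Constructed sample records: (parent image, command line). Not from the post.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("cmd.exe", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("cmd.exe", "wmic.exe shadowcopy delete"),
    ("cmd.exe", "bcdedit.exe /set {default} recoveryenabled no"),
    ("cmd.exe", "vssadmin.exe list shadows"),      # benign enumeration
    ("explorer.exe", "bcdedit.exe /enum"),          # benign read-only query
    ("svchost.exe", "notepad.exe report.txt"),      # unrelated process
]

# bcdedit verbs that modify the BCD store; /enum and friends only read it.
BCDEDIT_WRITE_VERBS = {"/set", "/deletevalue", "/delete"}


def _image_name(token: str) -> str:
    """Strip quotes and any path: 'C:\\...\\vssadmin.exe' -> 'vssadmin.exe'."""
    return token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(command_line: str) -> Optional[str]:
    """Return a rule label when the command line inhibits recovery, else None."""
    tokens = command_line.split()
    if not tokens:
        return None
    image = _image_name(tokens[0])
    args = [t.lower() for t in tokens[1:]]
    if image in ("vssadmin", "vssadmin.exe") and "delete" in args and "shadows" in args:
        return "T1490 vssadmin delete shadows"
    if image in ("wmic", "wmic.exe") and "shadowcopy" in args and "delete" in args:
        return "T1490 wmic shadowcopy delete"
    if image in ("bcdedit", "bcdedit.exe") and BCDEDIT_WRITE_VERBS.intersection(args):
        return "T1490 bcdedit boot configuration change"
    return None


def scan(events: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (parent, command line, rule) for every matching event."""
    findings = []
    for parent, cmd in events:
        rule = classify(cmd)
        if rule:
            findings.append((parent, cmd, rule))
    return findings


if __name__ == "__main__":
    for parent, cmd, rule in scan(SAMPLE_EVENTS):
        print(f"{rule}: parent={parent} cmd={cmd}")
```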
Indicators of Compromise
Read more: https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-4/