January 18, 2022

Ukraine Organizations Targeted with “Destructive” Malware

Industry: N/A | Level: Strategic | Source: Microsoft

Microsoft Threat Intelligence Center (MSTIC) has identified “destructive” malware targeting organizations in Ukraine. The threat, tracked as DEV-0586, uses malware designed to render affected systems inoperable: ransom notes are provided, but recovery mechanisms are withheld. The activity also does not align with typical ransomware operations, since the notes and payloads are not customized per victim.

The scope of impact, based on Microsoft’s visibility, is still being measured as the investigation unfolds; at present there are a dozen impacted systems (possibly more). The identified impacted organizations are in the government, non-profit and information technology sectors. Microsoft first recognized this activity on January 13th, 2022, when it observed intrusion activity involving “Master Boot Records (MBR) Wiper activity”.

The attack appears to be a two-stage process. The first-stage malware is dropped as “stage1.exe” in the directories C:\PerfLogs, C:\ProgramData, C:\, and C:\temp; it is executed via Impacket and overwrites the Master Boot Record (MBR). The second-stage file corrupter, “Stage2.exe”, has been identified as hosted on a Discord channel; when executed, it corrupts files in certain directories, targeting files with specific extensions, as described by Microsoft: “If a file carries one of the extensions above, the corrupter overwrites the contents of the file with a fixed number of 0xCC bytes (total file size of 1MB). After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension.”
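As an added defender-side triage example (not code from Microsoft or from this digest), the script below walks a directory tree and flags files matching the corruption signature quoted above (a file of exactly 1 MB consisting only of 0xCC bytes, with the four-character extension as a secondary indicator), and checks the listed drop directories for a file named stage1.exe. The sample files it builds are constructed, and reading “1MB” as 1 MiB (1048576 bytes) is an assumption of this example.

```python
import os
import tempfile
from pathlib import Path

# Indicators quoted in the advisory: the corrupter fills a file with 0xCC bytes
# to a total size of 1 MB, then renames it with a random four-byte extension.
# Reading "1MB" as 1 MiB (1048576 bytes) is an assumption of this example.
CORRUPT_SIZE = 1024 * 1024
FILL_BYTE = 0xCC
STAGE1_DIRS = ["C:\\PerfLogs", "C:\\ProgramData", "C:\\", "C:\\temp"]  # from the advisory

def is_cc_filled(path, size=CORRUPT_SIZE):
    """True if the file is exactly `size` bytes and every byte is 0xCC."""
    p = Path(path)
    if not p.is_file() or p.stat().st_size != size:
        return False
    with p.open("rb") as fh:
        while chunk := fh.read(65536):
            if chunk.count(FILL_BYTE) != len(chunk):  # any other byte rules it out
                return False
    return True

def has_four_byte_extension(path):
    """Weaker, secondary indicator: suffix is a dot followed by four characters."""
    return len(Path(path).suffix) == 5

def scan_for_corrupted_files(root):
    """Walk `root`; return (path, four_byte_ext) for each file matching the fill signature."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if is_cc_filled(full):
                hits.append((full, has_four_byte_extension(full)))
    return sorted(hits)

def find_stage1_dropper(dirs=STAGE1_DIRS, name="stage1.exe"):
    """Return each listed drop directory that currently holds a file named stage1.exe."""
    return [d for d in dirs if os.path.isfile(os.path.join(d, name))]

def build_sample_tree():
    """Constructed sample data (not real victim files): one wiped file, two benign ones."""
    root = tempfile.mkdtemp(prefix="wipe-triage-")
    Path(root, "budget.k9z2").write_bytes(bytes([FILL_BYTE]) * CORRUPT_SIZE)       # matches
    Path(root, "notes.txt").write_bytes(b"quarterly notes\n")                      # benign
    Path(root, "half.bin").write_bytes(bytes([FILL_BYTE]) * (CORRUPT_SIZE // 2))   # wrong size
    return root

if __name__ == "__main__":
    for path, ext_hit in scan_for_corrupted_files(build_sample_tree()):
        print(f"0xCC-filled 1 MiB file: {path} (four-byte extension: {ext_hit})")
```

Point `scan_for_corrupted_files` at a mounted image or a suspect share to list candidate wiped files; a 0xCC fill of exactly the stated size is far more specific than the extension check alone.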