Stolen certificates in two waves of ransomware and wiper attacks

Introduction

On July 17, 2022, Albanian news outlets reported a massive cyberattack that affected Albanian government e-services. A few weeks later, it was revealed that the cyberattacks were part of a coordinated effort likely intended to cripple the country’s computer systems. On September 10, 2022, Albanian local news reported a second wave of cyberattacks targeting Albania’s TIMS, ADAM and MEMEX systems – the latter two systems critical for law enforcement – reportedly using the same attack type and by the same actors.

Around the same time, we identified ransomware and wiper malware samples resembling those used in the first wave, though with a few interesting modifications that likely allowed evasion of security controls and better attack speeds. Chief among those changes are the embedding of a raw disk driver, providing direct hard disk access inside the malware itself, modified metadata, and the use of Nvidia’s leaked code signing certificate to sign the malware.

So, what’s new in this blogpost?

• We compare the first and second waves of ransomware and wiper malware used to target Albanian entities and detail connections with previously known ROADSWEEP ransomware and ZEROCLEARE variants.
• The threat actors used certificates from Nvidia and Kuwait Telecommunications Company to sign their malware; the former was already leaked, but we’re not sure how they got their hands on the latter.
• We identified potential cooperation between different attack groups speaking different languages, and the possible use of AnyDesk as an initial entry point to start the ransomware/wiper infections.
• The changes implemented to automate and speed up wiping in the second wave of attacks are reminiscent of the notorious Shamoon wiper attacks in the Middle East.

Wiper and ransomware, comparing wave 1 and wave 2

Below, we compare and discuss the differences between the wave 1 and wave 2 ransomware and wiper malware.

Initial Infection – traces of cooperation between different attack groups and use of AnyDesk utility

Although we weren’t able to identify the initial entry point of the threat actor in the analyzed intrusion, a few days after the second wave wiping activities, we noticed underground chatter about someone having access to an AnyDesk account at another non-governmental but significant Albanian entity, and suggestions for Persian-speaking hackers to use it for deploying ransomware or wiper malware. This may increase the likelihood that the initial entry point for wave 2 is through legitimate remote access software such as AnyDesk, especially since we know that the wave 2 wiper modifications included automatic execution upon driver installation only – potential need for urgency due to the limited time/access window. The attackers and access provider seemed to belong to different attack groups and spoke different languages.

The ransomware – use of Kuwait Telecommunications Company signing certificate

This second wave sample has the same signing certificate parameters as the first wave sample, which is related to Kuwait Telecommunications Company. It’s unclear how the threat actor was able to sign its malware using Kuwait Telecommunications Company’s certificate, but we suspect it was stolen. As of the date of this publication, the certificate is no longer valid and has been revoked.

After the initial execution, the wave 2 ransomware checks for any six arguments (or more) supplied by the threat actor, as opposed to the wave 1 sample that checks for five arguments or more – a small modification that assists in defense evasion. Nevertheless, the intrusion analysis conducted on one of the affected machines indicates that in wave 2 the threat actor did not use a BAT file to invoke the ransomware while supplying seven digits similar to wave 1, but instead invoked the wave 2 ransomware immediately from the command line using six zeroes: “000000”. If ransomware execution fails because the correct arguments are not supplied, the wave 2 sample displays a different message from that of wave 1; the wave 2 message resembles an error message displayed by a PDF to DOC converter.

The wave 2 ransomware sample continues execution and checks for the mutex Screenlimitsdevices#77!;, a value that differs from the wave 1 sample’s mutex:
abcdefghijklmnoklmnopqrstuvwxyz01234567890abcdefghijklmnopqrstuvwxyz01234567890

Although we call this malware ransomware based on its behavior, the encrypted files are, in fact, unrecoverable. When comparing wave 2 ransomware samples to wave 1, we notice that both have the same , and both use CreateFile and WriteFile APIs to overwrite files. During the process of execution, wave 2 ransomware attempts to decrypt and execute embedded scripts, malware settings or API function names. The encryption algorithm used is RC4 in both wave 1 and wave 2. However, the RC4 key for decryption in wave 2 has been changed in another attempt to evade detection.

• Wave 1 RC4 key: 8C E4 B1 6B 22 B5 88 94 AA 86 C4 21 E8 75 9D F3
• Wave 2 RC4 key: F0 B4 ED D9 43 F5 C8 43 C9 D0 A2 4F 22 9B BC 3A

It’s worth noting that in both waves, the RC4 decryption method uses CryptoAPI (CryptDecrypt) instead of the usual substitution box method. The intrusion we analyzed in wave 2 indicates that the ransomware was probably deployed over the internal network, possibly from another compromised machine. This is reinforced by the fact that we didn’t see anything else dropped or executed before the ransomware execution, and the ransomware executable name was randomly generated, potentially by the tool the threat actor used to deploy it over the network (e.g., Mellona.exe).

Despite all the changes made in the wave 2 ransomware, the ransom notes remained the same and included political messaging that reflects the geopolitical tensions between Albania and Iran.

Ransom note in both wave 1 and wave 2 ransomware

The wiper – use of Nvidia signing certificate

Similar to the wave 2 ransomware sample, the threat actor made several modifications to the wave 2 wiper malware, probably to evade detection. The three main changes are:

• Modified malware signing
• Embedding of EldoS RawDisk driver inside the wiper malware
• Automatic wiping after driver installation command

Historically, in ZEROCLEARE and DUSTMAN incidents from 2019, the wiper malware and raw disk drivers were not signed and therefore could not directly access the raw disk for speedy data wiping. So, the wipers had to use a third-party loader such as TDL – a signed loader for unsigned drivers – to install the unsigned raw disk driver that allows the wiper malware to directly access the raw disk for wiping data using DeviceControl API methods. However, in the first attack wave targeting Albania, the threat actor signed the wave 1 wiper using the Kuwait Telecommunications Company certificate, thus removing the need for a third-party loader. The speed and automation improvements remind us of previous Shamoon operations in the Middle East.

Since the wave 1 wipers were exposed in July 2022, and likely to avoid static detections, the threat actor used Nvidia’s leaked signing certificate to sign the wave 2 wiper in September 2022, again eliminating the need for a third-party loader for the raw disk driver.

In wave 1, the wiper malware expected to find the raw disk driver in the execution directory or in the system directory. The driver wasn’t dropped by the wiper, and the threat actor likely dropped it using other means. Conversely, in wave 2 the threat actor embedded the signed raw disk driver in the wiper executable, dropped it and then installed it. In addition, the driver being used by the threat actor in wave 2 seems to copy metadata and a few functions from Microsoft’s diskdump.sys crash dump driver^[1] (version 10.0.19041.1682) as another means to avoid detections. The wiping activity starts automatically after the driver installation command; as opposed to the wave 1 wiper, where installation is one step and wiping execution is a second step.

Finally, for the most part, wave 1 and wave 2 wipers remained the same, including the reliance on the same authentication key to access the raw disk driver, and the use of the same DeviceControl API methods, but with one exception, as shown below. It’s worth noting that the method IOCTL_DISK_GET_LENGTH_INFO is exclusive to all Persian-speaking APT wipers.

• Wave 1 wiper DeviceControl API methods:
  • IOCTL_DISK_GET_DRIVE_GEOMETRY_EX
  • IOCTL_DISK_GET_DRIVE_GEOMETRY
  • IOCTL_DISK_GET_LENGTH_INFO
• Wave 2 wiper DeviceControl API methods:
  • IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS (new method in wave 2; used in multiple instances)
  • IOCTL_DISK_GET_DRIVE_GEOMETRY
  • IOCTL_DISK_GET_LENGTH_INFO

Based on our telemetry, we suspect the infections are associated with law enforcement institutions in Albania. This targeting is consistent with the previous wave of cyberattacks affecting the Albanian government during the July 2022 wave of cyberattacks.

Conclusions

In this publication, we discussed the changes made to the second wave of ransomware and wiper samples that targeted Albanian institutions to evade detection and inflict maximum damage.

Aside from the changes made to evade detection in wave 2, we suspect that the threat actors needed an automated and speedy wiper execution. In wave 2, the raw disk driver was embedded inside the malware and the wiping routine started immediately after driver installation, as opposed to the wave 1 procedure. This is reminiscent of Shamoon operations in the Middle East.

Finally, for defenders we can highlight two important elements from the intrusion and malware analysis presented here:

• Monitor for remote software activities such as AnyDesk for unauthorized use
• Always hunt and monitor for expired and/or leaked signing certificates as they can be used by threat actors to load and execute malware

Threat detection

The detection logic has been improved in all our solutions to ensure that our customers remain protected. We continue to investigate this threat using our Threat Intelligence and we will add additional detection logic once they are available.

Our products protect against this threat and detect it with the following names:

• HEUR:Trojan-Ransom.Win32.Agent.gen
• Trojan-Ransom.Win32.Gen.aghh
• Trojan-Ransom.Win64.Agent.dpf
• Trojan.Win32.Agentb.kzkj

Indicators of compromise

File hashes (malicious documents, Trojans, emails, decoys)

Ransomware

Wiper

Driver

Signing certificates serial numbers

^[1] Original, legitimate driver’s MD5 is 015caeec9148194054b5b1de64762a43