ESET themed wiper Targets Israel
Last updated
It all started with an ESET statement on their official X account, in which they said that their partner company in Israel had been hit by a targeted malicious email campaign, which they managed to block within ten minutes.
This attack caught the eye of many researchers and was documented by Costin Raiu, Jiří Vinopa and others.
The attack chain starts with an ESET-themed email carrying an attached archive that contains benign DLLs alongside an ESET-themed "Setup.exe".
The malicious "Setup.exe" serves as an initial dropper that uses the standard PEB-walking technique to retrieve the base addresses of key modules at runtime. This is combined with a custom implementation of "GetProcAddressByName", a function that takes the base address of a module and the name of the target export and searches the module's export table until a match is found.
The dropper relies heavily on encrypted strings, most of which are function names. These are decrypted and passed to "GetProcAddressByName" to retrieve the corresponding address.
The strings are base64-decoded and then XOR-decrypted using the key "Saturday, October 07, 2023, 6:29:00 AM".
The dropper starts by retrieving its own module path and checking whether it is running from the expected location under "Users\Public". This tells it whether it has already been copied to the directory it is meant to run from, and whether the configuration file has already been pulled from the C2 server.
If the path does not contain "Users\Public", the dropper knows it has to relocate itself there and contact the C2 server to fetch the config file.
The domain www.oref.org.il belongs to Israel's National Emergency Portal, which is geo-blocked and serves content only to Israeli IP addresses. The malware uses the HTTP status code of its request to decide whether it is running on an Israeli IP address: a 403 means the request was geo-blocked, i.e. the machine is outside Israel, and the chain does not continue. Only Israeli IP addresses receive the actual content, which restricts infections to Israel.
Interestingly, the malware requests the JSON document served at the path "/alerts/RemainderConfig_eng.json" on that server and uses its first seven characters as the XOR decryption key for the next stages.
After successfully downloading the configuration, the malware renames itself to "SecurityHealthSystray.exe", copies itself to "Users\Public" and relaunches itself with administrative privileges.
The first seven characters of the downloaded JSON ("[{"cat"") are used as the XOR key to decrypt the subsequent stages.
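The following Python script is an added example and is not code from the writeup or from the malware: it reimplements the two decryption steps described above, the base64-then-XOR string protection keyed on the date string, and the next-stage XOR keyed on the first seven bytes of the oref.org.il JSON response, plus the 403-based geofence decision. The sample protected strings, the JSON body and the stage blob are constructed here; the function names are assumptions, since the writeup does not list which APIs are resolved. Key cycling for data longer than the key is also an assumption.

```python
import base64

# XOR key for the dropper's protected strings, as given in the writeup.
STRING_KEY = b"Saturday, October 07, 2023, 6:29:00 AM"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key`. The key is cycled if the data is longer than the
    key; the writeup does not say how the dropper handles that case, so cycling
    is an assumption (it does not matter for short function names)."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_string(blob: str, key: bytes = STRING_KEY) -> str:
    """Undo the dropper's string protection: base64 decode, then XOR."""
    return xor_bytes(base64.b64decode(blob), key).decode("ascii")


def encrypt_string(plain: str, key: bytes = STRING_KEY) -> str:
    """Inverse of decrypt_string; used here only to build constructed samples."""
    return base64.b64encode(xor_bytes(plain.encode("ascii"), key)).decode("ascii")


def geofence_passed(status_code: int) -> bool:
    """www.oref.org.il answers 403 to non-Israeli IPs; only a non-403 status
    lets the infection chain continue."""
    return status_code != 403


def stage_key(json_body: bytes) -> bytes:
    """The next-stage XOR key is the first 7 bytes of the JSON response."""
    if len(json_body) < 7:
        raise ValueError("response too short to derive a key")
    return json_body[:7]


def decrypt_stage(blob: bytes, json_body: bytes) -> bytes:
    """Decrypt a next-stage payload with the key derived from the JSON body."""
    return xor_bytes(blob, stage_key(json_body))


# Constructed samples (not from the malware): protected API names, a JSON body
# shaped like the one the writeup describes, and a stage blob encrypted with it.
SAMPLE_STRINGS = [encrypt_string(s) for s in ("LoadLibraryA", "GetProcAddress", "CreateFileW")]
SAMPLE_JSON = b'[{"cat":"1","title":"test","data":"..."}]'
SAMPLE_STAGE = xor_bytes(b"MZ\x90\x00stage-two-bytes", stage_key(SAMPLE_JSON))

if __name__ == "__main__":
    for blob in SAMPLE_STRINGS:
        print(blob, "->", decrypt_string(blob))
    print("stage key:", stage_key(SAMPLE_JSON))
    print("geofence passed on 403:", geofence_passed(403))
    print(decrypt_stage(SAMPLE_STAGE, SAMPLE_JSON))
```

Because the stage key is whatever the live server returns, a sandbox that is not on an Israeli IP (or that replays a stale JSON whose first seven bytes differ) will not be able to decrypt the later stages; feeding the recorded "[{"cat"" prefix to decrypt_stage reproduces what the malware does on a real Israeli host.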
The wiper, which is dropped and executed by the initial dropper "Setup.exe", has the sole purpose of destroying the files on the machine it runs on. It uses the same obfuscation techniques described above to deobfuscate encrypted strings and to resolve imports at runtime.
Before wiping, the wiper enumerates the available drives using GetLogicalDrives. It then starts at the root directory of each drive and recursively traverses the file system to compile a list of directories for later wiping.
The wiper avoids touching system directories and the payload directory. This is to ensure the system's functionality remains intact during the wiping process while keeping the payload files safe.
While compiling the list of directories to delete, the wiper calls GetSystemInfo to determine the number of logical processors. This value sets the thread count for the wiping process, so the speed scales with the available system resources.
Each thread is assigned a share of the directories computed from the total number of directories and the thread count, which balances the workload across threads. A loop then starts each of the wiping threads.
At the start of the wiping thread function, the name of the target file is checked for the strings "desktop.ini" and "conf.conf". A file whose name contains either string is skipped, which protects the configuration file and desktop.ini.
The wiper uses a file-size-based strategy. Files of 1111 bytes or smaller are completely overwritten with pseudo-random bytes. Files larger than 1111 bytes are overwritten in three iterations, each writing a freshly generated array of 1111 pseudo-random bytes.
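The 1111-byte write pattern has a forensic consequence: for a large file only a few kilobytes are destroyed, so most of its content may still be recoverable. The following Python triage helper is an added example, not code from the writeup, and flags files whose head has been overwritten with random data using Shannon entropy. It assumes the wiper's writes start at offset 0 (the writeup does not state the offsets), so the first 1111 bytes of every touched file are random whether the three passes overlap or follow each other. The text file and the "wiped" copy below are constructed with a fixed random seed, not real victim data.

```python
import math
import random
from collections import Counter

CHUNK = 1111   # block size the wiper writes, per the writeup
PASSES = 3     # iterations for files larger than CHUNK


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_wiped(data: bytes, threshold: float = 7.0) -> bool:
    """True if the first CHUNK bytes are near-random. Assumption: the wiper's
    writes start at offset 0, so the head of a touched file is random no matter
    how the three passes are laid out. Encrypted or compressed files also exceed
    the threshold, so treat a hit as a triage lead, not as proof."""
    head = data[:CHUNK]
    if len(head) < 64:          # too little data for a meaningful estimate
        return False
    return shannon_entropy(head) >= threshold


def untouched_bytes(file_size: int) -> int:
    """Lower bound on the bytes the wiper never writes, under the assumption that
    each pass writes CHUNK bytes either at offset 0 or right after the previous
    pass. Small files are fully overwritten and have nothing left."""
    if file_size <= CHUNK:
        return 0
    return max(0, file_size - PASSES * CHUNK)


# Constructed samples: a plain-text file and the same file after a simulated
# overwrite of its first CHUNK bytes with seeded pseudo-random data.
TEXT_SAMPLE = b"Quarterly report: revenue grew modestly while costs held flat.\n" * 40
_rng = random.Random(1234)
WIPED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(CHUNK)) + TEXT_SAMPLE[CHUNK:]

if __name__ == "__main__":
    for name, blob in (("text", TEXT_SAMPLE), ("wiped", WIPED_SAMPLE)):
        print(name, round(shannon_entropy(blob[:CHUNK]), 2), looks_wiped(blob))
    print("bytes never written in a 1 MiB file:", untouched_bytes(1 << 20))
```

Run over a mounted image, this separates documents whose first 1111 bytes are random (wiped, body probably intact beyond 3333 bytes) from untouched ones; files that were legitimately compressed or encrypted need a second look, for example by checking their magic bytes, because their heads are high-entropy by design.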
The infector is the final payload in the execution chain. It starts by checking whether Microsoft Outlook exists on the infected machine by trying to open the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE". If it does, the infector downloads the archive containing the ESET-themed lure "Setup.exe" from "https://share-center.com/files/Attachment.zip" into "Users\Public" and uses the downloaded archive as the attachment for the Outlook-based email infection.
The downloaded attachment is used by the InfectOutlook function, which begins by creating the email message that will carry the infection, then obtains the address list of the infected organization's environment and adds each address to a hash set to avoid duplicates.
Having compiled the list of recipients, it sends the malicious attachment to each of them with the subject "The Files You Requested" and the body text "Please find attached the files you requested.\n\nRegards,".
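The fixed subject and body make the internal spreading emails easy to match at a mail gateway or in a mailbox export. The Python snippet below is an added example, not code from the writeup or from the infector: it parses a raw RFC 822 message with the standard library and flags the combination of that subject, that body phrase and a .zip attachment. Requiring the .zip is an assumption based on the infector always attaching the downloaded archive; the two sample messages are constructed here, not captured from the campaign.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Lure characteristics reported in the writeup.
LURE_SUBJECT = "The Files You Requested"
LURE_BODY_PHRASE = "Please find attached the files you requested."
LURE_ATTACHMENT = "Attachment.zip"


def lure_indicators(raw: str) -> dict:
    """Parse a raw RFC 822 message and pull out the fields the lure is known by."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    return {
        "subject": str(msg.get("Subject", "")).strip(),
        "body": body,
        "attachments": [a.get_filename() or "" for a in msg.iter_attachments()],
    }


def is_lure(raw: str) -> bool:
    """Subject and body phrase together identify the campaign; a .zip attachment
    is required because the infector always ships the downloaded archive."""
    ind = lure_indicators(raw)
    has_zip = any(name.lower().endswith(".zip") for name in ind["attachments"])
    return ind["subject"] == LURE_SUBJECT and LURE_BODY_PHRASE in ind["body"] and has_zip


def _build(subject: str, body: str, attachment: Optional[bytes], filename: str = "") -> str:
    """Build a constructed sample message (not a real captured email)."""
    msg = EmailMessage()
    msg["From"] = "user@example.com"
    msg["To"] = "colleague@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application", subtype="zip", filename=filename)
    return msg.as_string()


# Constructed samples: one shaped like the spreading email, one benign.
LURE_SAMPLE = _build(
    LURE_SUBJECT,
    "Please find attached the files you requested.\n\nRegards,\n",
    b"PK\x03\x04placeholder-not-a-real-archive",
    LURE_ATTACHMENT,
)
BENIGN_SAMPLE = _build("Lunch on Friday?", "Are you free at noon?\n", None)

if __name__ == "__main__":
    for name, raw in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, lure_indicators(raw)["attachments"], is_lure(raw))
```

Because the infector sends from a compromised internal mailbox to the organization's own address list, sender reputation will not catch these messages; the subject/body/attachment triple is the practical hook, and a gateway rule should also quarantine the attachment for the Setup.exe-plus-DLLs layout described at the top of the page.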
Finally, it checks for the presence of an Active Directory forest and attempts to spread through it as well.
Setup.exe
C:\Users\Public\SecurityHealthSystray.exe
C:\Users\Public\csrs.exe
C:\Users\Public\MicrosoftEdge.exe
C:\Users\Public\image.jpg
C:\Users\Public\video.mp4
1a94aa9f393b7d8391a64c68ddb28feb - Initial dropper (C/C++)
C99D1339030A80567E8004B44B9FF924 - Wiper (C/C++)
D0BFCC47A04F59C39A08A47A5F9B3B87 - Infector (.NET)
www[.]oref.org.il
https[:]//share-center[.]com/files/Attachment.zip