Aliases: No associated aliases
Use the following free Microsoft software to detect and remove this threat:
- Windows Defender Antivirus for Windows 8.1 and Windows 10, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
You should also run a full scan. A full scan might find hidden malware.
Use cloud protection
Use cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender for Windows 10.
Go to All settings > Update & security > Windows Defender and make sure that your Cloud-based Protection setting is turned On.
Get more help
If you’re using Windows XP, see our Windows XP end of support page.
The dropper contains the other components of the attack, encoded in its resources as fake bitmap images. The decryption keys and offsets are hard-coded in the sample.
When decoded, the files are:
- PKCS12 – Wiper component
- PKCS7 – Communication module
- X509 – 64-bit variant of this dropper
We have observed that the dropper contains hard-coded credentials, which it uses to propagate across the local network.
It first tries to start the Remote Registry service of the PC it is trying to copy itself to, then uses RegConnectRegistryW to connect to it.
It then attempts to disable the User Account Control (UAC) remote restrictions by setting the LocalAccountTokenFilterPolicy registry value to 1. Once that value is modified, it connects to the target system and drops itself into the following locations, then either creates a remote service called “ntssv” or a scheduled task:
- \system32\ntssrvr32.exe or
The dropper installs the wiper components contained in its resource section under “\system32\<random name>.exe”.
During our analysis, it used the name “event.exe”, but static analysis shows it can use several other names like:
The wiper component itself also contains encoded files in its resources as fake bitmap images. The first one is a driver that it saves under “\system32\drivers\drdisk.sys” and installs by creating a service pointing to it with “sc create” and “sc start”. This driver is the exact same driver used in the 2012 attacks, namely the RawDisk driver from Eldos Corporation. It provides direct access to disks and partitions, allowing the wiper to write data even to protected locations like the MBR.
The other encoded resource is an image file, which is a famous picture referring to the Syrian refugee crisis. It appears that the wiper uses that picture to overwrite locations listed in:
Typical user folders like:
We have seen this threat use the following command to reboot the system so that it is left in an unusable state:
- shutdown -r -f -t 2
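The propagation, driver-installation and reboot behaviour described above leaves distinctive traces in endpoint telemetry. The following is an added example (not Microsoft's own tooling) of detection logic for those traces, run over a few constructed event records; the event field names and the registry path of LocalAccountTokenFilterPolicy (its standard location under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) are assumptions for the example.

```python
import re

# Constructed sample telemetry (not real captures), loosely shaped like
# endpoint registry/service/process events.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy",
     "data": "1"},
    {"type": "service_create", "name": "ntssv",
     "image": r"C:\Windows\system32\ntssrvr32.exe"},
    {"type": "process_create",
     "cmdline": r"sc create drdisk type= kernel binPath= C:\Windows\system32\drivers\drdisk.sys"},
    {"type": "process_create", "cmdline": "shutdown -r -f -t 2"},
    # Benign records that must not fire.
    {"type": "service_create", "name": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
    {"type": "process_create", "cmdline": "shutdown -r -t 300"},
]

# File names the analysis above ties to the dropper and the RawDisk driver.
DROPPED_FILES = ("ntssrvr32.exe", "ntssrvr64.exe", "drdisk.sys")


def check_event(ev):
    """Return a finding for one event, or None if it matches no indicator."""
    kind = ev.get("type")
    if kind == "registry_set":
        # UAC remote restrictions disabled ahead of remote copy / service creation.
        if ev["path"].lower().endswith("localaccounttokenfilterpolicy") and ev.get("data") == "1":
            return "UAC remote restrictions disabled (LocalAccountTokenFilterPolicy=1)"
    elif kind == "service_create":
        name = ev.get("name", "").lower()
        image = ev.get("image", "").lower()
        if name == "ntssv" or image.endswith(DROPPED_FILES):
            return f"suspicious service {ev['name']} -> {ev['image']}"
    elif kind == "process_create":
        cmd = ev.get("cmdline", "").lower().strip()
        # Driver service installed through sc create / sc start.
        if re.search(r"\bsc\s+(create|start)\b", cmd) and "drdisk" in cmd:
            return "RawDisk driver service installed via sc (drdisk.sys)"
        # Forced reboot with a 2-second timeout, exactly as used by the wiper.
        if re.fullmatch(r"shutdown\s+-r\s+-f\s+-t\s+2", cmd):
            return "forced reboot used by the wiper (shutdown -r -f -t 2)"
    return None


def scan_events(events):
    """Run every event through check_event and keep only the findings."""
    return [f for f in (check_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```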
Analysis by Mathieu Letourneau
The following can indicate that you have this threat on your PC:
- The data on your PC is wiped
- You cannot use your PC
- You see the file \system32\ntssrvr32.exe or \system\ntssrvr64.exe, or any of the following files in your \system32 folder: