This Joint Indicator Bulletin (JIB)1 is the result of efforts between the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC)/United States Computer Emergency Readiness Team (US-CERT) and the Federal Bureau of Investigation (FBI) to highlight known cyber threat indicators.
The US-CERT and the FBI are providing the following information with HIGH confidence: Destructive malware was used, and may currently be in use, by unknown computer network exploitation (CNE) actors. This malware has the capacity to overwrite a victim host’s master boot record (MBR) and all data files. Subsequent attempts to recover data using standard forensic methods will be difficult, costly, and potentially impossible.
In late November 2014, employees of a U.S. business experienced defacement on their computer desktops when employees logged in to their workstations. The defacement indicated that the malicious activity would continue and the U.S. business’ data would be released publicly. Later that day, the malware propagated through the company’s global network, and the network was ultimately taken offline.
US-CERT and the FBI are providing the following information with HIGH confidence:
This group uses some custom tools that should be flagged immediately upon detection, reported to the FBI, and given highest mitigation priority. The aforementioned actors have used identified domain names and IP addresses as source and/or destination IP addresses. The FBI is distributing the indicators associated with a successful attack to enable network defense activities and reduce the risk of similar attacks in the future. The FBI has high confidence that these indicators are being used by CNE actors for further network exploitation. The FBI recommends that your organization help victims identify and remove the malicious code. Below are descriptions of malware and associated signatures:
The malware was designed to propagate throughout the network via Windows file shares which are often enabled by default, if not enabled, the malware has the ability to turn on remote sharing of the windows system directory and begin wiping process. After each successful deployment of the wiper to a remote file-system, the malware reports its status back to several command and control (C2) IP addresses. The wiper component contained three different methods for erasing files on the remote host’s physical drive accessed via a device driver, local wiping of files by searching for files on disk, and remote wiping of files via the network share. The two dropped files which did not contain wipers or configuration files may have been used for testing of the implant.
