Kaspersky researchers have discovered a data wiper, dubbed as CryWiper, that was employed in destructive attacks against the Russian government entities.
Researchers, after the analysis found the malware masquerades as a ransomware and extorts money from the victim for decrypting data, does not actually encrypt but purposefully destroys data in the affected system The analysis of the Trojan’s program code showed that this was not a developer’s mistake but his original intention.
The analyzed CryWiper sample is a Windows 64-bit executable that was written in C++ and compiled using the MinGW-w64 toolkit and the GCC compiler. This development process for C/C++ malware developers for Windows is unusual.
Once executed, CryWiper uses the Task Scheduler and the schtasks create command to create a task to run its file every 5 minutes.
The wiper contacts the C&C server using an HTTP GET request and passes the name of the infected system as a parameter. The C2, in turn, responds with either a “run” or “do not run” command in order to determine if the malware has to start.
Once receiving a run response, CryWiper stops processes related to MySQL and MS SQL database servers, MS Exchange mail server, and MS Active Directory web services using the taskkill command. This action unlocks files used by the above legitimate applications before encrypting them.
The wiper also deletes shadow copies on the compromised machine to prevent victims from restoring the wiped files. The wiper generates a sequence of data using the pseudo-random number generator Mersenne Vortex overwrite the original file content.
It appends the .CRY extension to the files it has corrupted and drops ransom notes demandimg for 0.5 Bitcoin for the decrypted.
Indicators of Compromise