Cortex XDR Protections Against Malware Associated with Ukraine and Russia Cyber Activity

This post is also available in: 日本語 (Japanese)

In the wake of Ukraine-Russia related cyber activities, our customers are asking us about Cortex XDR protection and detection mechanisms in place. As of March 8, Cortex XDR blocks all publicly known attacks associated with Ukraine and Russia cyber activity. This blog post describes what has been seen to date and the Cortex XDR security measures that safeguard customers. We will continue to update this post with new information as the situation unfolds.

Cortex XDR protects customers from the following attacks and malware families linked to the Ukraine and Russia cyber activity:

  • HermeticWiper (also known as Foxblade)
  • HermeticWizard
  • HermeticRansom (also known as SonicVote)
  • IsaacWiper
  • WhisperGate - Both variants
  • Gamaredon
  • Outsteel
  • SaintBot
  • CaddyWiper
  • Putin ransomware
  • Cyclops Blink

HermeticWiper, HermeticWizard and HermeticRansom

On Feb. 23, malware referred to as HermeticWiper was uploaded to a public malware repository from an organization in Kyiv, Ukraine. This executable is a signed file with a valid signature from an organization named Hermetica Digital Ltd. When executed, this malware enumerates all files on a hard drive, destroys the master boot record and forces a system reboot.

HermeticWizard is a worm first observed on Feb. 23 that spreads HermeticWiper across hosts in a local network using Windows Management Instrumentation (WMI) and Server Message Block (SMB) services.

HermeticRansom is ransomware that encrypts files based on file extension. Attackers may have used it as a diversionary tactic to carry out HermeticWiper attacks.

Cortex XDR blocks HermeticWiper, HermeticWizard, and HermeticRansom with Behavioral Threat Protection, Local Analysis, and Yara rules. More specifically, Behavioral Threat Protection blocks HermeticWiper by detecting dropper activity, blocking the revoker Hermetica Digital certificate and blocking malicious attempts to overwrite a host’s drive partition.

IsaacWiper

Another wiper, referred to as IsaacWiper, was discovered in a Ukrainian government organization on Feb. 24, 2022. Designed for Windows endpoints, it is simpler than HermeticWiper and it does not include an Authenticode signature or use benign drivers for partition corruption.

Cortex XDR prevents IsaacWiper attacks with endpoint protection rules designed explicitly to stop IsaacWiper. Cortex XDR also blocks RemCom, a remote access tool sometimes deployed along with IsaacWiper, with a greyware verdict through its native integration with WildFire cloud-based malware prevention service.

WhisperGate

The Ukrainian government and other Ukrainian organizations were targeted with destructive malware, called WhisperGate, in January. WhisperGate is computer network attack (CNA) malware that attempts to delete Microsoft Windows Defender and corrupt files on the target. It consists of two samples: One appears as ransomware while the other is a beaconing implant used to deliver an in-memory Microsoft Intermediate Language (MSIL) payload. The in-memory code uses legitimate applications and utilities already installed on endpoints to evade detection and it will not detonate when it detects certain monitoring and security tools.

Cortex XDR prevents this malware family from executing using AI-based local analysis, Behavioral Threat Protection, master boot record protection module, and the ransomware protection module.

Gamaredon Attack Samples

Gamaredon (aka Primitive Bear), is one of the most active advanced persistent threats targeting Ukraine. For nearly a decade, the Gamaredon group has launched attack campaigns against Ukrainian government officials and organizations. On Nov. 4, 2021, the Security Service of Ukraine (SSU) publicly attributed the leadership of the group to five Russian Federal Security Service (FSB) officers assigned to posts in Crimea and released an updated technical report documenting the tools and tradecraft of this group.

Cortex XDR protects against the various malware used by Gamaredon through Behavioral Threat Protection and local analysis. In addition, Cortex XDR detects adversary tactics and techniques associated with Gamaredon.

Outsteel

Unit 42 observed an attack targeting an energy organization in Ukraine using the OutSteel tool on Feb. 1, 2022. CERT-UA publicly attributed the attack to a UAC-0056 threat group.

The OutSteel tool is a simple document stealer. It searches for potentially sensitive documents based on their file type and exfiltrates files to a remote server. Analysis by Unit 42 suggests that the threat group may be collecting data on Ukraine government organizations and companies involved with critical infrastructure.

Cortex XDR blocks OutSteel malware through its seamless integration with WildFire and with Behavioral Threat Protection.

SaintBot

The threat group behind OutSteel delivered it along with SaintBot, a malicious downloader, in a phishing email sent to an employee at an energy organization. SaintBot allows threat actors to download and run additional tools on the infected system. SaintBot provides persistent access to a targeted system while granting the ability to further their attack.

Cortex XDR Blocks SaintBot with Behavioral Threat Protection. In addition, it can detect unusual activities such as process queue APC (Asynchronous Procedure Call) injection and uncommon local scheduled task creation with Analytics BIOC alerts.

CaddyWiper

CaddyWiper, discovered on March 14, destroys user data and partition information from attached drives, including network mapped drives. The CaddyWiper software first checks to see if the system is a domain controller before wiping files. If the system is not a domain controller, then CaddyWiper will overwrite files and then destroy the partition tables.

Cortex XDR blocks CaddyWiper with WildFire, Yara rules, and anti-ransomware module, a security engine that detects and stops unauthorized changes—in this case file overwrites—to legitimate files.

Putin Ransomware

First observed in Poland by MalwareHunterTeam, this ransomware encrypts files and appends the file extension “.putinwillburninhell” and then attempts to encrypt files The ransomware also creates a ransom note that displays a message about the current crisis in Ukraine, but the ransom note does not attempt to collect payments.

Cortex XDR blocks the ransomware with WildFire, Behavioral Threat Protection, and Yara rules.

Cyclops Blink

Cybersecurity agencies in the U.S. and U.K. published a security advisory about new malware, called Cyclops Blink, associated with the Sandworm threat actor group. The malware targets Linux-based network devices, and appears to be a replacement for the VPNFilter malware discovered in 2018.

Multiple agencies including the National Security Agency have attributed Sandworm to Russian GRU military intelligence service and linked it to the BlackEnergy and NotPetya attacks, which also targeted Ukrainian organizations.

Cortex XDR detects Cyclops Blink malware using WildFire cloud-based malware prevention service. However, since the malware is built for 32-bit PowerPC computer architectures, it would not execute or cause damage to Linux endpoints with the Cortex XDR agent.

Cortex XDR in Customer Environments

Over the past few weeks, customers have contacted us to report their experiences testing or defending against recent attacks, and informing us that Cortex XDR successfully protected them against attacks, including wiper malware samples.

The Cortex XDR agent offers proven protection in AV-Comparative EPR testing with a multi-method protection approach that includes: technique-based exploit prevention, global threat intelligence, AI-driven local analysis, Behavioral Threat Protection, integration with WildFire malware prevention, anti-ransomware protection, and more. Cortex XDR also provides leading protection against advanced persistent threat groups such as APT 29 (also known as Cozy Bear), as demonstrated in the MITRE ATT&CK round 2 evaluation.

The Cortex XDR Behavioral Threat Protection and AI-driven local analysis capabilities block the vast majority of attacks linked to Russia and Ukraine cyber activity because they detect malware behavior by using behavioral rules and machine learning models that examine thousands of file characteristics together. They also provide stronger resistance to evasion techniques than signature or hash or other IOC-based detection when adversaries modify how the malware is delivered by recompiling the samples, changing the filenames, how it’s packaged, or other simple changes. As a result, Cortex XDR provides more resilient protection against these attacks as they evolve.

See our technical documentation to learn more about these and the rest of Cortex XDR’s multi-method protection capabilities. We will also discuss our latest protections against malware families like HermeticWiper in our Cortex XDR 3.2 customer webinar on March 15.

Conclusion

For Palo Alto Networks, our number one goal is to keep customers protected with the best technology and research. The Cortex XDR research team has collaborated with the Unit 42 threat research team to gather, analyze and share up-to-date intelligence about Ukraine and Russia. Both Cortex XDR researchers and our Unit 42 intel experts are monitoring the latest information from across our global network of threat intelligence and telemetry. We will continue to monitor the latest international cybersecurity activities to ensure our products and services provide our customers with the best protection available.

References:

https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/
https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/
https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/
/russia-ukraine-cyber-resources
https://register.paloaltonetworks.com/unit42briefingrussiaukraine