In our last GTsST release, we looked at GTsST: Sandworm Team. That chain highlighted both a privilege escalation and a persistence technique.
For this week’s TTP Tuesday, we’re releasing a new GTsST-themed chain centered around Iron Viking in cooperation with Sandworm, both sub-teams of GTsST, and their destructive attack against Ukraine on April 8th, 2022. This attack was split into two parts, one on the IT network and the other on the ICS network. We focused on the IT network attack, which consisted of AWFULSHRED, ORCSHRED, and SOLOSHRED. AWFULSHRED is a Linux worm that installs either ORCSHRED or SOLOSHRED. The main difference between the two is the operating system.
As we know, GTsST is a destructive APT group. They tend to use highly destructive malware with no intention of exfiltrating data or ransoming their victims. This attack was no different: it was a Linux worm whose main purpose was to act as a wiper. The machines would be wiped in order to disrupt the Ukrainian defensive cyber teams, especially during a time of war against Russia.
The Iron Viking team constructed an SSH worm with multiple parts. First, it checks whether the script was run with the "owner" flag. If the owner flag exists, it won't infect the current machine and will instead attempt to spread right away using SSH credentials that ESET and CERT-UA believed the attackers had prior to the attack. In the Prelude-developed chain, we decided against a word list; instead, we enumerate the machine for SSH keys and spread the worm using those specific keys. This proves to be more impactful, as most networks disable password authentication and use private-key authentication instead.
After infecting the machine, we deploy the original defanged wiper used by GTsST. This wiper goes by the name ORCSHRED and is lightly obfuscated. Many variables and values are replaced with meaningless 8-character values. The script ultimately destroys the drives using the shred utility, or dd if shred is not available. If there are multiple drives, it wipes them in parallel. Depending on the size, it may take hours for the full disk to be completely erased. To render the system inoperable faster, it first tries to stop and disable HTTP and SSH services, then proceeds with wiping the drives.
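A defender-side check for the wiper behaviour described above, as an added example that is not part of the original post or of the Prelude chain: it triages process-execution records per host and escalates when a raw block-device overwrite with shred or dd follows an attempt to stop or disable HTTP/SSH services. The record format, the service unit names, the device-name patterns and the sample command lines are all assumptions constructed for illustration.

```python
import re
import shlex

# Constructed process-execution records (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("web01", "systemctl stop apache2"),
    ("web01", "systemctl disable ssh"),
    ("web01", "shred -n 1 /dev/sda"),
    ("web01", "shred -n 1 /dev/sdb"),
    ("db02", "dd if=/dev/zero of=/tmp/swapfile bs=1M count=512"),
    ("db02", "systemctl stop nginx"),
    ("bk03", "dd if=/dev/urandom of=/dev/nvme0n1 bs=4M"),
    ("dev04", "shred -u /home/alice/notes.txt"),
]

# Assumed unit names for HTTP and SSH services; adjust per distribution.
SERVICES = {"ssh", "sshd", "apache2", "httpd", "nginx"}
# Whole disks or partitions; ordinary files under other paths do not match.
BLOCK_DEV = re.compile(
    r"^/dev/(sd[a-z]+|vd[a-z]+|xvd[a-z]+|hd[a-z]+|nvme\d+n\d+|mmcblk\d+)(p?\d+)?$")

def classify(cmd):
    """Return 'service_kill', 'disk_overwrite' or None for one command line."""
    argv = shlex.split(cmd)
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]          # tolerate absolute paths
    if tool == "systemctl" and {"stop", "disable"} & set(argv[1:]):
        units = {a.replace(".service", "") for a in argv[2:]}
        return "service_kill" if units & SERVICES else None
    if tool == "shred":
        targets = [a for a in argv[1:] if not a.startswith("-")]
    elif tool == "dd":
        targets = [a[3:] for a in argv[1:] if a.startswith("of=")]
    else:
        return None
    return "disk_overwrite" if any(BLOCK_DEV.match(t) for t in targets) else None

def triage(events):
    """Per host: 'critical' if a raw-device overwrite follows a service kill,
    'high' for a raw-device overwrite alone; other hosts are omitted."""
    killed, verdict = set(), {}
    for host, cmd in events:
        kind = classify(cmd)
        if kind == "service_kill":
            killed.add(host)
        elif kind == "disk_overwrite" and verdict.get(host) != "critical":
            verdict[host] = "critical" if host in killed else "high"
    return verdict

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Because a full-disk overwrite can take hours, an alert raised at the first matching command still leaves time to isolate the host before the drives are completely erased.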
Ukraine is once again at the center of cyberattacks targeting its critical infrastructure. Ukraine has suffered multiple waves of wipers that have been targeting various sectors. ESET and CERT-UA will continue to monitor for more activity, as this is a major attack against critical infrastructure.
Watch a demonstration: GTsST IronViking AWFULSHRED.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg