GTsST Iron Viking AWFULSHRED

Iron Viking/Sandworm Team were able to deploy a worm that spread across Ukrainian critical infrastructure. This worm had the sole goal of wiping those machines. It didn't make it far because of its spreading method, but it is very powerful in nature.

TTP Tuesday: GTsST: Iron Viking

Linux SSH worm and wiper

Theme Overview

In our last GTsST release we looked at GTsST: Sandworm Team. That chain highlighted both a privilege escalation and a persistence technique.

For this week's TTP Tuesday, we're releasing a new GTsST-themed chain centered around Iron Viking in cooperation with Sandworm, both sub-teams of GTsST, and their destructive attack against Ukraine on April 8th, 2022. This attack was split in two: one part on the IT network and the other on the ICS network. We focused on the IT network attack, which consisted of AWFULSHRED, ORCSHRED, and SOLOSHRED. AWFULSHRED is a Linux worm that installs either ORCSHRED or SOLOSHRED; the main difference between the two is the operating system.

Intentions

As we know, GTsST is a destructive APT group. They tend to deploy highly destructive malware with no intention of exfiltrating data or ransoming their victims. This was no different: the attack used a Linux worm whose main purpose was to act as a wiper. The machines would be wiped in order to cause disruptions to the Ukrainian defensive cyber teams, especially during a time of war against Russia.

SSH Worm

The Iron Viking team constructed an SSH worm with multiple parts. First, it checks whether the script was run with the "owner" flag. If the owner flag exists, it won't infect the current machine and will instead attempt to spread right away using SSH credentials that ESET and CERT-UA believe the attackers had prior to the attack. In the Prelude-developed chain, we decided against a word list and instead enumerate the machine for SSH keys and spread the worm using those specific keys. This proves more impactful, as most networks disable password authentication and use private-key authentication instead.

Wiper

After infecting the machine, we deploy the original defanged wiper used by GTsST. This wiper goes by the name ORCSHRED and is lightly obfuscated: many variables and values are replaced with meaningless 8-character strings. The script ultimately destroys the drives using the shred utility, or dd if shred is not available. If there are multiple drives, it wipes them in parallel. Depending on their size, it may take hours for a full disk to be completely erased. To render the system inoperable faster, it first tries to stop and disable the HTTP and SSH services, then proceeds with wiping the drives.
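The service-stop-then-wipe ordering described above is a useful detection handle. The following is an added example written for this post (it is not Prelude's chain code and not the ORCSHRED script); it assumes a constructed, simplified process-execution log of the form "<timestamp> <host> <uid> <command line>" and flags hosts where an SSH/HTTP service stop is followed within a window by shred or dd aimed at a whole block device.

```python
"""Detection sketch for ORCSHRED-style behaviour: stop SSH/HTTP, then shred/dd the disks.
Assumes a constructed log format: <ISO timestamp> <host> <uid> <command line>."""
from datetime import datetime, timedelta
import re

# Constructed sample telemetry (not real logs). srv1 mirrors the described sequence,
# srv2 is benign admin activity, srv3 wipes 20 minutes after the service stop.
SAMPLE_LOG = """\
2022-04-08T09:59:40Z srv1 0 systemctl stop sshd
2022-04-08T09:59:41Z srv1 0 systemctl disable sshd
2022-04-08T09:59:42Z srv1 0 systemctl stop apache2
2022-04-08T09:59:45Z srv1 0 shred -n 1 -v /dev/sda
2022-04-08T09:59:45Z srv1 0 shred -n 1 -v /dev/sdb
2022-04-08T10:30:00Z srv2 0 systemctl restart sshd
2022-04-08T10:31:00Z srv2 1000 dd if=/dev/zero of=/tmp/testfile bs=1M count=10
2022-04-08T11:00:00Z srv3 0 systemctl stop nginx
2022-04-08T11:20:00Z srv3 0 dd if=/dev/zero of=/dev/nvme0n1 bs=4M
"""

# A stop/disable of a remote-access or web service (the wiper's first step).
SERVICE_STOP = re.compile(r"^(systemctl|service)\s+(stop|disable)\s+(ssh|sshd|httpd|apache2|nginx)\b")
# shred, or dd with of=, pointed at a whole block device rather than a regular file.
DISK_WIPE = re.compile(r"^(shred\b.*\s|dd\b.*\bof=)(/dev/(sd[a-z]+|vd[a-z]+|xvd[a-z]+|nvme\d+n\d+))\b")


def parse(line):
    ts, host, uid, cmd = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, int(uid), cmd


def detect_wiper(log_text, window_s=300):
    """Return {host: [devices]} for hosts where a service stop was followed within
    window_s seconds by shred/dd against a block device. Stops and wipes that run
    in parallel on several drives each add a device to the host's list."""
    window = timedelta(seconds=window_s)
    last_stop = {}   # host -> time of most recent qualifying service stop
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _uid, cmd = parse(line)
        if SERVICE_STOP.match(cmd):
            last_stop[host] = ts
            continue
        m = DISK_WIPE.match(cmd)
        if m and host in last_stop and ts - last_stop[host] <= window:
            alerts.setdefault(host, []).append(m.group(2))
    return alerts


if __name__ == "__main__":
    print(detect_wiper(SAMPLE_LOG))            # srv1 only with the 5-minute window
    print(detect_wiper(SAMPLE_LOG, 30 * 60))   # widening the window also catches srv3
```

Because the real wiper can take hours per disk, the correlation window is the main tuning knob: too short and a delayed wipe (srv3) is missed, too long and routine maintenance followed by legitimate disk work becomes noise.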

Impact

Ukraine is once again at the center of cyberattacks targeting its critical infrastructure. Ukraine has suffered multiple waves of wipers targeting various sectors. ESET and CERT-UA will continue to monitor for more activity, as this is a major attack against critical infrastructure.

Thanks for reading!

Watch a demonstration: GTsST IronViking AWFULSHRED.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman



TTPs

Check if machine has already been infected
Stage Wiper
Schedule Wiper Execution
Enumerate ssh keys
Determine network interface configuration tool
Network scan for available machines
Generate a random name for agent
Spread worm using private keys found on the machine
Queue chain on infected machines

Tags

destructive