- the Project inspired from German naval tactic
Wolfpackin WW2 ,The idea is to attack the target on convoys , the malware contain some shellcodes that created by pro-russian threat actors
- the malware target Ukraine by default you can choose other countries from the macro list in header file or create new one if it does not exist .
- It has to be run as Administrator in order to work in the next updates il make it escalate privilege by abusing some undocumented APIs , the shellcodes has been modified for this task so they get executed from the very beginning.
- after running this malware the recovery will be impossible
- in the first the program will Retrieves your geographical location using GetUserGeoID and compare it with
UKRif the comparation evaluate to TRUE then it will Set the process as critical using undocumented API RtlSetProcessIsCritical and jump to stage 2
-
RtlSetProcessIsCritical makes the process critical, any attempt to terminate it will BSOD the system (Blue Screen of Death) , although it can be bypassed easily using NtSetInformationProcess by injecting a DLL into it , i made PoC of it check it out from here BypassRtlSetProcessIsCritical
-
before doing any malicious activity ive used a technique to hide control flow using Exception Handlers , We register an exception handler (structured or vectored) which raises another exception which is passed to the next handler which raises the next exception, and so on. Finally, the sequence of handlers should lead to the procedure that we wanted to hide.
Loadinggraph TD; L1-->L2; L2-->L3; L3-->ENTRY;
-
C/C++ Code
void LABEL1()
{
__try
{
__asm int 3;
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
LABEL2();
}
}
void LABEL3()
{
__try
{
__asm int 3;
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
MaliciousEntry();
}
}
void LABEL2()
{
__try
{
__asm int 3;
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
LABEL3();
}
}
- the program will Retrieves a handle to Resources that contain our shellcodes in memory then put them in array of HGLOBAL .
- then it will injecting the first 2 wipers in other processes using Process Injection technique the first 2 shellcodes will not only overwrite the MBR, but goes further: walking through many structures of the filesystem and corrupting all of them, also Disable VSS if enabled and overwrite individual files with random data using EaseUS Partition Manager Drivers
-
OpenProcess API
Opens an existing local process object and return an open handle to the specified process.****
Parameters
[in] dwDesiredAccessThe access to the process object. This access right is checked against the security descriptor for the process. This parameter can be one or more of the process access rights.
If the caller has enabled the SeDebugPrivilege privilege, the requested access is granted regardless of the contents of the security descriptor.
[in] bInheritHandleIf this value is TRUE, processes created by this process will inherit the handle. Otherwise, the processes do not inherit this handle.
[in] dwProcessIdThe identifier of the local process to be opened.
If the specified process is the System Idle Process (0x00000000), the function fails and the last error code is
ERROR_INVALID_PARAMETER. If the specified process is the System process or one of the Client Server Run-Time Subsystem (CSRSS) processes, this function fails and the last error code isERROR_ACCESS_DENIEDbecause their access restrictions prevent user-level code from opening them.If you are using GetCurrentProcessId as an argument to this function, consider using GetCurrentProcess instead of OpenProcess, for improved performance.
-
VirtualAllocEx API
Reserves a region of memory within the virtual address space of a specified process, The function initializes the memory it allocates to zero and return the base address of the allocated memory .
-
WriteProcessMemory API
Writes data to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.****
-
CreateRemoteThread API
Creates a thread that runs in the virtual address space of another process and return a handle to the new thread.
- the second wave of the 3 shellcodes that will be injected using Thread-Hijack technique first one of them will iterate through all folders and files residing on local fixed drives and verifying that they are not whitelisted. then compares subkeys located within the wht configuration key to the folder name or file extension , the remaining shellcodes will do same job as the first wave
- Thread Hijacking is similar to the previous technique but ****instead of creating new remote thread it hijack an existing one
- if an error or the injection failed during the injection parts the program will trigger KamiKaze Function basically the program will inject itself with the shellcodes then exit continue to know what will happen when the exit function called .
- when the program exit meaning the system will crash with error code
CRITICAL_PROCESS_DIEDcause the process already set to critical .
-
the combination of fragmentation and wiping and encrypting of required structures and files
would be enough to makerecovery almost impossible.
-
Message shown after rebooting the system