Rewterz Threat Alert – DoubleZero Wiper – Active IOCs

Severity

High

Analysis Summary

Threat actors recently launched another attack on Ukraine where a wiper was used to overwrite files and and destroy the infected systems. A file called “Virus … extremely dangerous !!!. Zip” was used to attack the victim systems and was found in the archives. The malicious destructor program was dubbed DoubleZero. It uses two methods to wipe files:

• Overwriting files with zero blocks of 4096 bytes (FileStream.Write method)
• Using API-calls NtFileOpen, NtFsControlFile

First, all non-system files on all disks are overwritten. After that the list of system files on a mask is made, their sorting and the subsequent rewriting in the corresponding sequence is carried out. The following branches of the Windows registry are destroyed: HKCU, HKU, HKLM, HKLM \ BCD. Finally, the computer shuts down. As described in the advisory by CERT-UA

Impact

• Data Loss
• File Encryption
• Financial Loss

Indicators of Compromise

Filename

• Virus[.][.][.]extremelydangerous!!![.]zip
• csrss[.]zip
• cpcrs[.]exe
• csrss[.]exe

MD5

• 36dc2a5bab2665c88ce407d270954d04
• 989c5de8ce5ca07cc2903098031c7134
• 7d20fa01a703afa8907e50417d27b0a4
• b4f0ca61ab0c55a542f32bd4e66a7dc2

SHA-256

• d897f07ae6f42de8f35e2b05f5ef5733d7ec599d5e786d3225e66ca605a48f53
• 8dd8b9bd94de1e72f0c400c5f32dcefc114cc0a5bf14b74ba6edc19fd4aeb2a5
• 3b2e708eaa4744c76a633391cf2c983f4a098b46436525619e5ea44e105355fe
• 30b3cbe8817ed75d8221059e4be35d5624bd6b5dc921d4991a7adc4c3eb5de4a

SHA1

• b658bc902fa8b47475271b5802428d39b4e3297b
• 73581818a30d3fb3e1f9e37de0c3eb55bfc0c236
• 320116162d78afb8e00fd972591479a899d3dfee
• 43b3d5ffae55116c68c504339c5d953ca25c0e3f

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.