Happy Monday Everyone!
Researchers at Cisco Talos "observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling “#PathWiper”". The article states "The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across connected endpoints".
The researchers also provided technical details, some IOCs, the capabilities of the wiper, and some hints at behaviors. In this incident a batch (BAT) file was dropped on the compromised machine and ran a command that leveraged WScript.exe to execute a VBScript (uacinstall.vbs) from the C:\Windows\Temp\ directory. After execution, the PathWiper executable appeared in the C:\Windows\Temp\ directory under the name "sha256sum.exe". So, assuming this is how the malware or actor operates, you can hunt for new scripting files or executables in the C:\Windows\Temp directory, and for WScript.exe launching a script out of that directory. Now this is not a foolproof method, as behaviors (and file names like uacinstall.vbs and sha256sum.exe) can change, but it could be a great start when hunting for this threat! Thank you to the researchers and I hope you enjoy the article! Happy Hunting!
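As an added example (my own, not code from the Talos write-up or from Intel 471), here is a PowerShell hunt that turns the behavior above into three checks on a single Windows host: WScript.exe/CScript.exe launching a .vbs out of C:\Windows\Temp, new script or executable files created in that directory, and a plain filesystem sweep for hosts without Sysmon. It assumes Sysmon is writing Event ID 1 (process creation) and Event ID 11 (file creation) to the default Microsoft-Windows-Sysmon/Operational channel; the seven-day lookback and the extension list are assumptions to tune for your environment.

```powershell
# Added hunting example (not from the Talos article). Assumes Sysmon with Event ID 1
# and Event ID 11 enabled on the default channel. Tune $Since and the extension list.
$Since      = (Get-Date).AddDays(-7)
$StagingDir = 'C:\Windows\Temp\'
$HuntExts   = @('.vbs', '.bat', '.cmd', '.exe', '.ps1', '.js')

function Get-SysmonEventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Read named EventData fields from the XML instead of positional Properties[] indexes,
    # which shift between Sysmon versions.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# Check 1: wscript.exe / cscript.exe executing a VBScript from C:\Windows\Temp
# (the uacinstall.vbs stage described in the article).
$procEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since
} -ErrorAction SilentlyContinue

$suspiciousProcs = foreach ($e in $procEvents) {
    $d     = Get-SysmonEventData $e
    $image = [string]$d['Image']
    $cmd   = [string]$d['CommandLine']
    if ($image -match '\\(w|c)script\.exe$' -and
        $cmd -match [regex]::Escape($StagingDir) -and
        $cmd -match '\.vbs') {
        [pscustomobject]@{
            Time        = $d['UtcTime']
            User        = $d['User']
            ParentImage = $d['ParentImage']   # expect cmd.exe from the dropped BAT; anything else is still worth a look
            Image       = $image
            CommandLine = $cmd
        }
    }
}

# Check 2: new script/executable files dropped into C:\Windows\Temp
# (the sha256sum.exe stage, but matched on location and extension rather than the name).
$fileEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11; StartTime = $Since
} -ErrorAction SilentlyContinue

$suspiciousFiles = foreach ($e in $fileEvents) {
    $d      = Get-SysmonEventData $e
    $target = [string]$d['TargetFilename']
    if ($target -like "$StagingDir*" -and
        ([System.IO.Path]::GetExtension($target).ToLower() -in $HuntExts)) {
        [pscustomobject]@{
            Time           = $d['UtcTime']
            Image          = $d['Image']     # the process that wrote the file, e.g. an admin agent
            TargetFilename = $target
        }
    }
}

# Check 3: no Sysmon? Sweep the directory itself for recently created candidates.
$recentFiles = Get-ChildItem -Path $StagingDir -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Since -and ($_.Extension.ToLower() -in $HuntExts) } |
    Select-Object FullName, CreationTime, Length

"== Script hosts launching .vbs from $StagingDir =="
$suspiciousProcs | Format-Table -AutoSize
"== Script/executable files created in $StagingDir =="
$suspiciousFiles | Format-Table -AutoSize
"== Recent script/executable files currently in $StagingDir =="
$recentFiles     | Format-Table -AutoSize
```

The matching is deliberately on behavior (script host plus staging directory, file type plus staging directory) rather than on the uacinstall.vbs and sha256sum.exe names, since an actor can rename those without changing the technique. Expect some benign hits in C:\Windows\Temp from installers and management agents; the Image and ParentImage columns are there so you can baseline what normally writes to and launches from that directory before escalating anything.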
Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine
https://blog.talosintelligence.com/pathwiper-targets-ukraine/
Intel 471 Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday