UPDATE January 19: Updated Coverage section about the third malware that FortiGuard Labs has confirmed as a wiper malware.

FortiGuard Labs is aware of a report that multiple organizations in Ukraine were impacted by destructive malware. The malware looks like ransomware at first glance; however, it does not have the telltale signs of ransomware. It overwrites the victim's Master Boot Record (MBR) and files with specific file extensions without any recovery mechanism, which is enough to classify it as destructive wiper malware.

Why is this Significant?

This is significant because the attack involves wiper malware that destroys the victim's MBR and certain files without any recovery mechanism.

How Widespread is the Attack?

At this point, the attack has only affected multiple unnamed organizations in Ukraine.

What are the Details of the Attack?

The initial attack vector has not yet been identified.

This attack involves three pieces of malware.

The first overwrites the victim's Master Boot Record (MBR), which makes the Windows OS unbootable, and leaves a ransom note that reads:

Your hard drive has been corrupted.
In case you want to recover all hard drives
of your organization,
You should pay us $10k via bitcoin wallet
1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via
tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65
with your organization name.
We will contact you to give further instructions.

The second malware simply downloads a wiper malware hosted on a Discord channel and executes it.

The wiper malware searches for and overwrites files with the following file extensions on the victim's machine:

.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU.SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP

It also changes the file extension of each affected file to a random four-byte extension.

What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against the malware involved:

W32/KillMBR.NGI!tr
MSIL/Agent.FP!tr.dldr
MSIL/Agent.QWILJV!tr
W32/KillFiles.NKU!tr.ransom
MSIL/VVH!tr

The following AV coverage is available for the third malware, which FortiGuard Labs has confirmed as a wiper malware:

MSIL/Agent.VVH!tr
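The file-corruption behaviour described above (targeted extensions overwritten, then renamed to a random four-byte extension) gives defenders a simple hunting signal: a burst of renames in which files of the targeted types gain an unfamiliar four-character extension. The sketch below is an added example, not FortiGuard code; it assumes file-rename telemetry in the shape (timestamp, host, old path, new path), uses a subset of the advisory's extension list, and runs over constructed sample events.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the extensions the advisory lists; the full list can be dropped in, upper-cased.
TARGETED_EXTENSIONS = {".DOCX", ".XLSX", ".PDF", ".SQL", ".VMDK", ".BAK", ".KDBX", ".PEM", ".PST", ".TXT"}

# The wiper gives each overwritten file a random four-byte extension.
RANDOM_EXT_RE = re.compile(r"\.[A-Za-z0-9]{4}")

# Constructed rename events (timestamp, host, old path, new path); not real telemetry.
SAMPLE_EVENTS = [
    ("2022-01-13T10:00:00", "ws01", r"C:\Users\u\Documents\budget.xlsx", r"C:\Users\u\Documents\budget.Q7wZ"),
    ("2022-01-13T10:00:03", "ws01", r"C:\Users\u\Documents\plan.docx", r"C:\Users\u\Documents\plan.docx.aB3k"),
    ("2022-01-13T10:00:05", "ws01", r"C:\Users\u\Documents\notes.txt", r"C:\Users\u\Documents\notes.p9Xd"),
    ("2022-01-13T10:00:09", "ws01", r"C:\Users\u\Desktop\keys.kdbx", r"C:\Users\u\Desktop\keys.Lm2q"),
    ("2022-01-13T10:00:12", "ws01", r"C:\Users\u\Desktop\report.pdf", r"C:\Users\u\Desktop\report.zZ4r"),
    ("2022-01-13T10:00:15", "ws01", r"C:\Tools\helper.exe", r"C:\Tools\helper.exe.old"),  # not a targeted type
    ("2022-01-13T09:30:00", "ws02", r"C:\Users\v\notes.txt", r"C:\Users\v\notes.bak"),    # targeted -> targeted
    ("2022-01-13T09:31:00", "ws02", r"C:\Users\v\old.pdf", r"C:\Users\v\old.k3Wq"),       # single hit, below threshold
]

def is_wiper_style_rename(old_path, new_path):
    """True when a targeted file type gains a four-character extension outside the targeted set."""
    old_ext = ntpath.splitext(old_path)[1].upper()
    new_ext = ntpath.splitext(new_path)[1]
    if old_ext not in TARGETED_EXTENSIONS:
        return False
    return RANDOM_EXT_RE.fullmatch(new_ext) is not None and new_ext.upper() not in TARGETED_EXTENSIONS

def hosts_with_mass_renames(events, threshold=5, window=timedelta(seconds=60)):
    """Hosts on which at least `threshold` wiper-style renames fall inside one `window`."""
    per_host = defaultdict(list)
    for ts, host, old_path, new_path in events:
        if is_wiper_style_rename(old_path, new_path):
            per_host[host].append(datetime.fromisoformat(ts))
    flagged = set()
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(host)
                break
    return flagged
```

A single matching rename is weak evidence on its own (users do rename files), which is why the host is flagged only on a burst; the threshold and window are tuning knobs, not values from the advisory.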