Ukrainian Cybersecurity Firm Warns About New NotPetya Attack
« Back to Blog

Ukrainian Cybersecurity Firm Warns About New NotPetya Attack

By Kim Crawley

It's now well understood that NotPetya was designed to wreck havoc upon Ukrainian networks. It's an attack that Cylance customers have been protected from since 2015, but June's NotPetya outbreak spread outside of Ukraine to do damage in the hundreds of millions to billions of dollars to international companies. It was reported recently that international shipping giant Maersk alone took a huge financial hit.

"In the last week of the quarter we were hit by a cyber attack, which mainly impacted Maersk Line, APM Terminals and Damco. Business volumes were negatively affected for a couple of weeks in July and as a consequence, our Q3 results will be impacted. We expect that the cyber attack will impact results negatively by USD 200-300 million,” said Maersk CEO Soren Skou.

Cybersecurity experts suspect that the Russian military is using Ukraine as a testing ground for international cyber attacks. So when Ukrainian cybersecurity firms and institutions warn of impending cyber threats, the world should be listening.

The National Bank of Ukraine recently spotted signs of a looming malware threat with vague details in a letter sent to Reuters.

“The nature of this malicious code, its mass distribution, and the fact that at the time of its distribution it was not detected by any antivirus software, suggest that this attack is preparation for a mass cyber attack on the corporate networks of Ukrainian businesses,” the letter said.

The Bank isn't taking Russian cyber threats lying down. They're busy beefing up their cyber defenses.

“The NBU (National Bank of Ukraine) is involved in efforts to establish the NBU Computer Security Incident Response Team (CSIRT-NBU) to respond promptly to cyber incidents and share information in real time with all the banking sector participants and law enforcement agencies,” they said to Bank Info Security.

NotPetya – a (Re)Emerging Malware Threat

On August 22, Ukraine's Information Systems Security Partners broke much more specific news of an emerging malware threat. They shared the details of their discovery in a publicly available report. The file sample they acquired is named ‘док.zip,’ which contains JavaScript code that triggers a download of a malicious file titled ‘load.exe’ and executes it in a Windows environment. The malware is hosted on the website for accounting software developer Crystal Finance Millennium.

This attack features a striking similarity to NotPetya. NotPetya transmission originated with financial software developer MeDoc. They operate in the same industry and country as Crystal Finance Millennium. Plus the malware recently discovered by Information Systems Security Partners targets Windows, just as NotPetya did.

Information Systems Security Partners (ISSP) shared no information about how ‘док.zip’ is distributed. One possible method of distribution is email attachments. It's incredibly important to train your employees to avoid opening email attachments from new email addresses, I cannot stress that enough. ISSP does believe that Crystal Finance Millennium is an innocent victim; the attacker must have exploited vulnerabilities on their website to upload the ‘load.exe’ malware to their web server.

ISSP's sample analysis explains how ‘load.exe’ behaves:

Upon execution, ‘load.exe’ migrates to ‘explorer.exe’ as a process in suspended mode. The new process copies the file at ‘C:\Users\%user name%\AppData\Roaming\Microsoft\fbufwrbe\siaeesws.exe.’ Then an autorun file is created which exists at this registry location: ‘HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jack1024.’

That autorun file writes a path to a newly created file at this location: ‘C:\Users\%user_name%\AppData\Roaming\Microsoft\fbufwrbe\siaeesws.exe.’ Eventually, a configuration block is found in the ‘load.exe’ tampered ‘explorer.exe files’ memory stack, which contains a link to a dangerous command and control (C&C) server online.

Figures 1 and 2 below detail their findings:

Figure 1

Figure 2

As these new malware attacks which target Ukraine inevitably spread worldwide, the international cybersecurity community should be grateful for the hard work of Ukrainian cybersecurity professionals at firms like ISSP and the NBU.

About Kim Crawley

Kimberly Crawley spent years working in consumer tech support. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. By 2011, she was writing study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. She’s since contributed articles on information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo-developed PC game, Hackers Versus Banksters, and was featured at the Toronto Comic Arts Festival in May 2016. She now writes for Tripwire, Alienvault, Cylance, and CCSI’s corporate blogs.

The opinions expressed in guest author articles are solely those of the contributor, and do not necessarily reflect those of Cylance.

Tags: