SYMBOLCOMMON_NAMEaka. SYNONYMS
win.industroyer2 (Back to overview)

INDUSTROYER2

Actor(s): Sandworm


There is no description at this point.

References
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:bf3eca2, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/}, language = {English}, urldate = {2022-08-28} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:a12950c, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war}, language = {English}, urldate = {2022-08-22} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-06-23splunkSplunk Threat Research Team
@online{team:20220623:threat:c75f097, author = {Splunk Threat Research Team}, title = {{Threat Update: Industroyer2}}, date = {2022-06-23}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html}, language = {English}, urldate = {2022-08-22} } Threat Update: Industroyer2
INDUSTROYER2
2022-05-31NOZOMI Network LabsGiannis Tsaraias, Ivan Speziale
@techreport{tsaraias:20220531:industroyer:67799a0, author = {Giannis Tsaraias and Ivan Speziale}, title = {{Industroyer vs. Industroyer2: Evolution of the IEC 104 Component}}, date = {2022-05-31}, institution = {NOZOMI Network Labs}, url = {https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-Industroyer2.pdf}, language = {English}, urldate = {2022-09-06} } Industroyer vs. Industroyer2: Evolution of the IEC 104 Component
INDUSTROYER2
2022-05-18ntopntop
@online{ntop:20220518:how:b94772c, author = {ntop}, title = {{How ntopng monitors IEC 60870-5-104 traffic}}, date = {2022-05-18}, organization = {ntop}, url = {https://www.ntop.org/cybersecurity/how-ntopng-monitors-iec-60870-5-104-traffic/}, language = {English}, urldate = {2022-05-25} } How ntopng monitors IEC 60870-5-104 traffic
INDUSTROYER2
2022-05-12BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220512:threat:c711afc, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: Malware Rebooted - How Industroyer2 Takes Aim at Ukraine Infrastructure}}, date = {2022-05-12}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/05/threat-thursday-malware-rebooted-how-industroyer2-takes-aim-at-ukraine-infrastructure}, language = {English}, urldate = {2022-05-17} } Threat Thursday: Malware Rebooted - How Industroyer2 Takes Aim at Ukraine Infrastructure
INDUSTROYER2
2022-05-02AT&TFernando Martinez
@online{martinez:20220502:analysis:e5d626b, author = {Fernando Martinez}, title = {{Analysis on recent wiper attacks: examples and how wiper malware works}}, date = {2022-05-02}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works}, language = {English}, urldate = {2022-05-04} } Analysis on recent wiper attacks: examples and how wiper malware works
AcidRain CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper
2022-04-27Nozomi NetworksNozomi Networks Labs
@online{labs:20220427:industroyer2:a037c0d, author = {Nozomi Networks Labs}, title = {{Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload}}, date = {2022-04-27}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/blog/industroyer2-nozomi-networks-labs-analyzes-the-iec-104-payload/}, language = {English}, urldate = {2022-04-29} } Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload
INDUSTROYER2
2022-04-27MicrosoftMicrosoft Digital Security Unit (DSU)
@online{dsu:20220427:special:f1a2031, author = {Microsoft Digital Security Unit (DSU)}, title = {{Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine}}, date = {2022-04-27}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd}, language = {English}, urldate = {2022-05-03} } Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine
CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate
2022-04-25NetresecErik Hjelmvik
@online{hjelmvik:20220425:industroyer2:ed9e211, author = {Erik Hjelmvik}, title = {{Industroyer2 IEC-104 Analysis}}, date = {2022-04-25}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2022-04&post=Industroyer2-IEC-104-Analysis}, language = {English}, urldate = {2022-04-29} } Industroyer2 IEC-104 Analysis
INDUSTROYER2
2022-04-25MandiantDaniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker
@online{zafra:20220425:industroyerv2:5548d98, author = {Daniel Kapellmann Zafra and Raymond Leong and Chris Sistrunk and Ken Proska and Corey Hildebrandt and Keith Lunden and Nathan Brubaker}, title = {{INDUSTROYER.V2: Old Malware Learns New Tricks}}, date = {2022-04-25}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/industroyer-v2-old-malware-new-tricks}, language = {English}, urldate = {2022-04-29} } INDUSTROYER.V2: Old Malware Learns New Tricks
INDUSTROYER2
2022-04-23Stranded on Pylos BlogJoe Slowik
@online{slowik:20220423:industroyer2:c8064df, author = {Joe Slowik}, title = {{Industroyer2 in Perspective}}, date = {2022-04-23}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2022/04/23/industroyer2-in-perspective/}, language = {English}, urldate = {2022-04-25} } Industroyer2 in Perspective
INDUSTROYER2
2022-04-14SCADAfenceMaayan Fishelov
@online{fishelov:20220414:industroyer2:31408b6, author = {Maayan Fishelov}, title = {{Industroyer2: ICS Networks need to heighten vigilance - SCADAfence}}, date = {2022-04-14}, organization = {SCADAfence}, url = {https://blog.scadafence.com/industroyer2-attack}, language = {English}, urldate = {2022-05-25} } Industroyer2: ICS Networks need to heighten vigilance - SCADAfence
INDUSTROYER2
2022-04-12Cert-UACert-UA
@online{certua:20220412:cyberattack:5f28c75, author = {Cert-UA}, title = {{Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)}}, date = {2022-04-12}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39518}, language = {Ukrainian}, urldate = {2022-05-25} } Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2
2022-04-12ESET ResearchESET Ireland
@online{ireland:20220412:industroyer2:aa61be3, author = {ESET Ireland}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-05-04} } Industroyer2: Industroyer reloaded
CaddyWiper INDUSTROYER2
2022-04-12Twitter (@silascutler)Silas Cutler
@online{cutler:20220412:analysis:561c2a2, author = {Silas Cutler}, title = {{Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2}}, date = {2022-04-12}, organization = {Twitter (@silascutler)}, url = {https://twitter.com/silascutler/status/1513870210398363651}, language = {English}, urldate = {2022-05-25} } Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2
CaddyWiper INDUSTROYER2
2022-04-12ESET ResearchESET Research
@online{research:20220412:industroyer2:4d6c5f8, author = {ESET Research}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-04-13} } Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2
2022-02-28MicrosoftMSRC Team
@online{team:20220228:cyber:69efe8b, author = {MSRC Team}, title = {{Cyber threat activity in Ukraine: analysis and resources}}, date = {2022-02-28}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/}, language = {English}, urldate = {2022-07-25} } Cyber threat activity in Ukraine: analysis and resources
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate DEV-0586
Yara Rules
[TLP:WHITE] win_industroyer2_auto (20230125 | Detects win.industroyer2.)
rule win_industroyer2_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.industroyer2."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 8945f8 8b4508 0fb68818000100 83f901 7505 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   0fb68818000100       | movzx               ecx, byte ptr [eax + 0x10018]
            //   83f901               | cmp                 ecx, 1
            //   7505                 | jne                 7

        $sequence_1 = { 6800100000 8b55fc 52 ff15???????? }
            // n = 4, score = 100
            //   6800100000           | push                0x1000
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   52                   | push                edx
            //   ff15????????         |                     

        $sequence_2 = { b801000000 c1e002 8b4d08 0fb61401 81e2fe000000 }
            // n = 5, score = 100
            //   b801000000           | mov                 eax, 1
            //   c1e002               | shl                 eax, 2
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   0fb61401             | movzx               edx, byte ptr [ecx + eax]
            //   81e2fe000000         | and                 edx, 0xfe

        $sequence_3 = { 68???????? 8d4df4 e8???????? 8b4d08 e8???????? 8945fc 68???????? }
            // n = 7, score = 100
            //   68????????           |                     
            //   8d4df4               | lea                 ecx, [ebp - 0xc]
            //   e8????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   68????????           |                     

        $sequence_4 = { 837d0800 7e2b 8b4d08 c1e102 }
            // n = 4, score = 100
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   7e2b                 | jle                 0x2d
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   c1e102               | shl                 ecx, 2

        $sequence_5 = { c745e800000000 837de0ff 7e0b 8b45e0 83c001 }
            // n = 5, score = 100
            //   c745e800000000       | mov                 dword ptr [ebp - 0x18], 0
            //   837de0ff             | cmp                 dword ptr [ebp - 0x20], -1
            //   7e0b                 | jle                 0xd
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   83c001               | add                 eax, 1

        $sequence_6 = { 8b4cd018 51 8b4dfc e8???????? 8b55f8 8b45fc }
            // n = 6, score = 100
            //   8b4cd018             | mov                 ecx, dword ptr [eax + edx*8 + 0x18]
            //   51                   | push                ecx
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   e8????????           |                     
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_7 = { e8???????? 8b4dec 89410c 8b55fc 83c201 8955fc }
            // n = 6, score = 100
            //   e8????????           |                     
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   89410c               | mov                 dword ptr [ecx + 0xc], eax
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   83c201               | add                 edx, 1
            //   8955fc               | mov                 dword ptr [ebp - 4], edx

        $sequence_8 = { 7409 817dfc03010000 750c 6a01 }
            // n = 4, score = 100
            //   7409                 | je                  0xb
            //   817dfc03010000       | cmp                 dword ptr [ebp - 4], 0x103
            //   750c                 | jne                 0xe
            //   6a01                 | push                1

        $sequence_9 = { 0f84b5000000 807df803 0f840e010000 e9???????? 8b45fc }
            // n = 5, score = 100
            //   0f84b5000000         | je                  0xbb
            //   807df803             | cmp                 byte ptr [ebp - 8], 3
            //   0f840e010000         | je                  0x114
            //   e9????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

    condition:
        7 of them and filesize < 100352
}
[TLP:WHITE] win_industroyer2_w0   (20220905 | Industroyer2 malware targeting power grid components.)
// Created by Nozomi Networks Labs

rule win_industroyer2_w0 {
    meta:
        author = "Nozomi Networks Labs"
        name = "Industroyer2"
        description = "Industroyer2 malware targeting power grid components."
        actor = "Sandworm"
        source="https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-Industroyer2.pdf"
        hash = "D69665F56DDEF7AD4E71971F06432E59F1510A7194386E5F0E8926AEA7B88E00"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2"
        malpedia_rule_date = "20220905"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220905"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "%02d:%lS" wide ascii
        $s2 = "PService_PPD.exe" wide ascii
        $s3 = "D:\\OIK\\DevCounter" wide ascii
        $s4 = "MSTR ->> SLV" fullword wide ascii
        $s5 = "MSTR <<- SLV" fullword wide ascii
        $s6 = "Current operation : %s"
        $s7 = "Switch value: %s"
        $s8 = "Unknown APDU format !!!"
        $s9 = "Length:%u bytes |"
        $s10 = "Sent=x%X | Received=x%X"
        $s11 = "ASDU:%u | OA:%u | IOA:%u |"
        $s12 = "Cause: %s (x%X) | Telegram type: %s (x%X)"

    condition:
        5 of them
}
Download all Yara Rules