SYMBOLCOMMON_NAMEaka. SYNONYMS
win.industroyer2 (Back to overview)

INDUSTROYER2

Actor(s): Sandworm

There is no description at this point.

References
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:bf3eca2, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/}, language = {English}, urldate = {2022-08-28} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:a12950c, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war}, language = {English}, urldate = {2022-08-22} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-06-23splunkSplunk Threat Research Team
@online{team:20220623:threat:c75f097, author = {Splunk Threat Research Team}, title = {{Threat Update: Industroyer2}}, date = {2022-06-23}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html}, language = {English}, urldate = {2022-08-22} } Threat Update: Industroyer2
INDUSTROYER2
2022-05-31NOZOMI Network LabsGiannis Tsaraias, Ivan Speziale
@techreport{tsaraias:20220531:industroyer:67799a0, author = {Giannis Tsaraias and Ivan Speziale}, title = {{Industroyer vs. Industroyer2: Evolution of the IEC 104 Component}}, date = {2022-05-31}, institution = {NOZOMI Network Labs}, url = {https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-Industroyer2.pdf}, language = {English}, urldate = {2022-09-06} } Industroyer vs. Industroyer2: Evolution of the IEC 104 Component
INDUSTROYER2
2022-05-18ntopntop
@online{ntop:20220518:how:b94772c, author = {ntop}, title = {{How ntopng monitors IEC 60870-5-104 traffic}}, date = {2022-05-18}, organization = {ntop}, url = {https://www.ntop.org/cybersecurity/how-ntopng-monitors-iec-60870-5-104-traffic/}, language = {English}, urldate = {2022-05-25} } How ntopng monitors IEC 60870-5-104 traffic
INDUSTROYER2
2022-05-12BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220512:threat:c711afc, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: Malware Rebooted - How Industroyer2 Takes Aim at Ukraine Infrastructure}}, date = {2022-05-12}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/05/threat-thursday-malware-rebooted-how-industroyer2-takes-aim-at-ukraine-infrastructure}, language = {English}, urldate = {2022-05-17} } Threat Thursday: Malware Rebooted - How Industroyer2 Takes Aim at Ukraine Infrastructure
INDUSTROYER2
2022-05-02AT&TFernando Martinez
@online{martinez:20220502:analysis:e5d626b, author = {Fernando Martinez}, title = {{Analysis on recent wiper attacks: examples and how wiper malware works}}, date = {2022-05-02}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works}, language = {English}, urldate = {2022-05-04} } Analysis on recent wiper attacks: examples and how wiper malware works
AcidRain CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper
2022-04-27Nozomi NetworksNozomi Networks Labs
@online{labs:20220427:industroyer2:a037c0d, author = {Nozomi Networks Labs}, title = {{Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload}}, date = {2022-04-27}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/blog/industroyer2-nozomi-networks-labs-analyzes-the-iec-104-payload/}, language = {English}, urldate = {2022-04-29} } Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload
INDUSTROYER2
2022-04-27MicrosoftMicrosoft Digital Security Unit (DSU)
@online{dsu:20220427:special:f1a2031, author = {Microsoft Digital Security Unit (DSU)}, title = {{Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine}}, date = {2022-04-27}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd}, language = {English}, urldate = {2022-05-03} } Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine
CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate
2022-04-25NetresecErik Hjelmvik
@online{hjelmvik:20220425:industroyer2:ed9e211, author = {Erik Hjelmvik}, title = {{Industroyer2 IEC-104 Analysis}}, date = {2022-04-25}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2022-04&post=Industroyer2-IEC-104-Analysis}, language = {English}, urldate = {2022-04-29} } Industroyer2 IEC-104 Analysis
INDUSTROYER2
2022-04-25MandiantDaniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker
@online{zafra:20220425:industroyerv2:5548d98, author = {Daniel Kapellmann Zafra and Raymond Leong and Chris Sistrunk and Ken Proska and Corey Hildebrandt and Keith Lunden and Nathan Brubaker}, title = {{INDUSTROYER.V2: Old Malware Learns New Tricks}}, date = {2022-04-25}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/industroyer-v2-old-malware-new-tricks}, language = {English}, urldate = {2022-04-29} } INDUSTROYER.V2: Old Malware Learns New Tricks
INDUSTROYER2
2022-04-23Stranded on Pylos BlogJoe Slowik
@online{slowik:20220423:industroyer2:c8064df, author = {Joe Slowik}, title = {{Industroyer2 in Perspective}}, date = {2022-04-23}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2022/04/23/industroyer2-in-perspective/}, language = {English}, urldate = {2022-04-25} } Industroyer2 in Perspective
INDUSTROYER2
2022-04-14SCADAfenceMaayan Fishelov
@online{fishelov:20220414:industroyer2:31408b6, author = {Maayan Fishelov}, title = {{Industroyer2: ICS Networks need to heighten vigilance - SCADAfence}}, date = {2022-04-14}, organization = {SCADAfence}, url = {https://blog.scadafence.com/industroyer2-attack}, language = {English}, urldate = {2022-05-25} } Industroyer2: ICS Networks need to heighten vigilance - SCADAfence
INDUSTROYER2
2022-04-12ESET ResearchESET Ireland
@online{ireland:20220412:industroyer2:aa61be3, author = {ESET Ireland}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-05-04} } Industroyer2: Industroyer reloaded
CaddyWiper INDUSTROYER2
2022-04-12Cert-UACert-UA
@online{certua:20220412:cyberattack:5f28c75, author = {Cert-UA}, title = {{Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)}}, date = {2022-04-12}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39518}, language = {Ukrainian}, urldate = {2022-05-25} } Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2
2022-04-12Twitter (@silascutler)Silas Cutler
@online{cutler:20220412:analysis:561c2a2, author = {Silas Cutler}, title = {{Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2}}, date = {2022-04-12}, organization = {Twitter (@silascutler)}, url = {https://twitter.com/silascutler/status/1513870210398363651}, language = {English}, urldate = {2022-05-25} } Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2
CaddyWiper INDUSTROYER2
2022-04-12ESET ResearchESET Research
@online{research:20220412:industroyer2:4d6c5f8, author = {ESET Research}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-04-13} } Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2
2022-02-28MicrosoftMSRC Team
@online{team:20220228:cyber:69efe8b, author = {MSRC Team}, title = {{Cyber threat activity in Ukraine: analysis and resources}}, date = {2022-02-28}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/}, language = {English}, urldate = {2022-07-25} } Cyber threat activity in Ukraine: analysis and resources
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate DEV-0586
Yara Rules
[TLP:WHITE] win_industroyer2_auto (20220808 | Detects win.industroyer2.)
rule win_industroyer2_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.industroyer2."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b55fc 8b4204 88480c 0fb64d20 83f92e 7542 }
            // n = 6, score = 100
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b4204               | mov                 eax, dword ptr [edx + 4]
            //   88480c               | mov                 byte ptr [eax + 0xc], cl
            //   0fb64d20             | movzx               ecx, byte ptr [ebp + 0x20]
            //   83f92e               | cmp                 ecx, 0x2e
            //   7542                 | jne                 0x44

        $sequence_1 = { 7307 33c0 e9???????? 8b55f4 3b55e8 0f83ac000000 }
            // n = 6, score = 100
            //   7307                 | jae                 9
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   3b55e8               | cmp                 edx, dword ptr [ebp - 0x18]
            //   0f83ac000000         | jae                 0xb2

        $sequence_2 = { 8b55a0 52 e8???????? 8b4dec 89410c 8b55fc 83c201 }
            // n = 7, score = 100
            //   8b55a0               | mov                 edx, dword ptr [ebp - 0x60]
            //   52                   | push                edx
            //   e8????????           |                     
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   89410c               | mov                 dword ptr [ecx + 0xc], eax
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   83c201               | add                 edx, 1

        $sequence_3 = { 747e 6a00 6a00 8b450c 50 }
            // n = 5, score = 100
            //   747e                 | je                  0x80
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   50                   | push                eax

        $sequence_4 = { 0fb64205 83c002 50 68???????? e8???????? 50 }
            // n = 6, score = 100
            //   0fb64205             | movzx               eax, byte ptr [edx + 5]
            //   83c002               | add                 eax, 2
            //   50                   | push                eax
            //   68????????           |                     
            //   e8????????           |                     
            //   50                   | push                eax

        $sequence_5 = { 8b4d18 81c11d000100 51 68???????? e8???????? }
            // n = 5, score = 100
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]
            //   81c11d000100         | add                 ecx, 0x1001d
            //   51                   | push                ecx
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_6 = { 8b44c114 8b4df8 8b75fc 8954ce18 8944ce1c c745e800000000 c745ec00000000 }
            // n = 7, score = 100
            //   8b44c114             | mov                 eax, dword ptr [ecx + eax*8 + 0x14]
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8b75fc               | mov                 esi, dword ptr [ebp - 4]
            //   8954ce18             | mov                 dword ptr [esi + ecx*8 + 0x18], edx
            //   8944ce1c             | mov                 dword ptr [esi + ecx*8 + 0x1c], eax
            //   c745e800000000       | mov                 dword ptr [ebp - 0x18], 0
            //   c745ec00000000       | mov                 dword ptr [ebp - 0x14], 0

        $sequence_7 = { 8b45f8 8b4d0c 8a1411 889405e8feffff ebcd 6a08 e8???????? }
            // n = 7, score = 100
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   8a1411               | mov                 dl, byte ptr [ecx + edx]
            //   889405e8feffff       | mov                 byte ptr [ebp + eax - 0x118], dl
            //   ebcd                 | jmp                 0xffffffcf
            //   6a08                 | push                8
            //   e8????????           |                     

        $sequence_8 = { e9???????? 837d0800 740e 837d1000 7408 8b4d0c }
            // n = 6, score = 100
            //   e9????????           |                     
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   740e                 | je                  0x10
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   7408                 | je                  0xa
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_9 = { 8b45d8 99 f7790c 85d2 7514 }
            // n = 5, score = 100
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   99                   | cdq                 
            //   f7790c               | idiv                dword ptr [ecx + 0xc]
            //   85d2                 | test                edx, edx
            //   7514                 | jne                 0x16

    condition:
        7 of them and filesize < 100352
}
[TLP:WHITE] win_industroyer2_w0   (20220905 | Industroyer2 malware targeting power grid components.)
// Created by Nozomi Networks Labs

rule win_industroyer2_w0 {
    meta:
        author = "Nozomi Networks Labs"
        name = "Industroyer2"
        description = "Industroyer2 malware targeting power grid components."
        actor = "Sandworm"
        source="https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-Industroyer2.pdf"
        hash = "D69665F56DDEF7AD4E71971F06432E59F1510A7194386E5F0E8926AEA7B88E00"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2"
        malpedia_rule_date = "20220905"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220905"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "%02d:%lS" wide ascii
        $s2 = "PService_PPD.exe" wide ascii
        $s3 = "D:\\OIK\\DevCounter" wide ascii
        $s4 = "MSTR ->> SLV" fullword wide ascii
        $s5 = "MSTR <<- SLV" fullword wide ascii
        $s6 = "Current operation : %s"
        $s7 = "Switch value: %s"
        $s8 = "Unknown APDU format !!!"
        $s9 = "Length:%u bytes |"
        $s10 = "Sent=x%X | Received=x%X"
        $s11 = "ASDU:%u | OA:%u | IOA:%u |"
        $s12 = "Cause: %s (x%X) | Telegram type: %s (x%X)"

    condition:
        5 of them
}
Download all Yara Rules