INDUSTROYER2 (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.industroyer2 (Back to overview)

INDUSTROYER2

Actor(s): Sandworm

VTCollection

There is no description at this point.

References

2024-04-16 ⋅ Mandiant ⋅ Alden Wahlstrom, Anton Prokopenkov, Dan Black, Dan Perez, Gabby Roncone, John Wolfram, Lexie Aytes, Nick Simonian, Ryan Hall, Tyler McLellan
APT44: Unearthing Sandworm
VPNFilter BlackEnergy CaddyWiper EternalPetya HermeticWiper Industroyer INDUSTROYER2 Olympic Destroyer PartyTicket RoarBAT Sandworm

2024-04-15 ⋅ UC Santa Cruz ⋅ Alonso Rojas, Alvaro A. Cardenas, Bing Huang, Emmanuele Zambon, Juan Lozano, Keerthi Koneru, Luis Salazar, Marina Krotofil, Ross Baldick, Sebastian R. Castro
A Tale of Two Industroyers: It was the Season of Darkness
Industroyer INDUSTROYER2

2023-07-12 ⋅ Mandiant ⋅ Dan Black, Gabby Roncone
The GRU's Disruptive Playbook
CaddyWiper INDUSTROYER2 XakNet

2023-04-18 ⋅ Mandiant ⋅ Mandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate

2023-03-15 ⋅ Microsoft ⋅ Microsoft Threat Intelligence
A year of Russian hybrid warfare in Ukraine
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket SwiftSlicer WhisperGate

2023-02-15 ⋅ Google ⋅ Google Threat Analysis Group, Mandiant
Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
CaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge MUSTANG PANDA Turla

2022-10-24 ⋅ Youtube (Virus Bulletin) ⋅ Alexander Adamov
Russian wipers in the cyberwar against Ukraine
AcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard INDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate

2022-08-18 ⋅ Trustwave ⋅ Pawel Knapczyk
Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket

2022-06-23 ⋅ splunk ⋅ Splunk Threat Research Team
Threat Update: Industroyer2
INDUSTROYER2

2022-05-31 ⋅ NOZOMI Network Labs ⋅ Giannis Tsaraias, Ivan Speziale
Industroyer vs. Industroyer2: Evolution of the IEC 104 Component
INDUSTROYER2

2022-05-18 ⋅ ntop ⋅ ntop
How ntopng monitors IEC 60870-5-104 traffic
INDUSTROYER2

2022-05-12 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Threat Thursday: Malware Rebooted - How Industroyer2 Takes Aim at Ukraine Infrastructure
INDUSTROYER2

2022-05-02 ⋅ AT&T ⋅ Fernando Martinez
Analysis on recent wiper attacks: examples and how wiper malware works
AcidRain CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper

2022-04-27 ⋅ Microsoft ⋅ Microsoft Digital Security Unit (DSU)
Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine
CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate

2022-04-27 ⋅ Nozomi Networks ⋅ Nozomi Networks Labs
Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload
INDUSTROYER2

2022-04-25 ⋅ Netresec ⋅ Erik Hjelmvik
Industroyer2 IEC-104 Analysis
INDUSTROYER2

2022-04-25 ⋅ Mandiant ⋅ Chris Sistrunk, Corey Hildebrandt, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Nathan Brubaker, Raymond Leong
INDUSTROYER.V2: Old Malware Learns New Tricks
INDUSTROYER2

2022-04-23 ⋅ Stranded on Pylos Blog ⋅ Joe Slowik
Industroyer2 in Perspective
INDUSTROYER2

2022-04-14 ⋅ SCADAfence ⋅ Maayan Fishelov
Industroyer2: ICS Networks need to heighten vigilance - SCADAfence
INDUSTROYER2

2022-04-12 ⋅ ⋅ Cert-UA ⋅ Cert-UA
Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2

2022-04-12 ⋅ Twitter (@silascutler) ⋅ Silas Cutler
Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2
CaddyWiper INDUSTROYER2

2022-04-12 ⋅ ESET Research ⋅ ESET Ireland
Industroyer2: Industroyer reloaded
CaddyWiper INDUSTROYER2

2022-04-12 ⋅ ESET Research ⋅ ESET Research
Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2

2022-02-28 ⋅ Microsoft ⋅ MSRC Team
Cyber threat activity in Ukraine: analysis and resources
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate DEV-0586

Yara Rules

[TLP:WHITE] win_industroyer2_auto (20241030 | Detects win.industroyer2.)

rule win_industroyer2_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.industroyer2."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 55 8bec 83ec08 837d0800 7504 33c0 eb29 }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec08               | sub                 esp, 8
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax
            //   eb29                 | jmp                 0x2b

        $sequence_1 = { 051d000100 50 68???????? e8???????? }
            // n = 4, score = 100
            //   051d000100           | add                 eax, 0x1001d
            //   50                   | push                eax
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_2 = { 8b45fc 837c901000 7425 8b4dfc 8b5108 8b45fc }
            // n = 6, score = 100
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   837c901000           | cmp                 dword ptr [eax + edx*4 + 0x10], 0
            //   7425                 | je                  0x27
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_3 = { 51 e8???????? 8845ff 8b55f8 52 }
            // n = 5, score = 100
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8845ff               | mov                 byte ptr [ebp - 1], al
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   52                   | push                edx

        $sequence_4 = { 8b4dec 89410c 8b55fc 83c201 8955fc eb0e c745e804680000 }
            // n = 7, score = 100
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   89410c               | mov                 dword ptr [ecx + 0xc], eax
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   83c201               | add                 edx, 1
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   eb0e                 | jmp                 0x10
            //   c745e804680000       | mov                 dword ptr [ebp - 0x18], 0x6804

        $sequence_5 = { 8b4df8 83e140 7540 e8???????? 8bc8 e8???????? }
            // n = 6, score = 100
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   83e140               | and                 ecx, 0x40
            //   7540                 | jne                 0x42
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     

        $sequence_6 = { 8b4df0 51 ff15???????? 85c0 7406 c645ff01 eb04 }
            // n = 7, score = 100
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7406                 | je                  8
            //   c645ff01             | mov                 byte ptr [ebp - 1], 1
            //   eb04                 | jmp                 6

        $sequence_7 = { 83ba600d010000 7e41 e8???????? 8bc8 e8???????? 68b3680000 8b4508 }
            // n = 7, score = 100
            //   83ba600d010000       | cmp                 dword ptr [edx + 0x10d60], 0
            //   7e41                 | jle                 0x43
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   68b3680000           | push                0x68b3
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_8 = { 51 ff15???????? 8b85dcfeffff eb21 8d95d4feffff }
            // n = 5, score = 100
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8b85dcfeffff         | mov                 eax, dword ptr [ebp - 0x124]
            //   eb21                 | jmp                 0x23
            //   8d95d4feffff         | lea                 edx, [ebp - 0x12c]

        $sequence_9 = { c745ecffffffff eb15 8b450c c6801800010001 }
            // n = 4, score = 100
            //   c745ecffffffff       | mov                 dword ptr [ebp - 0x14], 0xffffffff
            //   eb15                 | jmp                 0x17
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   c6801800010001       | mov                 byte ptr [eax + 0x10018], 1

    condition:
        7 of them and filesize < 100352
}

[TLP:WHITE] win_industroyer2_w0 (20220905 | Industroyer2 malware targeting power grid components.)

// Created by Nozomi Networks Labs

rule win_industroyer2_w0 {
    meta:
        author = "Nozomi Networks Labs"
        name = "Industroyer2"
        description = "Industroyer2 malware targeting power grid components."
        actor = "Sandworm"
        source="https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-Industroyer2.pdf"
        hash = "D69665F56DDEF7AD4E71971F06432E59F1510A7194386E5F0E8926AEA7B88E00"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2"
        malpedia_rule_date = "20220905"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220905"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "%02d:%lS" wide ascii
        $s2 = "PService_PPD.exe" wide ascii
        $s3 = "D:\\OIK\\DevCounter" wide ascii
        $s4 = "MSTR ->> SLV" fullword wide ascii
        $s5 = "MSTR <<- SLV" fullword wide ascii
        $s6 = "Current operation : %s"
        $s7 = "Switch value: %s"
        $s8 = "Unknown APDU format !!!"
        $s9 = "Length:%u bytes |"
        $s10 = "Sent=x%X | Received=x%X"
        $s11 = "ASDU:%u | OA:%u | IOA:%u |"
        $s12 = "Cause: %s (x%X) | Telegram type: %s (x%X)"

    condition:
        5 of them
}

Download all Yara Rules

INDUSTROYER2 Propose Change

References

Yara Rules

INDUSTROYER2