SYMBOLCOMMON_NAMEaka. SYNONYMS
win.industroyer2 (Back to overview)

INDUSTROYER2

Actor(s): Sandworm

There is no description at this point.

References
2023-04-18MandiantMandiant
@online{mandiant:20230418:mtrends:af1a28e, author = {Mandiant}, title = {{M-Trends 2023}}, date = {2023-04-18}, organization = {Mandiant}, url = {https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023}, language = {English}, urldate = {2023-04-18} } M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-03-15MicrosoftMicrosoft Threat Intelligence
@techreport{intelligence:20230315:year:01e29b1, author = {Microsoft Threat Intelligence}, title = {{A year of Russian hybrid warfare in Ukraine}}, date = {2023-03-15}, institution = {Microsoft}, url = {https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf}, language = {English}, urldate = {2023-04-25} } A year of Russian hybrid warfare in Ukraine
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket SwiftSlicer WhisperGate
2023-02-15GoogleGoogle Threat Analysis Group, Mandiant
@techreport{group:20230215:fog:0d99aaa, author = {Google Threat Analysis Group and Mandiant}, title = {{Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape}}, date = {2023-02-15}, institution = {Google}, url = {https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf}, language = {English}, urldate = {2023-03-13} } Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
CaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge MUSTANG PANDA Turla
2022-10-24Youtube (Virus Bulletin)Alexander Adamov
@online{adamov:20221024:russian:97d3e2a, author = {Alexander Adamov}, title = {{Russian wipers in the cyberwar against Ukraine}}, date = {2022-10-24}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=mrTdSdMMgnk}, language = {English}, urldate = {2023-03-20} } Russian wipers in the cyberwar against Ukraine
AcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard INDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:bf3eca2, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/}, language = {English}, urldate = {2022-08-28} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-18TrustwavePawel Knapczyk
@online{knapczyk:20220818:overview:a12950c, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war}, language = {English}, urldate = {2022-08-22} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-06-23splunkSplunk Threat Research Team
@online{team:20220623:threat:c75f097, author = {Splunk Threat Research Team}, title = {{Threat Update: Industroyer2}}, date = {2022-06-23}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html}, language = {English}, urldate = {2022-08-22} } Threat Update: Industroyer2
INDUSTROYER2
2022-05-31NOZOMI Network LabsGiannis Tsaraias, Ivan Speziale
@techreport{tsaraias:20220531:industroyer:67799a0, author = {Giannis Tsaraias and Ivan Speziale}, title = {{Industroyer vs. Industroyer2: Evolution of the IEC 104 Component}}, date = {2022-05-31}, institution = {NOZOMI Network Labs}, url = {https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-Industroyer2.pdf}, language = {English}, urldate = {2022-09-06} } Industroyer vs. Industroyer2: Evolution of the IEC 104 Component
INDUSTROYER2
2022-05-18ntopntop
@online{ntop:20220518:how:b94772c, author = {ntop}, title = {{How ntopng monitors IEC 60870-5-104 traffic}}, date = {2022-05-18}, organization = {ntop}, url = {https://www.ntop.org/cybersecurity/how-ntopng-monitors-iec-60870-5-104-traffic/}, language = {English}, urldate = {2022-05-25} } How ntopng monitors IEC 60870-5-104 traffic
INDUSTROYER2
2022-05-12BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220512:threat:c711afc, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: Malware Rebooted - How Industroyer2 Takes Aim at Ukraine Infrastructure}}, date = {2022-05-12}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/05/threat-thursday-malware-rebooted-how-industroyer2-takes-aim-at-ukraine-infrastructure}, language = {English}, urldate = {2022-05-17} } Threat Thursday: Malware Rebooted - How Industroyer2 Takes Aim at Ukraine Infrastructure
INDUSTROYER2
2022-05-02AT&TFernando Martinez
@online{martinez:20220502:analysis:e5d626b, author = {Fernando Martinez}, title = {{Analysis on recent wiper attacks: examples and how wiper malware works}}, date = {2022-05-02}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works}, language = {English}, urldate = {2022-05-04} } Analysis on recent wiper attacks: examples and how wiper malware works
AcidRain CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper
2022-04-27Nozomi NetworksNozomi Networks Labs
@online{labs:20220427:industroyer2:a037c0d, author = {Nozomi Networks Labs}, title = {{Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload}}, date = {2022-04-27}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/blog/industroyer2-nozomi-networks-labs-analyzes-the-iec-104-payload/}, language = {English}, urldate = {2022-04-29} } Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload
INDUSTROYER2
2022-04-27MicrosoftMicrosoft Digital Security Unit (DSU)
@online{dsu:20220427:special:f1a2031, author = {Microsoft Digital Security Unit (DSU)}, title = {{Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine}}, date = {2022-04-27}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd}, language = {English}, urldate = {2022-05-03} } Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine
CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate
2022-04-25MandiantDaniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker
@online{zafra:20220425:industroyerv2:5548d98, author = {Daniel Kapellmann Zafra and Raymond Leong and Chris Sistrunk and Ken Proska and Corey Hildebrandt and Keith Lunden and Nathan Brubaker}, title = {{INDUSTROYER.V2: Old Malware Learns New Tricks}}, date = {2022-04-25}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/industroyer-v2-old-malware-new-tricks}, language = {English}, urldate = {2022-04-29} } INDUSTROYER.V2: Old Malware Learns New Tricks
INDUSTROYER2
2022-04-25NetresecErik Hjelmvik
@online{hjelmvik:20220425:industroyer2:ed9e211, author = {Erik Hjelmvik}, title = {{Industroyer2 IEC-104 Analysis}}, date = {2022-04-25}, organization = {Netresec}, url = {https://www.netresec.com/?page=Blog&month=2022-04&post=Industroyer2-IEC-104-Analysis}, language = {English}, urldate = {2022-04-29} } Industroyer2 IEC-104 Analysis
INDUSTROYER2
2022-04-23Stranded on Pylos BlogJoe Slowik
@online{slowik:20220423:industroyer2:c8064df, author = {Joe Slowik}, title = {{Industroyer2 in Perspective}}, date = {2022-04-23}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2022/04/23/industroyer2-in-perspective/}, language = {English}, urldate = {2022-04-25} } Industroyer2 in Perspective
INDUSTROYER2
2022-04-14SCADAfenceMaayan Fishelov
@online{fishelov:20220414:industroyer2:31408b6, author = {Maayan Fishelov}, title = {{Industroyer2: ICS Networks need to heighten vigilance - SCADAfence}}, date = {2022-04-14}, organization = {SCADAfence}, url = {https://blog.scadafence.com/industroyer2-attack}, language = {English}, urldate = {2022-05-25} } Industroyer2: ICS Networks need to heighten vigilance - SCADAfence
INDUSTROYER2
2022-04-12Cert-UACert-UA
@online{certua:20220412:cyberattack:5f28c75, author = {Cert-UA}, title = {{Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)}}, date = {2022-04-12}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/39518}, language = {Ukrainian}, urldate = {2022-05-25} } Cyberattack of Sandworm Group (UAC-0082) on energy facilities of Ukraine using malicious programs INDUSTROYER2 and CADDYWIPER (CERT-UA # 4435)
CaddyWiper Industroyer INDUSTROYER2
2022-04-12Twitter (@silascutler)Silas Cutler
@online{cutler:20220412:analysis:561c2a2, author = {Silas Cutler}, title = {{Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2}}, date = {2022-04-12}, organization = {Twitter (@silascutler)}, url = {https://twitter.com/silascutler/status/1513870210398363651}, language = {English}, urldate = {2022-05-25} } Tweet on analysis of CADDYWIPER used alongside with INDUSTROYER2
CaddyWiper INDUSTROYER2
2022-04-12ESET ResearchESET Research
@online{research:20220412:industroyer2:4d6c5f8, author = {ESET Research}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-04-13} } Industroyer2: Industroyer reloaded
ArguePatch CaddyWiper Industroyer INDUSTROYER2
2022-04-12ESET ResearchESET Ireland
@online{ireland:20220412:industroyer2:aa61be3, author = {ESET Ireland}, title = {{Industroyer2: Industroyer reloaded}}, date = {2022-04-12}, organization = {ESET Research}, url = {https://blog.eset.ie/2022/04/12/industroyer2-industroyer-reloaded/}, language = {English}, urldate = {2022-05-04} } Industroyer2: Industroyer reloaded
CaddyWiper INDUSTROYER2
2022-02-28MicrosoftMSRC Team
@online{team:20220228:cyber:69efe8b, author = {MSRC Team}, title = {{Cyber threat activity in Ukraine: analysis and resources}}, date = {2022-02-28}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/}, language = {English}, urldate = {2022-07-25} } Cyber threat activity in Ukraine: analysis and resources
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate DEV-0586
Yara Rules
[TLP:WHITE] win_industroyer2_auto (20230407 | Detects win.industroyer2.)
rule win_industroyer2_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.industroyer2."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0355fc 0fb64201 8b4dfc 8d540101 8955fc e9???????? 8b4518 }
            // n = 7, score = 100
            //   0355fc               | add                 edx, dword ptr [ebp - 4]
            //   0fb64201             | movzx               eax, byte ptr [edx + 1]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8d540101             | lea                 edx, [ecx + eax + 1]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   e9????????           |                     
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]

        $sequence_1 = { c6811c00010000 8b55fc c6824400010000 8b45fc }
            // n = 4, score = 100
            //   c6811c00010000       | mov                 byte ptr [ecx + 0x1001c], 0
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   c6824400010000       | mov                 byte ptr [edx + 0x10044], 0
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_2 = { 888245000100 8b4d08 0fb69145000100 85d2 7409 }
            // n = 5, score = 100
            //   888245000100         | mov                 byte ptr [edx + 0x10045], al
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   0fb69145000100       | movzx               edx, byte ptr [ecx + 0x10045]
            //   85d2                 | test                edx, edx
            //   7409                 | je                  0xb

        $sequence_3 = { 898538ffffff 8b8d38ffffff 51 ff15???????? 898534ffffff 8b55fc }
            // n = 6, score = 100
            //   898538ffffff         | mov                 dword ptr [ebp - 0xc8], eax
            //   8b8d38ffffff         | mov                 ecx, dword ptr [ebp - 0xc8]
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   898534ffffff         | mov                 dword ptr [ebp - 0xcc], eax
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]

        $sequence_4 = { 83c408 8b45fc 8be5 5d c20400 ff25???????? ff25???????? }
            // n = 7, score = 100
            //   83c408               | add                 esp, 8
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   ff25????????         |                     
            //   ff25????????         |                     

        $sequence_5 = { 8b4db4 51 0fb655e5 52 0fb645e7 50 0fb64de6 }
            // n = 7, score = 100
            //   8b4db4               | mov                 ecx, dword ptr [ebp - 0x4c]
            //   51                   | push                ecx
            //   0fb655e5             | movzx               edx, byte ptr [ebp - 0x1b]
            //   52                   | push                edx
            //   0fb645e7             | movzx               eax, byte ptr [ebp - 0x19]
            //   50                   | push                eax
            //   0fb64de6             | movzx               ecx, byte ptr [ebp - 0x1a]

        $sequence_6 = { 83c101 894dfc 83bd4cffffff01 7509 c745d001000000 eb07 }
            // n = 6, score = 100
            //   83c101               | add                 ecx, 1
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   83bd4cffffff01       | cmp                 dword ptr [ebp - 0xb4], 1
            //   7509                 | jne                 0xb
            //   c745d001000000       | mov                 dword ptr [ebp - 0x30], 1
            //   eb07                 | jmp                 9

        $sequence_7 = { 8b4dec 894dfc 8b550c 52 8b4dfc e8???????? 8b4dfc }
            // n = 7, score = 100
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   52                   | push                edx
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   e8????????           |                     
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_8 = { eb07 c745d400000000 8b55fc 52 ff15???????? 6a00 ff15???????? }
            // n = 7, score = 100
            //   eb07                 | jmp                 9
            //   c745d400000000       | mov                 dword ptr [ebp - 0x2c], 0
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   ff15????????         |                     

        $sequence_9 = { 7412 8b4d08 51 e8???????? 0fb6d0 85d2 7502 }
            // n = 7, score = 100
            //   7412                 | je                  0x14
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   0fb6d0               | movzx               edx, al
            //   85d2                 | test                edx, edx
            //   7502                 | jne                 4

    condition:
        7 of them and filesize < 100352
}
[TLP:WHITE] win_industroyer2_w0   (20220905 | Industroyer2 malware targeting power grid components.)
// Created by Nozomi Networks Labs

rule win_industroyer2_w0 {
    meta:
        author = "Nozomi Networks Labs"
        name = "Industroyer2"
        description = "Industroyer2 malware targeting power grid components."
        actor = "Sandworm"
        source="https://www.nozominetworks.com/downloads/US/Nozomi-Networks-WP-Industroyer2.pdf"
        hash = "D69665F56DDEF7AD4E71971F06432E59F1510A7194386E5F0E8926AEA7B88E00"

        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer2"
        malpedia_rule_date = "20220905"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220905"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "%02d:%lS" wide ascii
        $s2 = "PService_PPD.exe" wide ascii
        $s3 = "D:\\OIK\\DevCounter" wide ascii
        $s4 = "MSTR ->> SLV" fullword wide ascii
        $s5 = "MSTR <<- SLV" fullword wide ascii
        $s6 = "Current operation : %s"
        $s7 = "Switch value: %s"
        $s8 = "Unknown APDU format !!!"
        $s9 = "Length:%u bytes |"
        $s10 = "Sent=x%X | Received=x%X"
        $s11 = "ASDU:%u | OA:%u | IOA:%u |"
        $s12 = "Cause: %s (x%X) | Telegram type: %s (x%X)"

    condition:
        5 of them
}
Download all Yara Rules