Industroyer2: Industroyer reloaded | WeLiveSecurity

April 17, 2022

This ICS-capable malware targets a Ukrainian energy company

This is a developing story and the blogpost will be updated as new information becomes available.

Executive summary

The blogpost presents the analysis of a cyberattack against a Ukrainian energy provider.

Key points:

  • ESET researchers collaborated with CERT-UA to analyze the attack against the Ukrainian energy company
  • The destructive actions were scheduled for 2022-04-08 but artifacts suggest that the attack had been planned for at least two weeks
  • The attack used ICS-capable malware and regular disk wipers for Windows, Linux and Solaris operating systems
  • We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine
  • We assess with high confidence that the APT group Sandworm is responsible for this new attack

Industroyer2: Industroyer reloaded

ESET researchers responded to a cyber-incident affecting an energy provider in Ukraine. We worked closely with CERT-UA in order to remediate and protect this critical infrastructure network.

The collaboration resulted in the discovery of a new variant of Industroyer malware, which we together with CERT-UA named Industroyer2 (see the CERT-UA publication). Industroyer is an infamous piece of malware that was used in 2016 by the Sandworm APT group to cut power in Ukraine.

In this case, the Sandworm attackers made an attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine.

In addition to Industroyer2, Sandworm used several destructive malware families including CaddyWiper, ORCSHRED, SOLOSHRED and AWFULSHRED. We first discovered CaddyWiper on 2022-03-14 when it was used against a Ukrainian bank (see our Twitter thread about CaddyWiper). A variant of CaddyWiper was used again on 2022-04-08 14:58 against the Ukrainian energy provider previously mentioned.

At this point, we don't know how attackers compromised the initial victim nor how they moved from the IT network to the Industrial Control System (ICS) network. Figure 1 shows an overview of the different malware used in this attack.

Figure 1. Overview of the malware deployed in the attack

Figure 2 summarizes the chain of events.

  • 2022-02-24: Beginning of the current Russian invasion in Ukraine
  • 2022-03-14: Deployment of CaddyWiper against a Ukrainian bank
  • 2022-04-01: Deployment of CaddyWiper against a Ukrainian governmental entity
  • 2022-04-08 14:58 UTC: Deployment of CaddyWiper on some Windows machines and of Linux and Solaris destructive malware at the energy provider
  • 2022-04-08 15:02:22 UTC: Sandworm operator creates the scheduled task to launch Industroyer2
  • 2022-04-08 16:10 UTC: Scheduled execution of Industroyer2 to cut power in a Ukrainian region
  • 2022-04-08 16:20 UTC: Scheduled execution of CaddyWiper on the same machine to erase Industroyer2 traces

Figure 2. Timeline of events

In 2017, ESET researchers revealed that a piece of malware that we named Industroyer was responsible for the power blackout that impacted Ukraine's capital Kiev in December 2016.

As detailed in our white paper Win32/Industroyer: A new threat for industrial control systems, it is capable of interacting with industrial control systems typically found in electric power systems. This includes IEC-101, IEC-104, IEC 61850 and OPC DA devices.

At that time, we said that "it seems very unlikely anyone could write and test such malware without access to the specialized equipment used in the specific, targeted industrial environment". This was confirmed in 2020 by the United States government when six officers of the Russian Military Unit 74455 of the Main Intelligence Directorate (GRU) were indicted for their role in multiple cyberattacks including Industroyer and NotPetya (see the indictment on justice.gov and our historical overview of Sandworm's operations).

The recently discovered malware is a new variant of Industroyer, hence the name Industroyer2.


Industroyer2 was deployed as a single Windows executable named 108_100.exe and executed using a scheduled task on 2022-04-08 at 16:10:00 UTC. It was compiled on 2022-03-23, according to the PE timestamp, suggesting that attackers had planned their attack for more than two weeks.

Figure 3. Timestamp and compiler information

Industroyer2 only implements the IEC-104 (aka IEC 60870-5-104) protocol to communicate with industrial equipment. This includes protection relays, used in electrical substations. This is a slight change from the 2016 Industroyer variant that is a fully-modular platform with payloads for multiple ICS protocols.

Industroyer2 shares a number of code similarities with the payload 104.dll of Industroyer. We assess with high confidence that the new variant was built using the same source code.

Industroyer2 is highly configurable. It contains a detailed configuration hardcoded in its body, driving the malware actions. This is different from Industroyer, which stores its configuration in a separate INI file. Thus, attackers need to recompile Industroyer2 for each new victim or environment. However, given that the Industroyer* malware family has only been deployed twice, with a five year gap between each version, this is probably not a limitation for Sandworm operators.

The new configuration format is stored as a string which is then supplied to the IEC-104 communication routine of the malware. Industroyer2 is able to communicate with multiple devices at once. Specifically, the analyzed sample contains 8 different IP addresses of devices (see Figure 4).

The configuration contains values that are used during communication via the IEC-104 protocol, such as ASDU (Application Service Data Unit) address, Information Object Addresses (IOA), timeouts, etc.
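For network monitoring, the ASDU address and IOA fields named above can be read directly out of IEC-104 traffic. The following is an added example, not code from ESET or from the malware: a minimal decoder for I-format APDUs that reports control-direction commands arriving from a host outside an allowlist. The sample frames, IP addresses and the allowlist are constructed, and only three command types are decoded.

```python
import struct

# Control-direction type IDs decoded here (IEC 60870-5-101/104 numbering).
CONTROL_TYPES = {45: "C_SC_NA_1 single command",
                 46: "C_DC_NA_1 double command",
                 100: "C_IC_NA_1 interrogation"}

def parse_iec104(frame: bytes):
    """Decode one APDU; None for S/U-format frames or malformed input."""
    if len(frame) < 6 or frame[0] != 0x68 or frame[1] != len(frame) - 2:
        return None
    if frame[2] & 0x01:            # bit 0 set: S- or U-format, no ASDU inside
        return None
    asdu = frame[6:]
    if len(asdu) < 6:
        return None
    type_id, vsq, cot = asdu[0], asdu[1], asdu[2] & 0x3F
    asdu_addr = struct.unpack_from("<H", asdu, 4)[0]
    ioas = []
    if type_id in CONTROL_TYPES and not vsq & 0x80:
        pos = 6
        for _ in range(vsq & 0x7F):
            if pos + 4 > len(asdu):   # 3-byte IOA + 1-byte command qualifier
                return None
            ioas.append(int.from_bytes(asdu[pos:pos + 3], "little"))
            pos += 4
    return {"type_id": type_id, "cot": cot, "asdu_addr": asdu_addr, "ioas": ioas}

def review(src_ip, frame, allowed_masters):
    """Alert text when a host outside the allowlist sends a control command."""
    apdu = parse_iec104(frame)
    if apdu is None or apdu["type_id"] not in CONTROL_TYPES:
        return None
    if src_ip in allowed_masters:
        return None
    return (f"{src_ip}: {CONTROL_TYPES[apdu['type_id']]} "
            f"ASDU={apdu['asdu_addr']} IOA={apdu['ioas']} COT={apdu['cot']}")

# Constructed sample frames (not taken from the incident).
DOUBLE_CMD = bytes.fromhex("680e00000000" "2e0106000300" "e9030001")
STARTDT_ACT = bytes.fromhex("680407000000")
ALLOWED = {"192.0.2.10"}          # hypothetical SCADA master allowlist

if __name__ == "__main__":
    for src, frame in [("192.0.2.77", DOUBLE_CMD), ("192.0.2.10", DOUBLE_CMD),
                       ("192.0.2.77", STARTDT_ACT)]:
        print(review(src, frame, ALLOWED))
```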

Before connecting to the targeted devices, the malware terminates a legitimate process that is used in standard daily operations. In addition to that, it renames this application by adding .MZ to the filename. It does so in order to prevent automatic re-start of this legitimate process.

The analysis is still ongoing in order to determine what the exact actions taken for each device are. We believe that this component is able to control specific ICS systems in order to cut power.

Industroyer2 can produce a log file or output its progress to the console window. However, instead of meaningful text messages as in the previous version, the malware writes various error codes (see Figure 5). We believe it is an obfuscation attempt by Sandworm developers to hinder analysis.

Figure 5. Output produced by Industroyer2 malware (IP addresses redacted by ESET)


In coordination with the deployment of Industroyer2 in the ICS network, the attackers deployed a new version of the CaddyWiper destructive malware. We believe it was intended to slow down the recovery process and prevent operators of the energy company from regaining control of the ICS consoles. It was also deployed on the machine where Industroyer2 was executed, likely to cover their tracks.

The first version of CaddyWiper was discovered by ESET researchers in Ukraine on 2022-03-14 when it was deployed in the network of a bank. It was deployed via Group Policy Object (GPO), indicating the attackers had prior control of the target's network beforehand. The wiper erases user data and partition information from attached drives, making the system inoperable and unrecoverable.

New CaddyWiper loading chain

In the network of the energy provider, attackers deployed a new version of CaddyWiper that uses a new loader, named ARGUEPATCH by CERT-UA. ARGUEPATCH is a patched version of a legitimate component of Hex-Rays IDA Pro software, specifically the remote IDA debugger server win32_remote.exe. IDA Pro is not intended to be used in an ICS environment, as its main purpose is software reverse-engineering, including malware analysis. We don't know why attackers chose to trojanize this piece of software; it might be a troll towards defenders.

ARGUEPATCH was executed by a scheduled task that was intended to be launched once on 2022-04-08 14:58 UTC on one machine and at 16:20 UTC on the machine where Industroyer2 was deployed.

The patched binary loads encrypted shellcode from a file and decrypts it with a key; both are provided on the command line. A single-byte XOR key is derived from the input key and used to decrypt the shellcode.

The decrypted shellcode is a slightly modified version of CaddyWiper. A comparison of their main routines is provided in Figure 6 and Figure 7. Note that they do not wipe the domain controller, and they wipe C:\Users and disks from D: to [:. The wiping routine is also almost identical: it fills all files with 0.

Figure 6. Main routine of the first sample of CaddyWiper.

Figure 7. Main routine of the CaddyWiper sample deployed at the energy provider

Finally, CaddyWiper calls DeviceIoControl with IOCTL_DISK_SET_DRIVE_LAYOUT_EX and a zeroed InputBuffer for all disks from PHYSICALDRIVE9 to PHYSICALDRIVE0. This erases extended information of the drive's partitions: the Master boot record (MBR) or the GUID Partition Table (GPT). This renders the machine unbootable.

Active Directory enumeration

Alongside CaddyWiper, a PowerShell script was found both in the energy provider network and in the bank that was compromised earlier.

This script enumerates Group Policies Objects (GPO) using the Active Directory Service Interface (ADSI). The script, shown in Figure 8, is almost identical to a snippet provided in a Medium blogpost.

We believe that attackers deployed CaddyWiper via a GPO and used the script to check the existence of this GPO.

Figure 8. PowerShell script to enumerate GPO (beautified)

Linux and Solaris destructive malware (ORCSHRED, SOLOSHRED, AWFULSHRED)

Additional destructive malware for systems running Linux and Solaris was also found on the network of the targeted energy company. There are two main components to this attack: a worm and a wiper. The latter was found in two variants, one for each of the targeted operating systems. All malware was implemented in Bash.

The worm

The first component launched by the attacker was a worm, having its file named sc.sh. This Bash script starts by adding a scheduled task (cron job) to launch the wiper component at 2:58 pm UTC (assuming the system is in the local time zone, UTC+3), unless it was launched with the "owner" argument. This is likely a way to avoid the initial system used to launch the worm auto-destructing.

Figure 9. Setting up the cron job to launch the wiper at 5:58 pm. The correct wiper is chosen depending on the installed operating system.

The script then iterates over the networks accessible by the system by looking at the result of ip route or ifconfig -a. It always assumes a class C network (/24) is reachable for each IP address it collects. It will try to connect to all hosts in those networks using SSH to TCP port 22, 2468, 24687 and 522. Once it finds a reachable SSH server, it tries credentials from a list provided with the malicious script. We believe the attacker had credentials prior to the attack to enable the spread of the wiper.

If the system is not already compromised, malware is copied to the new target, and the worm is launched. The worm is not launched with the owner argument, so the wiper is scheduled to launch at 2:58 pm UTC and destroy all data. If those systems were set to the local time zone, the destruction must have started at the same time as the system compromised with CaddyWiper.
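The spreading behaviour described above leaves a recognizable pattern in flow logs: one source contacting many hosts of a single /24 on ports 22, 2468, 24687 and 522 in a short time. The following is an added detection example, not ESET's code; the flow record layout, the 60-second window, the 20-host threshold and the sample records are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

WORM_PORTS = {22, 2468, 24687, 522}      # SSH ports tried by the worm (from the text)

def find_sweeps(flows, window=60, min_hosts=20):
    """flows: (epoch_seconds, src_ip, dst_ip, dst_port) tuples.
    Returns {(src, dst /24): most distinct hosts contacted within `window` s}."""
    per_key = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in WORM_PORTS:
            net = ipaddress.ip_network(f"{dst}/24", strict=False)
            per_key[(src, str(net))].append((ts, dst))
    alerts = {}
    for key, events in per_key.items():
        events.sort()
        start, best = 0, 0
        in_window = defaultdict(int)      # dst -> connections inside the window
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[start][0] > window:   # slide the window forward
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_hosts:
            alerts[key] = best
    return alerts

def sample_flows():
    """Constructed records: one sweeping host and one ordinary admin host."""
    flows = [(1000 + i, "192.0.2.15", f"192.0.2.{i}", port)
             for i in range(1, 41) for port in sorted(WORM_PORTS)]
    flows += [(1000 + 1200 * i, "192.0.2.200", f"192.0.2.{i}", 22)
              for i in (5, 6, 7)]
    return flows

if __name__ == "__main__":
    print(find_sweeps(sample_flows()))
```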

The Linux wiper

The Linux variant of the wiper is lightly obfuscated: variables and function names have been replaced with meaningless 8-letter words. Most literal values were also replaced with variables at the beginning of the file.

Figure 10. Excerpt from the obfuscated script (whitespace optimized).

Figure 11. Deobfuscation of the above obtained by renaming functions and variables and using literals

Ultimately, the Linux wiper destroys the whole content of the disks attached to the system by using shred if available or simply dd (with if=/dev/random) otherwise. If multiple disks are attached, data removal is done in parallel to speed up the process.

Depending on the size, it may take hours for the full disk to be completely erased. To render the system inoperable faster, it first tries to stop and disable HTTP and SSH services. Both services are disabled by using systemctl disable. To ensure the service isn't reenabled, the systemd unit file responsible for loading the service is deleted from the disk.

Files from /boot, /home and /var/log are also removed before destroying the full drives. This makes the system inoperable faster, deletes user data and perhaps removes incriminating logs.

The malicious script's last action is to forcibly initiate a reboot using SysRq. Since all drives are filled with random data, no operating system will boot.

The Solaris wiper

Unlike the Linux wiper, the Solaris variant is not obfuscated.

Like the Linux variant, the malicious script iterates over all services to stop and disable them if they contain the keyword ssh, http, apache and additionally ora_ or oracle. Those services are very likely used by applications used to control ICS systems. Wiping them would prevent the energy company's operators from retaking control of the substations and rolling back Industroyer2 actions.

It uses either systemctl or svcadm depending on what's available. The latter is most likely since Solaris is not running systemd.

File destruction begins by deleting databases. It removes, using shred then rm, all files and directories contained in environment variables starting with ORA. Note that shred makes sure data recovery (without a backup) isn't possible.

Like the Linux variant, files in /boot, /home and /var/log are deleted with priority.

Then the script iterates over disks connected to the system, found in /dev/dsk/. It ignores slices (partitions) and works only on full disks. For each of them, the malicious script overwrites the full content using shred. To minimize the time required to perform the wipe, all disks are erased in parallel.

Lastly, the script self-destructs.
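The Linux and Solaris wipers described above share a sequence of stages (service shutdown, unit file removal, priority deletion of /boot, /home and /var/log, raw disk overwrite, SysRq reboot) that can be correlated per host in process execution logs. The following is an added detection example, not ESET's code; the "host command line" log format, the regular expressions, the three-stage threshold and the sample lines are constructed for illustration, and /proc/sysrq-trigger is assumed as the way a SysRq reboot would show up in such a log.

```python
import re
from collections import defaultdict

# One pattern per stage described in the text; a single stage alone is common
# in normal administration, several stages on one host are not.
STAGES = {
    "service_disable": re.compile(
        r"\b(systemctl\s+(stop|disable)|svcadm\s+disable)\b.*(ssh|http|apache|ora_|oracle)", re.I),
    "unit_file_removed": re.compile(r"\brm\b.*\.service\b"),
    "bulk_delete": re.compile(r"\brm\b\s+-\w*r\w*\s.*(/boot|/home|/var/log)\b"),
    "raw_disk_overwrite": re.compile(
        r"\bshred\b.*\s/dev/|\bdd\b.*if=/dev/u?random.*of=/dev/"),
    "sysrq_reboot": re.compile(r"/proc/sysrq-trigger"),
}

def score_hosts(lines, min_stages=3):
    """lines: '<host> <command line>' strings. Returns {host: sorted stages}
    for hosts where at least `min_stages` distinct stages were observed."""
    hits = defaultdict(set)
    for line in lines:
        host, _, cmd = line.partition(" ")
        for stage, pattern in STAGES.items():
            if pattern.search(cmd):
                hits[host].add(stage)
    return {h: sorted(s) for h, s in hits.items() if len(s) >= min_stages}

# Constructed log lines (hypothetical host names and commands).
SAMPLE_LOG = [
    "hmi-01 systemctl disable ssh.service",
    "hmi-01 rm -f /etc/systemd/system/ssh.service",
    "hmi-01 rm -rf /boot /home /var/log",
    "hmi-01 shred -n 1 -z /dev/sda",
    "db-02 svcadm disable oracle-listener",
    "db-02 rm -rf /var/log",
    "db-02 shred /dev/dsk/c0t0d0",
    "web-03 systemctl disable apache2",       # ordinary maintenance
    "web-03 rm -rf /home/olduser/cache",      # two stages only, below threshold
]

if __name__ == "__main__":
    for host, stages in score_hosts(SAMPLE_LOG).items():
        print(host, stages)
```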

Conclusion

Ukraine is once again at the center of cyberattacks targeting their critical infrastructure. This new Industroyer campaign follows multiple waves of wipers that have been targeting various sectors in Ukraine. ESET researchers will continue to monitor the threat landscape in order to better protect organizations from these types of destructive attacks.

And a big thanks to @_CERT_UA who worked with us on this case and provided samples. You can read their advisory on this campaign here.

For any inquiries about our research published on WeLiveSecurity, please contact us at [email protected]

ESET Research now also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

Indicators of Compromise

SHA-1 | Filename | ESET detection name | Description
FD9C17C35A68FC505235E20C6E50C622AED8DEA0 | 108_100.exe | Win32/Industroyer.B | Industroyer2
6FA04992C0624C7AA3CA80DA6A30E6DE91226A16 | zrada.exe | Win32/Agent.AECG | ArguePatch
9CE1491CE69809F92AE1FE8D4C0783BD1D11FBE7 | pa.pay | N/A | TailJump (Encrypted CaddyWiper)
0090CB4DE31D2D3BCA55FD4A36859921B5FC5DAE | link.ps1 | PowerShell/HackTool.Agent.AH | Script which enumerates GPO
D27D0B9BB57B2BAB881E0EFB97C740B7E81405DF | sc.sh | Linux/Agent.PC trojan | OrcShred (Linux worm)
3CDBC19BC4F12D8D00B81380F7A2504D08074C15 | wobf.sh | Linux/KillFiles.C trojan | AwfulShred (Linux wiper)
8FC7646FA14667D07E3110FE754F61A78CFDE6BC | wsol.sh | Linux/KillFiles.B trojan | SoloShred (Solaris wiper)
