Russian Wipers Dropper (educational-purposes )
Wolfpack
in WW2 ,The idea is to attack the target on convoys , the malware contain some shellcodes that created by pro-russian threat actors
- after running this malware the recovery will be impossible
UKR
if the comparation evaluate to TRUE then it will Set the process as critical using undocumented API RtlSetProcessIsCritical and jump to stage 2RtlSetProcessIsCritical makes the process critical, any attempt to terminate it will BSOD the system (Blue Screen of Death) , although it can be bypassed easily using NtSetInformationProcess by injecting a DLL into it , i made PoC of it check it out from here BypassRtlSetProcessIsCritical
before doing any malicious activity ive used a technique to hide control flow using Exception Handlers , We register an exception handler (structured or vectored) which raises another exception which is passed to the next handler which raises the next exception, and so on. Finally, the sequence of handlers should lead to the procedure that we wanted to hide.
graph TD;
L1-->L2;
L2-->L3;
L3-->ENTRY;
C/C++ Code
void LABEL1()
{
__try
{
__asm int 3;
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
LABEL2();
}
}
void LABEL3()
{
__try
{
__asm int 3;
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
MaliciousEntry();
}
}
void LABEL2()
{
__try
{
__asm int 3;
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
LABEL3();
}
}
OpenProcess API
Opens an existing local process object and return an open handle to the specified process.****
Parameters
[in] dwDesiredAccess
The access to the process object. This access right is checked against the security descriptor for the process. This parameter can be one or more of the process access rights.
If the caller has enabled the SeDebugPrivilege privilege, the requested access is granted regardless of the contents of the security descriptor.
[in] bInheritHandle
If this value is TRUE, processes created by this process will inherit the handle. Otherwise, the processes do not inherit this handle.
[in] dwProcessId
The identifier of the local process to be opened.
If the specified process is the System Idle Process (0x00000000), the function fails and the last error code is ERROR_INVALID_PARAMETER
. If the specified process is the System process or one of the Client Server Run-Time Subsystem (CSRSS) processes, this function fails and the last error code is ERROR_ACCESS_DENIED
because their access restrictions prevent user-level code from opening them.
If you are using GetCurrentProcessId as an argument to this function, consider using GetCurrentProcess instead of OpenProcess, for improved performance.
VirtualAllocEx API
Reserves a region of memory within the virtual address space of a specified process, The function initializes the memory it allocates to zero and return the base address of the allocated memory .
WriteProcessMemory API
Writes data to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.****
CreateRemoteThread API
Creates a thread that runs in the virtual address space of another process and return a handle to the new thread.
CRITICAL_PROCESS_DIED
cause the process already set to critical .the combination of fragmentation and wiping and encrypting of required structures and files
would be enough to make recovery almost impossible
.
Message shown after rebooting the system