KillDisk
KillDisk is destructive malware used to wipe Windows systems and render them inoperable: it erases selected files and corrupts or overwrites the master boot record (MBR), leaving the operating system unbootable. The sources summarized here also state that it targets files with 35 different file extensions, can damage files, and has been observed overwriting the first sector of the MBR with 0x00.

Multiple sources place KillDisk as a destructive component or plugin within the BlackEnergy 3 malware ecosystem; CERT-UA and ESET report that BlackEnergy downloaded and maintained KillDisk during attacks in Ukraine. It was deployed in the December 2015 attacks on Ukrainian electric power companies, where the attackers used it at the conclusion of the intrusion to wipe systems and hinder restoration after remote operations against SCADA environments. Reporting also links it to attacks on Ukraine’s Ministry of Finance and State Treasury Service during 2015–2016.

The malware is consistently attributed to the Russian GRU-linked Sandworm group, also referred to in some reporting as Seashell Blizzard, TeleBots, BlackEnergy, Voodoo Bear, APT44, KAMACITE, and ELECTRUM. An updated version of KillDisk was used by TeleBots against high-value financial targets in Ukraine in December 2016, and Linux variants linked to attacks on Ukrainian core infrastructure were later used against Ukrainian financial targets. Additional reporting cited in the sources says KillDisk variants hit financial institutions in Latin America and Central America. One source states that KillDisk has a ransomware component that encrypts files with an AES key that is itself RSA-1028 encrypted.

High-confidence behaviors directly mentioned in the sources include destruction of files, corruption of the MBR, rendering systems unbootable, and use in disruptive operations against Ukrainian critical infrastructure and financial targets.
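The MBR behaviour described above (first sector overwritten with 0x00, system left unbootable) is something an incident responder can check for directly on a raw disk image. The following triage script is an added example written for this page, not code from the original page, from Mallory, or from any of the cited reports. It reads the first 512-byte sector of an image, classifies it as zeroed, missing its 0x55AA boot signature, or intact, and parses the four partition-table entries of an intact sector so the responder can see what the wiper would have destroyed. The sample image built by `build_sample_mbr()` is constructed for the demonstration; the partition layout in it (an NTFS-type 0x07 entry starting at LBA 2048) is an assumption, not a value from the page.

```python
"""Forensic triage of a disk image's first sector (MBR).

Added example for a page on the KillDisk wiper. It checks for the
all-0x00 first sector the page describes, for a missing boot signature,
and otherwise parses the partition table. All sample data is constructed.
"""
import hashlib
import struct
import sys
from dataclasses import dataclass, field
from typing import List

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446           # four 16-byte entries follow the boot code


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


@dataclass
class MbrVerdict:
    # "ok", "zeroed", "bad_signature" or "short_read"
    status: str
    sha256: str = ""
    partitions: List[PartitionEntry] = field(default_factory=list)


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Decode the four classic MBR partition entries (empty type 0x00 skipped)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4), little-endian
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue
        entries.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return entries


def triage_mbr(image: bytes) -> MbrVerdict:
    """Classify the first sector of a raw image and parse it when it looks intact."""
    sector = image[:SECTOR_SIZE]
    if len(sector) < SECTOR_SIZE:
        return MbrVerdict("short_read")
    digest = hashlib.sha256(sector).hexdigest()   # useful for comparing against a baseline
    if sector == b"\x00" * SECTOR_SIZE:
        # Matches the wipe pattern the page describes: first sector overwritten with 0x00.
        return MbrVerdict("zeroed", digest)
    if sector[510:512] != BOOT_SIGNATURE:
        # Not zeroed, but no longer a valid MBR: partial overwrite or other corruption.
        return MbrVerdict("bad_signature", digest)
    return MbrVerdict("ok", digest, parse_partition_table(sector))


def build_sample_mbr() -> bytes:
    """Constructed, healthy-looking MBR used as the demo input (hypothetical layout)."""
    boot_code = bytes([0xEB, 0x63, 0x90]) + b"\x00" * (PARTITION_TABLE_OFFSET - 3)
    # One bootable NTFS-type (0x07) partition at LBA 2048 spanning 1,000,000 sectors.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 1_000_000)
    table = entry + b"\x00" * 48                  # remaining three entries empty
    return boot_code + table + BOOT_SIGNATURE


def describe(verdict: MbrVerdict) -> str:
    lines = [f"status={verdict.status} sha256={verdict.sha256[:16]}..."]
    for p in verdict.partitions:
        lines.append(f"  type=0x{p.type_id:02x} bootable={p.bootable} "
                     f"lba_start={p.lba_start} sectors={p.sector_count}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: pass a raw image or device path; only the first sector is read.
        with open(sys.argv[1], "rb") as fh:
            print(describe(triage_mbr(fh.read(SECTOR_SIZE))))
    else:
        print("constructed healthy image:\n" + describe(triage_mbr(build_sample_mbr())))
        print("zeroed first sector:\n" + describe(triage_mbr(b"\x00" * SECTOR_SIZE)))
```

Storing the `sha256` of the first sector of known-good hosts gives a simple baseline: a later triage pass that reports `zeroed` or a changed digest on a machine that will not boot is consistent with the MBR corruption the page attributes to this family, and the parsed partition table from the baseline tells the responder which volumes to recover.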
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
These GRU hackers and their co-conspirators engaged in computer intrusions and attacks... including: KillDisk and Industroyer, which each caused blackouts in Ukraine... Ukrainian Government & Critical Infrastructure: December 2015 through December 2016 destructive malware attacks against Ukraine’s electric power grid, Ministry of Finance, and State Treasury Service, using malware known as BlackEnergy, Industroyer, and KillDisk.
The final payload is a RAT module, with TCP communications and its commands indexed by 32-bit integers, cf. KillDisk in Central America.
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The defendants and their co-conspirators deployed destructive malware and took other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victim computers (hacking).
"Distributed through phishing campaigns targeting both Windows and Linux"; "The malware is contained in phishing emails which appear to be from job applicants"
Execution
2 techniques
Astaroth uses the LoadLibraryExW() function to load additional modules. Attor's dispatcher can execute additional plugins by loading the respective DLLs. ... LightSpy's main executable and module .dylib binaries are loaded using ... dlopen() ... dlsym() ... RotaJakiro uses ... .so files ... using dlopen() and dlsym().
...uses the LoadLibraryExW() function to load additional modules... execute additional plugins by loading the respective DLLs... loaded and executed DLLs in memory during runtime... loads a dynamic library (.dylib file) using dlopen() and obtains a function pointer... using dlopen() and dlsym()... calls LoadLibrary then executes exports from a DLL.
Persistence
2 techniques
The following analytic detects suspicious registry modifications that disable the shutdown button on a user's logon screen... monitoring changes to registry paths associated with shutdown policies.
Stealth
6 techniques
The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.
APT41 used VMProtected binaries in multiple intrusions. BackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect. KillDisk uses VMProtect to make reverse engineering the malware more difficult. Turian can use VMProtect for obfuscation.
"created using Nullsoft Scriptable Install System (NSIS)... purposely named it 'MBR Killer.'"
“APT28 has cleared event logs, including by using the commands wevtutil cl System and wevtutil cl Security …” / “APT38 clears Window Event logs and Sysmon logs …” / “BlackCat can clear Windows event logs using wevtutil.exe …” / “NotPetya uses wevtutil to clear the Windows event logs …”
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
Defense Impairment
1 technique
Discovery
3 techniques
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
"admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: ver >> %temp%\download systeminfo >> %temp%\download"; "ADVSTORESHELL can run Systeminfo to gather information about the victim."; "Kimsuky has enumerated drives, OS type, OS version, and other information using a script or the 'systeminfo' command."
"...has a command to retrieve metadata for files on disk as well as a command to list the current working directory." / "...can list files and directories." / "...used the following commands... to obtain information about files and directories: dir c:\ >> %temp%\download ..."
Command and Control
1 technique
BlackEnergy is a modular backdoor that can be used for several purposes, like espionage and downloading of destructive components... BlackEnergy used its modular architecture that supports several plugins to download and keep running both a variant of Dropbear SSH backdoor and a new destructive plugin called KillDisk.
Impact
6 techniques
Overwrites all ICS configuration files across the hard drives and all mapped network drives, specifically targeting ABB PCM600 configuration files in this sample.
Ukrainian Government & Critical Infrastructure: December 2015 through December 2016 destructive malware attacks against Ukraine’s electric power grid, Ministry of Finance, and State Treasury Service, using malware known as BlackEnergy, Industroyer, and KillDisk
The attackers didn’t just open breakers. They deployed KillDisk malware to prevent system restoration.
"AcidPour includes functionality to reboot the victim system following wiping actions..."; "AcidRain reboots the target system once the various wiping processes are complete"; "Apostle reboots the victim machine following wiping"; "APT37 ... issue the command shutdown /r /t 1 to reboot a system after wiping its MBR"; "APT38 ... BOOTWRECK ... initiate a system reboot after wiping the victim's MBR"; "Black Basta ... used ShellExecuteA to shut down and restart"; "DarkGate ... used the shutdown command"; "HermeticWiper can initiate a system shutdown"; "NotPetya will reboot the system one hour after infection"; "Shamoon will reboot the infected system once the wiping functionality has been completed"; "WhisperGate can shutdown ... through ... ExitWindowsEx"
The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable.
using malware that altered industrial equipment (BlackEnergy in 2015 and Industroyer in 2016) or wiped hard drives (KillDisk).
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
43 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Destructive wiper family previously used in Sandworm-linked campaigns.
Data-wiping malware deployed in the 2015 Ukraine power grid incident, contributing to operational disruption and outages.
Destructive malware used to hinder recovery and prevent system restoration following disruptive operations against power infrastructure.
Ransomware referenced as using registry modifications to disable the shutdown button on the Windows logon screen, hindering system usability and complicating recovery/removal efforts.