It's now well understood that NotPetya was designed to wreak havoc upon Ukrainian networks. It's an attack that Cylance customers have been protected from since 2015, but June's NotPetya outbreak spread outside of Ukraine and did damage in the hundreds of millions to billions of dollars to international companies. It was reported recently that international shipping giant Maersk alone took a huge financial hit.
“In the last week of the quarter we were hit by a cyber attack, which mainly impacted Maersk Line, APM Terminals and Damco. Business volumes were negatively affected for a couple of weeks in July and as a consequence, our Q3 results will be impacted. We expect that the cyber attack will impact results negatively by USD 200-300 million,” said Maersk CEO Soren Skou.
Cybersecurity experts suspect that the Russian military is using Ukraine as a testing ground for international cyber attacks. So when Ukrainian cybersecurity firms and institutions warn of impending cyber threats, the world should be listening.
The National Bank of Ukraine recently spotted signs of a looming malware threat with vague details in a letter sent to Reuters.
“The nature of this malicious code, its mass distribution, and the fact that at the time of its distribution it was not detected by any antivirus software, suggest that this attack is preparation for a mass cyber attack on the corporate networks of Ukrainian businesses,” the letter said.
The Bank isn't taking Russian cyber threats lying down. They're busy beefing up their cyber defenses.
“The NBU (National Bank of Ukraine) is involved in efforts to establish the NBU Computer Security Incident Response Team (CSIRT-NBU) to respond promptly to cyber incidents and share information in real time with all the banking sector participants and law enforcement agencies,” they said to Bank Info Security.
This attack features a striking similarity to NotPetya. NotPetya's transmission originated with MeDoc, a financial software developer that operates in the same industry and country as Crystal Finance Millennium. Plus, the malware recently discovered by Information Systems Security Partners targets Windows, just as NotPetya did.
Information Systems Security Partners (ISSP) shared no information about how ‘док.zip’ is distributed. One possible method of distribution is email attachments. It's incredibly important to train your employees to avoid opening email attachments from new email addresses; I cannot stress that enough. ISSP does believe that Crystal Finance Millennium is an innocent victim; the attacker must have exploited vulnerabilities on their website to upload the ‘load.exe’ malware to their web server.
ISSP's sample analysis explains how ‘load.exe’ behaves:
Upon execution, ‘load.exe’ migrates into a new ‘explorer.exe’ process started in suspended mode. The new process copies the file to ‘C:\Users\%user_name%\AppData\Roaming\Microsoft\fbufwrbe\siaeesws.exe’. Then an autorun entry is created at this registry location: ‘HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jack1024’.
That autorun entry points to the newly created file at ‘C:\Users\%user_name%\AppData\Roaming\Microsoft\fbufwrbe\siaeesws.exe’. A configuration block is then found in the memory of the ‘explorer.exe’ process that ‘load.exe’ tampered with, and it contains a link to a command and control (C&C) server online.
Figures 1 and 2 below detail their findings:
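One way to check a Windows host for the persistence mechanism described above, as an added example that is not part of the ISSP analysis or of any Cylance product: the PowerShell script below audits the Policies\Explorer\Run key named in the report, and goes beyond the report by also covering the standard Run keys and the HKLM equivalents. It flags any entry whose value name matches the reported ‘jack1024’, whose target matches the reported ‘fbufwrbe\siaeesws.exe’ path, that runs from the user's Roaming AppData folder, whose target file is missing from disk, or whose target carries no valid Authenticode signature. The extra keys, the signature and AppData heuristics, and the Get-AutorunTarget helper are my own assumptions, not anything the report states.

```powershell
# Added detection example (not from the ISSP report or Cylance). Audits autorun
# registry locations and flags entries resembling the persistence described above.
# 'jack1024' and 'fbufwrbe\siaeesws.exe' come from the report; the remaining
# heuristics are assumptions made for this example.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',   # location named in the report
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$roaming      = [Environment]::GetFolderPath('ApplicationData')   # ...\AppData\Roaming
$knownBadName = 'jack1024'
$knownBadPath = 'fbufwrbe\siaeesws.exe'

function Get-AutorunTarget {
    # Assumed helper: expand %APPDATA%-style variables, then strip arguments by
    # taking a quoted path if present, otherwise the first whitespace-separated token.
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $entry = Get-ItemProperty -Path $key
    foreach ($prop in $entry.PSObject.Properties) {
        # Skip the registry provider's metadata properties.
        if ($prop.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }

        $target  = Get-AutorunTarget -CommandLine ([string]$prop.Value)
        $reasons = @()
        if ($prop.Name -eq $knownBadName)           { $reasons += 'value name matches report' }
        if ($target -like "*$knownBadPath")         { $reasons += 'target path matches report' }
        if ($target -like "$roaming\*")             { $reasons += 'runs from Roaming AppData' }
        if (-not (Test-Path -LiteralPath $target))  { $reasons += 'target missing on disk' }
        elseif ((Get-AuthenticodeSignature -FilePath $target).Status -ne 'Valid') {
            $reasons += 'no valid Authenticode signature'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Target  = $target
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Direct file-system check for the dropped binary named in the report.
$droppedFile = Join-Path $roaming 'Microsoft\fbufwrbe\siaeesws.exe'
if (Test-Path -LiteralPath $droppedFile) {
    $findings += [pscustomobject]@{ Key = '(file system)'; Name = ''; Target = $droppedFile; Reasons = 'dropped file from report present' }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No suspicious autorun entries found.' }
```

Run it from an elevated prompt so the HKLM keys are readable, and note that the HKCU keys are only those of the account running the script; to cover other users, repeat it under each account or walk the loaded hives under HKU. The Policies\Explorer\Run key is rarely populated on workstations outside of group policy, so any entry found there deserves a second look even if none of the heuristics fire. The suspended ‘explorer.exe’ behaviour the report describes is not covered by this check and would need process-level telemetry.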
As these new malware attacks which target Ukraine inevitably spread worldwide, the international cybersecurity community should be grateful for the hard work of Ukrainian cybersecurity professionals at firms like ISSP and the NBU.