Growing dependence on computers has made them a target for cyber-attacks and other malicious activity. A recent incident in the Middle East, in which multiple organizations fell victim to targeted and destructive attacks (the Depriz malware attack) that wiped data from computers, is a glaring example.
Depriz Malware Attacks
Most computer-related problems arrive uninvited and cause extensive, deliberate damage. This can be minimized or averted if appropriate security tools are in place. Fortunately, the Windows Defender and Windows Defender Advanced Threat Protection Threat Intelligence teams provide round-the-clock protection, detection, and response to these threats.
Microsoft observed that the Depriz infection chain is set into motion by an executable file written to a hard disk. This executable carries the malware components, encoded as fake bitmap files. Once it is run, these components begin to spread across the enterprise network.
When decoded, the fake bitmap images turned out to be the following Trojan components:
- PKCS12 – a destructive disk wiper component
- PKCS7 – a communication module
- X509 – 64-bit variant of the Trojan/implant
Depriz malware then overwrites data in the Windows Registry configuration database, and in system directories, with an image file. It also attempts to disable UAC remote restrictions by setting the LocalAccountTokenFilterPolicy registry key value to “1”.
Once this is done, the malware connects to the target computer and copies itself as %System%\ntssrvr32.exe or %System%\ntssrvr64.exe, then sets up either a remote service called “ntssv” or a scheduled task.
Next, Depriz installs the wiper component as %System%\<random name>.exe, though it may use other names that imitate the file names of legitimate system tools. The wiper component carries encoded files in its resources as fake bitmap images.
The first encoded resource is a legitimate driver, RawDisk from Eldos Corporation, which gives a user-mode component raw disk access. The driver is saved to the computer as %System%\drivers\drdisk.sys and installed by creating a service pointing to it with “sc create” and “sc start”. The malware also attempts to overwrite user data in folders such as Desktop, Downloads, Pictures, and Documents.
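To show the chain above from a defender's side, here is an added example (not Microsoft's code or anything from the original post) that checks a host's event records for the stages the article names and only raises a strong verdict when several of them line up; the event-record shape, the sample events and the standard registry location of LocalAccountTokenFilterPolicy are assumptions.

```python
"""Stage-aware indicator check for the Depriz chain described above.

Input: constructed host events (registry value sets, file writes, service
installs), loosely shaped after Sysmon fields.  Each stage is matched on its
own and the hits are reported together, so a lone LocalAccountTokenFilterPolicy
change (which admins also make) is "suspicious" rather than a compromise.
"""
import re

# Indicators named in the article.  The registry path is the usual home of
# LocalAccountTokenFilterPolicy; it is an assumption, not taken from the page.
STAGES = {
    "uac_remote_restrictions_disabled": ("registry", re.compile(
        r"\\Policies\\System\\LocalAccountTokenFilterPolicy$", re.I), "1"),
    "implant_dropped": ("file", re.compile(
        r"\\System32\\ntssrvr(32|64)\.exe$", re.I), None),
    "persistence_service": ("service", re.compile(r"^ntssv$", re.I), None),
    "rawdisk_driver_installed": ("file", re.compile(
        r"\\System32\\drivers\\drdisk\.sys$", re.I), None),
}

def match_stage(event):
    """Return the stage name an event satisfies, or None."""
    for name, (kind, pattern, value) in STAGES.items():
        if event["type"] != kind or not pattern.search(event["target"]):
            continue
        if value is not None and str(event.get("value")) != value:
            continue  # right key, but not the value the malware writes
        return name
    return None

def assess(events):
    """Return (stages_hit, verdict) for one host's event list."""
    hits = {s for s in map(match_stage, events) if s}
    if "rawdisk_driver_installed" in hits or len(hits) >= 2:
        verdict = "likely-depriz"  # wiper driver, or two chain stages
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return hits, verdict

# Constructed sample events; paths and values are illustrative, not captured.
SAMPLE_EVENTS = [
    {"type": "registry", "value": 1, "target":
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy"},
    {"type": "file", "target": r"C:\Windows\System32\ntssrvr32.exe"},
    {"type": "service", "target": "ntssv"},
    {"type": "file", "target": r"C:\Windows\System32\drivers\drdisk.sys"},
    {"type": "file", "target": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```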
Finally, when you try to restart the computer after it shuts down, it refuses to load and cannot find the operating system, because the MBR was overwritten; the machine can no longer boot properly. Fortunately, Windows 10 users are protected, since the OS features built-in proactive security components, such as Device Guard, that mitigate this threat by restricting execution to trusted applications and kernel drivers.
In addition, Windows Defender detects and remediates all components on endpoints as Trojan:Win32/Depriz.A!dha, Trojan:Win32/Depriz.B!dha, Trojan:Win32/Depriz.C!dha, and Trojan:Win32/Depriz.D!dha.
Even if an attack has occurred, Windows Defender Advanced Threat Protection (ATP) can handle it, since it is a post-breach security service designed to protect, detect and respond to such threats in Windows 10, says Microsoft.
The whole Depriz incident came to light when computers at unnamed oil companies in Saudi Arabia were rendered unusable after a malware attack. Microsoft dubbed the malware “Depriz” and the attackers “Terbium”, following the company’s internal practice of naming threat actors after chemical elements.