RawDisk
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1561.001 | Disk Wipe: Disk Content Wipe | RawDisk has been used to directly access the hard disk to help overwrite arbitrarily sized portions of disk content.(Citation: Novetta Blockbuster Destructive Malware)
Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | RawDisk was used in Shamoon to help overwrite components of disk structure like the MBR and disk partitions.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)
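As an added example (not part of the original ATT&CK page, and not code from the RawDisk driver or from any of the cited malware), the following Python maps constructed raw-disk telemetry onto the two sub-techniques in the table above: a driver-load record whose signer matches an assumed EldoS signer string, and raw writes to `\\.\PhysicalDriveN` or `\\.\X:` device paths by processes outside an assumed allowlist, split by whether the write lands in the first 34 sectors (MBR at LBA 0, GPT header at LBA 1, GPT partition entries at LBA 2-33, so T1561.002) or anywhere else on the device (T1561.001). The field names, the signer string, the allowlist, the driver image name and the sample events are all assumptions made for illustration; adapt them to the schema your EDR or sensor actually emits.

```python
"""Added example: classify raw-disk telemetry into T1561.001 / T1561.002.

Not from the original page. Field names, signer string, allowlist and the
sample events below are constructed assumptions for illustration only.
"""
import re
from dataclasses import dataclass

SECTOR = 512
# The first 34 sectors hold the MBR (LBA 0) and, on GPT disks, the primary
# GPT header (LBA 1) plus the partition entry array (LBA 2-33). A write that
# lands here is a disk *structure* wipe rather than a content wipe.
STRUCTURE_REGION_END = 34 * SECTOR

# Assumed signer name for the EldoS RawDisk driver; check what your
# driver-load telemetry really records before relying on this string.
SUSPECT_DRIVER_SIGNERS = {"eldos corporation"}

# Assumed allowlist of administrative tools expected to write raw devices.
ALLOWED_RAW_WRITERS = {
    r"c:\windows\system32\diskpart.exe",
    r"c:\windows\system32\format.com",
}

# Matches Windows DOS-device paths such as \\.\PhysicalDrive0 or \\.\C:
RAW_DEVICE = re.compile(r"^\\\\\.\\(physicaldrive\d+|[a-z]:)$", re.IGNORECASE)


@dataclass
class Finding:
    technique: str  # ATT&CK ID the event maps to
    reason: str
    event: dict


def is_raw_device(path: str) -> bool:
    """True if the path addresses a whole disk or volume via the \\.\ namespace."""
    return bool(RAW_DEVICE.match(path))


def classify_event(event: dict):
    """Return a Finding for one telemetry record, or None if it looks benign."""
    kind = event.get("type")

    if kind == "driver_load":
        signer = event.get("signer", "").lower()
        if signer in SUSPECT_DRIVER_SIGNERS:
            return Finding("T1561", f"raw-disk driver loaded: {event['image']}", event)
        return None

    if kind == "raw_access":
        # Reads of raw devices are common (backup, AV, indexing); only writes
        # by processes outside the allowlist are interesting here.
        if event.get("access") != "write" or not is_raw_device(event["device"]):
            return None
        if event["process"].lower() in ALLOWED_RAW_WRITERS:
            return None
        offset = int(event["offset"])
        if offset < STRUCTURE_REGION_END:
            return Finding(
                "T1561.002",
                f"write at sector {offset // SECTOR} of {event['device']} "
                "(MBR/GPT region) by non-allowlisted process",
                event,
            )
        return Finding(
            "T1561.001",
            f"raw write of {event['length']} bytes at offset {offset} on "
            f"{event['device']} by non-allowlisted process",
            event,
        )
    return None


def analyze(events):
    """Run classify_event over a sequence of records, keeping only findings."""
    return [f for f in (classify_event(e) for e in events) if f is not None]


# Constructed sample telemetry (not real logs; paths and names are made up).
SAMPLE_EVENTS = [
    {"type": "driver_load", "image": r"C:\Windows\System32\drivers\rawdsk.sys",
     "signer": "EldoS Corporation"},
    {"type": "raw_access", "process": r"C:\Users\Public\wiper.exe",
     "device": r"\\.\PhysicalDrive0", "access": "write", "offset": 0, "length": 512},
    {"type": "raw_access", "process": r"C:\Users\Public\wiper.exe",
     "device": r"\\.\C:", "access": "write", "offset": 50 * 1024 * 1024,
     "length": 1024 * 1024},
    {"type": "raw_access", "process": r"C:\Windows\System32\diskpart.exe",
     "device": r"\\.\PhysicalDrive0", "access": "write", "offset": 0, "length": 512},
    {"type": "raw_access", "process": r"C:\Windows\System32\svchost.exe",
     "device": r"\\.\PhysicalDrive0", "access": "read", "offset": 0, "length": 512},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding.technique, "-", finding.reason)
```

Two caveats when adapting this. Sysmon's RawAccessRead (Event ID 9) only records reads through the `\\.\` namespace, so write-level telemetry like the `raw_access` records above has to come from an EDR or a filesystem minifilter, not from Sysmon alone. And a legitimately signed third-party driver such as RawDisk will pass signature checks, so the useful signal is the combination of an unexpected driver load and subsequent raw writes by a process that has no business touching disk structures, not the signature status by itself.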
Groups That Use This Software

ID | Name | References
---|---|---
G0032 | Lazarus Group | (Citation: Novetta Blockbuster Destructive Malware) (Citation: Novetta Blockbuster)
 |  | (Citation: CISA Iran Albanian Attacks September 2022) (Citation: Microsoft Albanian Government Attacks September 2022)
References
- Edwards, M. (2007, March 14). EldoS Provides Raw Disk Access for Vista and XP. Retrieved March 26, 2019.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
- CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
- MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.