NotPetya
Associated Software Descriptions |
|
Name | Description |
---|---|
ExPetr | (Citation: ESET Telebots June 2017) |
Diskcoder.C | (Citation: ESET Telebots June 2017) |
GoldenEye | (Citation: Talos Nyetya June 2017) |
Nyetya | (Citation: Talos Nyetya June 2017) |
Petrwrap | (Citation: Talos Nyetya June 2017)(Citation: ESET Telebots June 2017) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1070 | .001 | Indicator Removal: Clear Windows Event Logs |
NotPetya uses |
Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
NotPetya contains a modified version of Mimikatz to help gather credentials that are later used for lateral movement.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: NCSC Joint Report Public Tools) |
Enterprise | T1021 | .002 | Remote Services: SMB/Windows Admin Shares |
NotPetya can use PsExec, which interacts with the |
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
NotPetya creates a task to reboot the system one hour after infection.(Citation: Talos Nyetya June 2017) |
Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
NotPetya determines if specific antivirus programs are running on an infected host machine.(Citation: US District Court Indictment GRU Unit 74455 October 2020) |
Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
NotPetya uses |
Enterprise | T1569 | .002 | System Services: Service Execution |
NotPetya can use PsExec to help propagate itself across a network.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017) |
Enterprise | T1078 | .003 | Valid Accounts: Local Accounts |
NotPetya can use valid credentials with PsExec or |
Groups That Use This Software |
||
ID | Name | References |
---|---|---|
G0034 | Sandworm Team |
(Citation: Trend Micro Cyclops Blink March 2022) (Citation: NCSC Sandworm Feb 2020) (Citation: mandiant_apt44_unearthing_sandworm) (Citation: US District Court Indictment GRU Unit 74455 October 2020) (Citation: Secureworks IRON VIKING ) (Citation: UK NCSC Olympic Attacks October 2020) |
References
- Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.
- Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
- Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
- US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
- Russinovich, M. (2004, June 28). PsExec. Retrieved December 17, 2015.
- The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
- Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.
- NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.
- Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.
- Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.
- UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.