On February 23, 2022, prior to Russia’s offensive invasion of Ukraine, a new surge of digital threats hit Ukraine just a short period after an avalanche of cyber-attacks involving data-wiping WhisperGate and HermeticWiper malware strains targeted at Ukrainian entities. Microsoft Security Intelligence Center discovered a series of attacks leveraging a novel FoxBlade malware targeting multiple industries, including finance, agriculture, emergency response services, the energy sector, and a wide range of enterprises — aimed to fully destabilize the country’s civilian and IT infrastructure. Cyber efforts were aimed to steal a wide range of sensitive data and government data sets. 

FoxBlade Malware Detection and Mitigation

To detect the suspicious activity associated with the FoxBlade malware, you can download a couple of Sigma rules created by our Threat Bounty developer, Osman Demir. Both rules are available in the SOC Prime’s Detection as Code platform. New and current users can access the detection content by signing up for the platform or using their existing account:

FoxBlade Malware Targeting Ukraine (via process_creation)

This detection has translations for the following SIEM, EDR, and XDR platforms: Microsoft Sentinel, Chronicle Security, Elastic Stack, Splunk, Sumo Logic, ArcSight, QRadar, Humio, SentinelOne, Microsoft Defender for Endpoint, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Securonix.

New FoxBlade malware used to target Ukraine (via registry_event)

This Sigma-based detection has translations for the following SIEM, EDR, and XDR platforms: Microsoft Sentinel, Chronicle Security, Elastic Stack, Splunk, Sumo Logic, ArcSight, QRadar, Humio, Microsoft Defender for Endpoint, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, AWS OpenSearch.

Both rules are aligned with the latest MITRE ATT&CK® framework v.10, addressing the Impair Defenses (T1562) and Defense Evasion (TA0005) techniques, including the Disable or Modify Tools (T1562.001) sub-technique.

You can also use free Microsoft software to proactively defend against FoxBlade attacks and minimizing risks in your infrastructure:

• Windows Defender or Microsoft Security Essentials for Windows 7 and Windows Vista
• Microsoft Safety Scanner

Security performers are also recommended to run a full scan to detect the malicious behavioral patterns related to the FoxBlade malware and other hidden threats as well.

SOC Prime users can obtain free access to the entire detection stack for identifying Russia-linked cyber threats. Just sign up or log into your current SOC Prime account, select Quick Hunt, and drill down to search for related threats in your environment:

The full list of threat hunting content for Russian-backed cyber-attacks

FoxBlade Analysis

First details about the FoxBlade trojan attacks were shared by Microsoft’s Threat Intelligence Center (MSTIC) on February 23, 2022. 

A malware dubbed FoxBlade is a lightweight trojan and a data wiper that targeted primarily civilian digital services in Ukraine. Its data destruction algorithm is aimed to steal credentials and personal data. The attackers primarily exploited a known vulnerability in Microsoft SQL Server (CVE-2021-1636) so all the machines with unpatched versions of the latter could be compromised.

Also, according to Microsoft, FoxBlade exposes the victim’s device to DDoS attacks without the owner’s knowledge. While initial access methods were diverse, researchers point out that at least once, the wiper was dropped via Default Domain Policy, which means that it likely had access to the Active Directory server of the infected computer. 

Some further analysis goes as follows:

• The malware uses a Tomcat exploit that executes a PowerShell command.
• The wiper loader is an .exe file signed by a certificate issued to Hermetica Digital Ltd.
• This file contains 32-bit and 64-bit driver files compressed by the Lempel-Ziv algorithm.
• The driver files are then signed by a certificate issued to a legitimate EaseUS Partition Master software. Driver file names are generated using the Process ID of the wiper.
• Lastly, the wiper reboots the victim’s device, damaging the Master Boot Record (MBR) and rendering it inoperable.

Join SOC Prime’s Detection as Code platform to enhance your threat detection capabilities with a power of a global community of cybersecurity experts. You can also enrich the collaborative expertise by contributing to SOC Prime’s crowdsourcing initiative. Write and submit your Sigma rules, get them published to a platform, and receive recurring rewards for your input.