S1134 DEADWOOD
DEADWOOD is wiper malware written in C++ using Boost libraries. DEADWOOD was first observed in an unattributed wiping event in Saudi Arabia in 2019, and has since been incorporated into Agrius operations.[1]
| Item | Value |
|---|---|
| ID | S1134 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 22 May 2024 |
| Last Modified | 26 August 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1531 | Account Access Removal | DEADWOOD changes the password for local and domain users via net.exe to a random 32-character string to prevent these accounts from logging on. Additionally, DEADWOOD terminates the winlogon.exe process to prevent attempts to log on to the infected system.[1] |
| enterprise | T1485 | Data Destruction | DEADWOOD overwrites files on victim systems with random data to effectively destroy them.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | DEADWOOD XORs some strings within the binary using the value 0xD5 and deobfuscates these items at runtime.[1] |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.001 | Disk Content Wipe | DEADWOOD deletes files after overwriting them with random data.[1] |
| enterprise | T1561.002 | Disk Structure Wipe | DEADWOOD opens each drive and writes zeroes to its first 512 bytes, deleting the MBR. DEADWOOD then sends the control code IOCTL_DISK_DELETE_DRIVE_LAYOUT to ensure the MBR is removed from the drive.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | DEADWOOD attempts to masquerade its service execution using benign-looking names such as ScDeviceEnums.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.009 | Embedded Payloads | DEADWOOD contains an embedded, AES-encrypted payload labeled METADATA that provides configuration information for follow-on execution.[1] |
| enterprise | T1027.013 | Encrypted/Encoded File | DEADWOOD contains an embedded, AES-encrypted resource named METADATA that contains configuration information for follow-on execution.[1] |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | DEADWOOD can be executed as a service using various names, such as ScDeviceEnums.[1] |
| enterprise | T1124 | System Time Discovery | DEADWOOD sets a timestamp value to determine when wiping functionality starts. When the system reaches that timestamp, a trigger file is created on the operating system, allowing execution to proceed. If the timestamp is already in the past, the wiper executes immediately.[1] |
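The account-lockout behaviour listed under T1531 (net.exe password resets to a random 32-character string, then termination of winlogon.exe) is a good candidate for a correlation rule on endpoint telemetry. The Python below is an added example and is not code from the ATT&CK entry or from any DEADWOOD reporting. It assumes process-creation and process-termination events have already been normalised into dicts with `host`, `ts` (epoch seconds), `kind`, `image` and `cmdline` fields; the password-length, entropy and time-window thresholds are assumptions chosen to catch the reported 32-character pattern and nearby variants, and the sample events are constructed.

```python
"""Correlation rule for DEADWOOD-style account lockout (ATT&CK T1531).

Added example, not part of the ATT&CK entry. Event schema and all
thresholds below are assumptions, not values from the page.
"""
import math
import re
from collections import defaultdict

# Matches `net`, `net.exe`, `net1`, `net1.exe`, with or without a path.
NET_IMAGE_RE = re.compile(r"^(?:.*\\)?net1?(?:\.exe)?$", re.IGNORECASE)
MIN_PW_LEN = 20        # assumption: DEADWOOD reportedly uses 32 random characters
MIN_ENTROPY = 3.5      # assumption: bits per character of the new password
WINDOW_SECONDS = 600   # assumption: resets and winlogon exit within 10 minutes


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def parse_net_user_reset(cmdline: str):
    """Return (account, new_password) for `net user <acct> <pw> [...]`, else None.

    `net user <acct> /delete` or `net user <acct> /add` without a password
    are not resets and yield None.
    """
    argv = [t.strip('"') for t in cmdline.split()]
    if len(argv) < 4 or not NET_IMAGE_RE.match(argv[0]):
        return None
    if argv[1].lower() != "user":
        return None
    account, password = argv[2], argv[3]
    if password.startswith("/"):
        return None
    return account, password


def is_random_password(pw: str) -> bool:
    """Long and high-entropy: what a programmatic random reset looks like."""
    return len(pw) >= MIN_PW_LEN and shannon_entropy(pw) >= MIN_ENTROPY


def detect_t1531(events):
    """Return one alert per host that saw random-password resets via net.exe.

    Severity is raised to "high" when winlogon.exe also terminated on that
    host within WINDOW_SECONDS of a reset, matching the reported chain.
    """
    resets = defaultdict(list)          # host -> [(ts, account)]
    winlogon_exits = defaultdict(list)  # host -> [ts]
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["kind"] == "create":
            parsed = parse_net_user_reset(ev["cmdline"])
            if parsed and is_random_password(parsed[1]):
                resets[ev["host"]].append((ev["ts"], parsed[0]))
        elif ev["kind"] == "terminate" and image == "winlogon.exe":
            winlogon_exits[ev["host"]].append(ev["ts"])

    alerts = []
    for host, rs in resets.items():
        near_exit = any(abs(t - k) <= WINDOW_SECONDS
                        for t, _ in rs for k in winlogon_exits.get(host, []))
        alerts.append({
            "host": host,
            "technique": "T1531",
            "severity": "high" if near_exit else "medium",
            "accounts": sorted({a for _, a in rs}),
            "winlogon_terminated": near_exit,
        })
    return alerts


# Constructed sample telemetry (not real data). WS01 shows the full chain,
# WS02 a benign helpdesk account creation, WS03 a single random reset.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 1000, "kind": "create", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user Administrator qX7vL2pZ9mK4wR8tN3bH6yJ5cF1gD0sA"},
    {"host": "WS01", "ts": 1002, "kind": "create", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user j.doe Hs4kP8nW2qL6rT9xV1mB5cZ0yF3gD7eK /domain"},
    {"host": "WS01", "ts": 1030, "kind": "terminate",
     "image": r"C:\Windows\System32\winlogon.exe", "cmdline": ""},
    {"host": "WS02", "ts": 2000, "kind": "create", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user helpdesk Summer2024! /add"},
    {"host": "WS03", "ts": 3000, "kind": "create", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user svc_backup Kq2Lm9Xz4Vb7Nr1Tp6Wy3Hc8Jf5Gd0Sa"},
]

if __name__ == "__main__":
    for alert in detect_t1531(SAMPLE_EVENTS):
        print(alert)
```

The entropy gate is what keeps routine administration quiet: a helpdesk reset to a short, human-chosen password never reaches the length threshold, while a 32-character string drawn from a large alphabet scores close to five bits per character. Feeding the rule real process-termination events for winlogon.exe (rather than guessing how the process was stopped) keeps it independent of the exact kill method, which the reporting does not specify.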
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0064 | APT33 | DEADWOOD was previously linked to APT33 operations in 2019.[2] |
| G1030 | Agrius | DEADWOOD has been used by Agrius in wiping operations.[1] |