S1135 MultiLayer Wiper
MultiLayer Wiper is wiper malware written in .NET associated with Agrius operations. Observed samples of MultiLayer Wiper have an anomalous, future compilation date suggesting possible metadata manipulation. [1]
| Item | Value |
|---|---|
| ID | S1135 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 22 May 2024 |
| Last Modified | 29 August 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | MultiLayer Wiper uses a batch script launched via a scheduled task to delete Windows Event Logs. [1] |
| enterprise | T1485 | Data Destruction | MultiLayer Wiper deletes files on network drives, but corrupts locally stored files by overwriting them with random data. [1] |
| enterprise | T1565 | Data Manipulation | - |
| enterprise | T1565.001 | Stored Data Manipulation | MultiLayer Wiper changes the original path information of deleted files to make recovery efforts more difficult. [1] |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.002 | Disk Structure Wipe | MultiLayer Wiper opens a handle to `\\.\PhysicalDrive0` and wipes the first 512 bytes of data at this location, removing the boot sector. [1] |
| enterprise | T1083 | File and Directory Discovery | MultiLayer Wiper generates a list of all files and paths on the fixed drives of an infected system, enumerating every file except those under folders defined in a hardcoded exclusion list. [1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | MultiLayer Wiper removes the Volume Shadow Copy (VSS) service from infected devices along with all present shadow copies. [1] |
| enterprise | T1070 | Indicator Removal | MultiLayer Wiper uses a batch script to clear file system cache memory via the ProcessIdleTasks export in advapi32.dll as an anti-analysis and anti-forensics technique. [1] |
| enterprise | T1070.001 | Clear Windows Event Logs | MultiLayer Wiper removes Windows Event Logs during execution. [1] |
| enterprise | T1070.004 | File Deletion | MultiLayer Wiper uses a batch file, remover.bat, to delete malware artifacts and the batch file itself during execution. [1] |
| enterprise | T1070.006 | Timestomp | MultiLayer Wiper changes the timestamps of overwritten files to either 1601.1.1 on NTFS filesystems or 1980.1.1 on all other filesystems. [1] |
| enterprise | T1490 | Inhibit System Recovery | MultiLayer Wiper wipes the boot sector of infected systems to inhibit system recovery. [1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.009 | Embedded Payloads | MultiLayer Wiper contains two binaries in its resources section, MultiList and MultiWip. MultiLayer Wiper drops and executes each of these when run, then deletes them after execution. [1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | MultiLayer Wiper creates a malicious scheduled task that launches a batch file to remove Windows Event Logs. [1] |
| enterprise | T1529 | System Shutdown/Reboot | MultiLayer Wiper reboots the infected system after wiping and related tasks to prevent system recovery. [1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1030 | Agrius | MultiLayer Wiper is associated with wiping operations linked to Agrius. [1] |