| Cl | |
|---|---|
| Type of Malware | Wiper |
| Date of initial activity | 2022 |
| Country of Origin | Iran |
| Associated Groups | Void Manticore |
| Targeted Countries | Albania |
| Motivation | To cause significant disruption and destruction to targeted systems by deleting their files |
| Attack Vectors | Cl Wiper can be deployed through various methods, such as phishing emails, malicious websites, or exploiting vulnerabilities in software |
| Targeted System | Windows |
Overview
The CL wiper is a destructive malware tool used by the Void Manticore threat actor, known for its capability to irreversibly erase data on infected systems. This wiper specifically targets the Master Boot Record (MBR) and other critical system components, rendering the affected machines completely inoperable. By overwriting crucial boot data and system files, the CL wiper ensures that the operating system cannot be loaded, effectively causing a denial of service. The use of such a tool by Void Manticore highlights their intent to not only disrupt operations but also to inflict maximum damage on targeted organizations, making data recovery extremely difficult and costly.
Targets
Albanian critical infrastructure, government entities, and large corporations
How they operate
The CL ransomware, employed by the Void Manticore threat actor, represents a sophisticated and destructive form of cyber extortion. This ransomware operates by first gaining access to the targeted system through various initial access methods such as phishing emails, malicious attachments, or exploiting vulnerabilities in software or operating systems. Once inside the system, the ransomware executes its payload, typically using obfuscation techniques to evade detection by security software. The malicious code then begins its primary task: encrypting the Master Boot Record (MBR) and other crucial system files to prevent the system from booting properly.
Once the ransomware has successfully encrypted the MBR, it effectively hijacks the boot process. When the infected computer is restarted, the ransomware’s code intercepts the normal boot procedure, replacing it with its malicious payload. Instead of loading the operating system, the system displays a ransom note created by the ransomware, demanding payment from the victim in exchange for a decryption key. This ransom note often includes specific instructions on how to pay the ransom, usually in cryptocurrency, to maintain the attackers’ anonymity. The note may also contain threats, warning that failure to pay will result in the permanent loss of data.
In addition to encrypting the MBR, CL ransomware may also target other critical files and directories, further crippling the victim’s system. The ransomware typically employs strong encryption algorithms, making it virtually impossible to decrypt the files without the unique key held by the attackers. This multi-layered attack strategy not only disrupts the victim’s ability to access their system but also increases the pressure to pay the ransom, as restoring the system without the decryption key becomes a formidable challenge.
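Because both the overview and the paragraphs above describe the same end state, a Master Boot Record that has been overwritten so the system no longer boots, the most useful forensic check a responder can make on a recovered disk is to compare sector 0 against what a healthy MBR looks like. The script below is an added example written for this page, not code from the original write-up or from any vendor analysis of Void Manticore. It parses the 512-byte MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), flags the typical signs of a wipe (missing signature, zeroed or altered boot code, empty partition table), and optionally compares the boot code hash against a known-good baseline taken from an unaffected machine. The sample MBR it builds and the image path it reads from are constructed for the demonstration.

```python
import hashlib
import struct
from typing import List, Optional

SECTOR_SIZE = 512
BOOTSTRAP_SIZE = 446          # bytes 0..445 hold the boot code
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511 of every valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # entry layout: boot flag, CHS start, type, CHS end, LBA start, sector count
        boot_flag, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        partitions.append({"bootable": boot_flag == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap": sector[:BOOTSTRAP_SIZE],
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def assess_mbr(sector: bytes, baseline_sha256: Optional[str] = None) -> List[str]:
    """Return finding tags describing how this MBR deviates from a healthy one.

    An empty list means nothing suspicious was seen. baseline_sha256 is the
    SHA-256 of the bootstrap code taken from a known-good machine of the same build.
    """
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("NO_BOOT_SIGNATURE")       # signature gone: sector overwritten
    if info["bootstrap"] == b"\x00" * BOOTSTRAP_SIZE:
        findings.append("BOOTSTRAP_ZEROED")        # classic zero-fill wipe
    elif baseline_sha256 and info["bootstrap_sha256"] != baseline_sha256:
        findings.append("BOOTSTRAP_CHANGED")       # code replaced, e.g. by a bootlock stub
    if all(p["type"] == 0 for p in info["partitions"]):
        findings.append("EMPTY_PARTITION_TABLE")   # no volumes left to boot from
    return findings


def read_mbr(path: str) -> bytes:
    """Read sector 0 from a disk image (or, with sufficient privileges, a raw device)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: a few plausible boot-code bytes, one NTFS partition, signature."""
    code = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOTSTRAP_SIZE - 5)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    healthy = build_sample_mbr()
    baseline = parse_mbr(healthy)["bootstrap_sha256"]
    print("healthy :", assess_mbr(healthy, baseline))
    print("zeroed  :", assess_mbr(b"\x00" * SECTOR_SIZE, baseline))
    print("junk    :", assess_mbr(bytes(range(256)) * 2, baseline))
    # On a real case: assess_mbr(read_mbr("/evidence/ws-17.dd"), baseline)  (path is hypothetical)
```

In practice the baseline hash is collected once per OS build from a machine outside the incident and stored with the other golden-image data; a bootstrap that differs from it is worth a closer look even when the signature and partition table are intact, since a boot-locking stub keeps both.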
Preventing and mitigating the impact of CL ransomware requires a comprehensive cybersecurity strategy. Organizations must implement robust email filtering and web security solutions to block phishing attempts and malicious downloads. Keeping software and operating systems up to date with the latest security patches is essential to close vulnerabilities that ransomware can exploit. Additionally, regular backups of critical data are crucial; these backups should be stored offline or in a secure, isolated environment to prevent them from being encrypted by the ransomware.
In the event of a CL ransomware infection, it is generally advised not to pay the ransom, as this does not guarantee data recovery and further encourages the cybercriminals. Instead, affected organizations should seek the assistance of cybersecurity specialists. These experts can help identify the specific ransomware variant, remove the malicious code, recover the MBR, and restore system functionality where possible. They can also perform a forensic analysis to determine how the ransomware infiltrated the system and provide recommendations to prevent future attacks.
MITRE tactics and techniques
Initial Access (TA0001):
Phishing (T1566): Attackers use phishing emails with malicious attachments or links to deliver the ransomware payload.
Drive-by Compromise (T1189): Victims unknowingly visit compromised websites that automatically download ransomware.
Execution (TA0002):
Malicious File Execution (T1204): The ransomware executes upon opening a malicious file or attachment.
User Execution (T1204.002): Execution of malware by tricking the user into running the malicious file.
Persistence (TA0003):
Boot or Logon Autostart Execution (T1547): The ransomware ensures persistence by modifying the MBR, which is executed during the boot process.
Privilege Escalation (TA0004):
Exploitation for Privilege Escalation (T1068): The ransomware may exploit vulnerabilities to gain higher privileges.
Defense Evasion (TA0005):
Obfuscated Files or Information (T1027): Using crypters and packers to evade detection by security software.
Modify Registry (T1112): Changing registry entries to disable security tools or alter system behavior.
Indicator Removal on Host (T1070): Deleting logs and other artifacts to remove traces of the attack.
Credential Access (TA0006):
Credential Dumping (T1003): Accessing stored credentials to further the attack.
Discovery (TA0007):
System Information Discovery (T1082): Gathering information about the system to tailor the attack.
File and Directory Discovery (T1083): Identifying important files and directories to target.
Lateral Movement (TA0008):
Remote File Copy (T1105): Copying malicious files to other systems on the network.
Collection (TA0009):
Data from Local System (T1005): Collecting files and data from the compromised system.
Exfiltration (TA0010):
Exfiltration Over C2 Channel (T1041): Sending collected data to Command and Control servers.
Impact (TA0040):
Data Encrypted for Impact (T1486): Encrypting files and the MBR to render the system unusable until a ransom is paid.
Inhibit System Recovery (T1490): Disabling or deleting system recovery features to prevent the victim from easily restoring the system.
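Of the techniques listed, Inhibit System Recovery (T1490) is the one that most directly decides whether a victim can restore without paying or rebuilding, and it is also among the easiest to detect from process-creation telemetry. The script below is an added example for this page, not a detection shipped by any vendor or taken from the original analysis: it runs a small set of T1490 command-line patterns (shadow-copy deletion, disabling Windows recovery, backup-catalog deletion) over process-creation records and then looks for hosts where several distinct recovery-inhibiting commands fire close together, which is the pattern a destructive payload produces. The log lines are constructed in a simplified key=value form rather than real Sysmon or Windows 4688 output; the field names ts, host, user, image and cmd are an assumption of this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Command-line patterns mapped to MITRE T1490 (Inhibit System Recovery).
# Matching on the full command line, not the image name, also catches launches via cmd.exe.
RECOVERY_INHIBIT_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_recovery_disabled", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_failures", re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
]


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str


_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value process-creation record; quoted values may contain spaces."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in _FIELD.finditer(line)}


def scan_process_events(lines: Iterable[str]) -> List[Alert]:
    """Emit one Alert per record whose command line matches a T1490 rule."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmd", "")
        for name, pattern in RECOVERY_INHIBIT_RULES:
            if pattern.search(cmd):
                alerts.append(Alert(ev.get("ts", "?"), ev.get("host", "?"),
                                    ev.get("user", "?"), name, cmd))
                break  # one alert per record is enough
    return alerts


def hosts_with_multiple_rules(alerts: List[Alert], min_rules: int = 2) -> List[str]:
    """Hosts on which at least min_rules distinct T1490 rules fired: a burst like this
    is far more likely to be a destructive payload than an administrator's cleanup."""
    seen: Dict[str, set] = defaultdict(set)
    for a in alerts:
        seen[a.host].add(a.rule)
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)


# Constructed sample records (hostnames, users and times are made up for this example).
SAMPLE_EVENTS = [
    'ts=2022-07-15T02:11:04Z host=WS-ALB-17 user=CORP\\jdoe image="C:\\Windows\\System32\\cmd.exe" cmd="cmd.exe /c vssadmin delete shadows /all /quiet"',
    'ts=2022-07-15T02:11:05Z host=WS-ALB-17 user=CORP\\jdoe image="C:\\Windows\\System32\\bcdedit.exe" cmd="bcdedit /set {default} recoveryenabled no"',
    'ts=2022-07-15T02:11:05Z host=WS-ALB-17 user=CORP\\jdoe image="C:\\Windows\\System32\\bcdedit.exe" cmd="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    'ts=2022-07-15T02:11:06Z host=WS-ALB-17 user=CORP\\jdoe image="C:\\Windows\\System32\\wbem\\WMIC.exe" cmd="wmic shadowcopy delete"',
    'ts=2022-07-15T02:11:07Z host=WS-ALB-17 user=CORP\\jdoe image="C:\\Windows\\System32\\wbadmin.exe" cmd="wbadmin delete catalog -quiet"',
    # Benign administrative activity that must not alert:
    'ts=2022-07-15T09:30:00Z host=WS-ALB-03 user=CORP\\backupsvc image="C:\\Windows\\System32\\vssadmin.exe" cmd="vssadmin list shadows"',
    'ts=2022-07-15T09:31:00Z host=WS-ALB-03 user=CORP\\backupsvc image="C:\\Windows\\System32\\wbadmin.exe" cmd="wbadmin get versions"',
]


if __name__ == "__main__":
    found = scan_process_events(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.user} [{a.rule}] {a.command_line}")
    print("hosts with clustered T1490 activity:", hosts_with_multiple_rules(found))
```

The single-rule alerts are worth raising on their own, but the `hosts_with_multiple_rules` view is what an analyst should page on: a backup operator may legitimately delete a catalog, whereas shadow-copy deletion, recovery disablement and catalog deletion within a few seconds on one workstation is the pre-destruction sequence the Impact rows above describe. Tuning consists of allow-listing the accounts and images that own backup maintenance, not of loosening the patterns.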