| Pinky | |
| --- | --- |
| Type of Malware | Partition Wiper |
| Date of initial activity | 2023 |
| Country of Origin | Iran |
| Targeted Countries | Albania |
| Motivation | Disruption and destruction of targeted systems by obliterating the disk partition table |
| Attack Vectors | Typical for this class of wiper: phishing emails, malicious downloads, or exploitation of vulnerabilities in software and network protocols |
| Targeted System | Windows systems; other operating systems only if a variant is built for them |
| Associated Groups | Void Manticore |
Overview
Pinky is a wiper used by the Void Manticore threat actor. Unlike ransomware, which encrypts files and demands payment for their return, Pinky exists only to destroy: its signature effect is to obliterate the disk's partition table, after which the operating system can no longer locate its volumes and the data on them is unreachable by normal means. Whether that data is truly lost depends on what else is overwritten; a partition table alone can sometimes be rebuilt from the filesystem headers that remain on disk, so affected disks should be imaged before any recovery attempt.
Upon infection, Pinky runs a series of destructive operations against the host. It employs code obfuscation and anti-analysis measures to delay detection by security software and forensic tools. Beyond the partition table, it is reported to overwrite critical files, alter system configuration, and tamper with essential data structures, leaving the information unreadable or inaccessible.
Pinky is also notable for the breadth of its damage within a network. It can propagate to connected systems, compromising multiple machines and spreading the same destructive payload, so the disruption to the victim is not limited to the first host infected.
Targets
Albanian critical infrastructure, government entities, and large corporations
How they operate
Pinky reaches the target through the usual vectors for this class of malware: phishing emails, malicious attachments, or exploitation of software vulnerabilities. Once running, it deploys a payload whose central function is to destroy the partition table, which denies the operating system any map of where its volumes begin and end. Its other reported destructive functions are overwriting important files, altering system configuration, and tampering with data integrity. Together these make recovery without offline backups slow or impossible, which is what makes the wiper effective at crippling an organization's operations.
After the initial infection Pinky can spread to other connected systems, so the damage is not confined to a single machine and containment becomes harder. Every host the wiper reached must be treated as lost until its disk structures have been verified, and the broader network environment, not one endpoint, is the scope of remediation.
Pinky also interferes with security mechanisms. It may disable antivirus software, delete system logs, or alter registry settings, both to evade detection and to hinder recovery and reconstruction of the incident. Responders should therefore expect gaps in host-local evidence on affected machines and lean on centrally collected telemetry (EDR, forwarded event logs) rather than on logs left on the host.
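Because the wiper's signature effect is a destroyed partition table, the first forensic question on a suspect host is whether the disk's MBR and GPT structures are still intact. The following Python script is an added example, not code from the original page or from the Void Manticore toolset: it parses the first two sectors of a disk image, validates the MBR boot signature and partition entries and the GPT header CRC32, and classifies the disk as INTACT, DAMAGED or WIPED. The sample images it checks are constructed inline and are not real disks; to run it against a real acquisition, pass the first 1024 bytes of the image (or of \\.\PhysicalDrive0 on a live Windows host, read as Administrator) to triage().

```python
"""Partition-table triage for the first sectors of a disk image.

Added example (not code from the original page or from the Void Manticore
toolset). Checks whether the MBR and GPT header are intact, damaged or wiped.
All sample images below are constructed inline for illustration.
"""
import struct
import zlib

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"       # bytes 510-511 of sector 0
GPT_SIGNATURE = b"EFI PART"       # first 8 bytes of the GPT header (LBA 1)
GPT_PROTECTIVE_TYPE = 0xEE        # MBR partition type that marks a GPT disk


def parse_mbr(sector0: bytes) -> dict:
    """Parse the four 16-byte partition entries at 0x1BE and the 0x55AA signature."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    entries = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector0, 0x1BE + 16 * i)
        if ptype != 0:
            entries.append({"index": i, "type": ptype, "bootable": status == 0x80,
                            "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sector0[510:512] == MBR_SIGNATURE,
            "entries": entries, "all_zero": not any(sector0)}


def parse_gpt_header(sector1: bytes) -> dict:
    """Validate the GPT header signature and its CRC32 (computed with the CRC field zeroed)."""
    if sector1[:8] != GPT_SIGNATURE:
        return {"signature_ok": False, "crc_ok": False, "all_zero": not any(sector1)}
    header_size, stored_crc = struct.unpack_from("<II", sector1, 12)
    hdr = bytearray(sector1[:header_size])
    hdr[16:20] = b"\x00" * 4
    crc_ok = (zlib.crc32(bytes(hdr)) & 0xFFFFFFFF) == stored_crc
    num_entries, entry_size = struct.unpack_from("<II", sector1, 80)
    return {"signature_ok": True, "crc_ok": crc_ok, "all_zero": False,
            "num_entries": num_entries, "entry_size": entry_size}


def triage(image: bytes) -> tuple:
    """Classify the first two sectors of a disk image as INTACT, DAMAGED or WIPED."""
    mbr = parse_mbr(image[:SECTOR])
    gpt = parse_gpt_header(image[SECTOR:2 * SECTOR])
    if mbr["all_zero"] and gpt["all_zero"]:
        return ("WIPED", "first sectors are all zero")
    if not mbr["signature_ok"]:
        return ("WIPED", "MBR boot signature missing")
    if not mbr["entries"]:
        return ("WIPED", "MBR signature present but partition table is empty")
    if any(e["type"] == GPT_PROTECTIVE_TYPE for e in mbr["entries"]):
        if not gpt["signature_ok"]:
            return ("WIPED", "protective MBR present but GPT header missing")
        if not gpt["crc_ok"]:
            return ("DAMAGED", "GPT header CRC mismatch")
        return ("INTACT", "GPT disk, %d entry slots" % gpt["num_entries"])
    return ("INTACT", "MBR disk, %d partitions" % len(mbr["entries"]))


# --- constructed samples (not real disks) ---------------------------------

def build_gpt_image() -> bytes:
    """Protective MBR in sector 0 plus a minimal but CRC-valid GPT header in sector 1."""
    s0 = bytearray(SECTOR)
    struct.pack_into("<B3xB3xII", s0, 0x1BE, 0x00, GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)
    s0[510:512] = MBR_SIGNATURE
    hdr = bytearray(92)
    hdr[0:8] = GPT_SIGNATURE
    struct.pack_into("<II", hdr, 8, 0x00010000, 92)          # revision 1.0, header size
    struct.pack_into("<QQQQ", hdr, 24, 1, 2047, 34, 2014)    # current, backup, first/last usable LBA
    hdr[56:72] = bytes(range(16))                            # disk GUID (arbitrary)
    struct.pack_into("<QII", hdr, 72, 2, 128, 128)           # entries LBA, count, entry size
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)) & 0xFFFFFFFF)
    return bytes(s0) + bytes(hdr) + bytes(SECTOR - len(hdr))


def build_entries_zeroed_image() -> bytes:
    """0x55AA left in place but all four MBR entries and the GPT sector zeroed."""
    s0 = bytearray(SECTOR)
    s0[510:512] = MBR_SIGNATURE
    return bytes(s0) + bytes(SECTOR)


if __name__ == "__main__":
    damaged = bytearray(build_gpt_image())
    damaged[SECTOR + 40] ^= 0xFF          # flip a byte inside the GPT header
    for name, img in [("constructed GPT disk", build_gpt_image()),
                      ("header byte flipped", bytes(damaged)),
                      ("entries zeroed", build_entries_zeroed_image()),
                      ("sectors zeroed", bytes(2 * SECTOR))]:
        print("%-22s %s: %s" % (name, *triage(img)))
```

The "entries zeroed" case matters in practice: a disk whose 0x55AA signature survives but whose four partition entries are blank looks superficially like a valid MBR to a naive check, yet it is just as unbootable as a zeroed sector. A WIPED or DAMAGED result on a host in the infection's blast radius should trigger imaging of the full disk before any repair, since the filesystem headers that a partition-rebuild tool needs may still be present further in.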
MITRE tactics and techniques
Initial Access (TA0001):
Phishing (T1566): Phishing emails with malicious attachments or links deliver the wiper payload.
Drive-by Compromise (T1189): Victims visit compromised websites that automatically download the wiper.
Execution (TA0002):
User Execution: Malicious File (T1204.002): The wiper runs when the victim is tricked into opening a malicious file or attachment.
Persistence (TA0003):
Boot or Logon Autostart Execution (T1547) and Pre-OS Boot: Bootkit (T1542.003): Autostart entries keep the payload running across reboots; where the MBR is modified, that modification executes at boot before the operating system loads, which ATT&CK catalogues under T1542.003 rather than T1547.
Privilege Escalation (TA0004):
Exploitation for Privilege Escalation (T1068): The wiper may exploit vulnerabilities to gain the elevated privileges that raw disk access requires.
Defense Evasion (TA0005):
Obfuscated Files or Information (T1027): Crypters and packers are used to evade detection by security software.
Modify Registry (T1112): Registry entries are changed to disable security tools or alter system behavior.
Indicator Removal (T1070): Logs and other artifacts are deleted to remove traces of the attack.
Credential Access (TA0006):
OS Credential Dumping (T1003): Stored credentials are accessed to further the attack.
Discovery (TA0007):
System Information Discovery (T1082): Information about the system is gathered to tailor the attack.
File and Directory Discovery (T1083): Important files and directories are identified as targets.
Lateral Movement (TA0008):
Lateral Tool Transfer (T1570): The wiper is copied to other systems on the network. (Ingress Tool Transfer, T1105, covers files fetched from attacker infrastructure rather than copied between victim hosts.)
Collection (TA0009):
Data from Local System (T1005): Files and data are collected from the compromised system.
Exfiltration (TA0010):
Exfiltration Over C2 Channel (T1041): Collected data is sent to command-and-control servers.
Impact (TA0040):
Disk Wipe: Disk Structure Wipe (T1561.002): The partition table and related boot structures are destroyed so that the system cannot boot and its volumes cannot be located. Nothing is encrypted and no ransom is demanded, so Data Encrypted for Impact (T1486) does not apply.
Data Destruction (T1485): Critical files are overwritten, leaving the information unreadable.
Inhibit System Recovery (T1490): System recovery features are disabled or deleted to prevent the victim from easily restoring the system.
Significant Malware Campaigns
- February 2024: At least 40 computers at Albania's Institute of Statistics (INSTAT) were infected with the wiper, whose aim was to delete the institute's data; the deletion succeeded on at least six of them.