INDUSTROYER.V2: Old Malware Learns New Tricks | Mandiant
Published April 25, 2022, midnight
Headline INDUSTROYER.V2: Old Malware Learns New Tricks
Title INDUSTROYER.V2: Old Malware Learns New Tricks | Mandiant
Attributes
Details Type #Events CTI Value
Details Domain 9 (note: the value below is a redacted RFC 1918 private IPv4 address, not a domain — the extractor mis-tagged it; it is not a routable indicator and should not be used for blocking or hunting)
192.168.xxx.xxx
Details File 1
stoppedprocess.exe
Details md5 2 (MD5 is collision-prone; confirm against a stronger hash such as SHA-256 from the original report, where given, before treating this as a unique sample identifier)
7c05da2e4612fca213430b6c93e76b06
Details Yara rule 1
// Hunting rule for INDUSTROYER.V2 keyed on a characteristic 32-bit x86 code sequence.
// The MTI_Hunting_ prefix marks this as a hunting rule rather than a high-confidence
// detection: triage matches instead of alerting on them directly.
rule MTI_Hunting_INDUSTROYERv2_Bytes {
	meta:
		author = "Mandiant"
		// Date kept exactly as published; the format is ambiguous (04-09 is presumably
		// 2022-04-09 given the April 2022 publication of the post - confirm).
		date = "04-09-2022"
		description = "Searching for executables containing bytecode associated with the INDUSTROYER.V2 malware family."
	strings:
		// A run of mov loads/stores against absolute addresses (8B 0D / 8B 15 / A1 load
		// ecx/edx/eax from a 32-bit address, 89 stores them; 8A 15 / 88 move a byte),
		// followed by an lea (8D), a push/pop of a 32-bit register (5? = 0x50-0x5F) and a
		// call (E8). The [n] wildcards cover the operand bytes, so a match does not depend
		// on the absolute addresses baked into a particular build.
		$code_seq = { 8B [2] 89 [2] 8B 0D [4] 89 [2] 8B 15 [4] 89 [2] A1 [4] 89 [2] 8B 0D [4] 89 [2] 8A 15 [4] 88 [2] 8D [2] 5? 8B [2] E8 }
	condition:
		// Cheap PE sanity checks first: "MZ" DOS header, "PE\0\0" at e_lfanew (offset 0x3C),
		// then the size cap, then the code pattern.
		uint16(0) == 0x5A4D
		and uint32(uint32(0x3C)) == 0x00004550
		and filesize < 3MB
		and $code_seq
}
Details Yara rule 1
// Hunting rule for INDUSTROYER.V2 keyed on its logging / format strings.
// Requires one string from each group (status-format strings AND APDU-logging strings)
// so that a single generic printf pattern alone does not fire the rule.
rule MTI_Hunting_INDUSTROYERv2_Strings {
	meta:
		author = "Mandiant"
		// Date kept exactly as published; the format is ambiguous (presumably 2022-04-09 - confirm).
		date = "04-09-2022"
		description = "Searching for executables containing strings associated with the INDUSTROYER.V2 malware family."
	strings:
		// Group 1: status/log format strings.
		// NOTE(review): $fmt1 and $fmt2 read like printf-style formats with the '%'
		// specifiers dropped ("%d:%d:%d", "%hu:%hu:%hu:%hu"), unlike $fmt3-$fmt11 which
		// keep them. As written they only match the literal text shown; verify against a
		// sample before relying on these two for coverage.
		$fmt1 = "M%X - d:d:d" ascii wide nocase
		$fmt2 = "hu:hu:hu:hu" ascii wide nocase
		$fmt3 = "%s M%X " ascii wide nocase
		// $fmt4 is a very generic format string; on its own it would be noisy, which is
		// why the condition also demands a group-2 hit.
		$fmt4 = "%s: %d: %d" ascii wide nocase
		$fmt5 = "%s M%X %d (%s)" ascii wide nocase
		$fmt6 = "%s M%X SGCNT %d" ascii wide nocase
		$fmt7 = "%s ST%X %d" ascii wide nocase
		$fmt8 = "Current operation : %s" ascii wide nocase
		$fmt9 = "Sent=x%X | Received=x%X" ascii wide nocase
		// ASDU / OA / IOA are IEC 60870-5-104 (IEC-104) protocol terms.
		$fmt10 = "ASDU:%u | OA:%u | IOA:%u | " ascii wide nocase
		$fmt11 = "Cause: %s (x%X) | Telegram type: %s (x%X" ascii wide nocase
		// Group 2: APDU / telegram logging strings (APDU is the IEC-104 frame unit;
		// MSTR/SLV appear to denote master -> slave direction of the logged traffic).
		$apdu1 = "Length:%u bytes | " ascii wide nocase
		$apdu2 = "Unknown APDU format !!!" ascii wide nocase
		$apdu3 = "MSTR ->> SLV" ascii wide nocase
		$apdu4 = "MSTR <<- SLV" ascii wide nocase
	condition:
		// PE sanity checks ("MZ" header, "PE\0\0" at e_lfanew) and a size cap, then at
		// least one string from each group.
		uint16(0) == 0x5A4D
		and uint32(uint32(0x3C)) == 0x00004550
		and filesize < 3MB
		and any of ($fmt*)
		and any of ($apdu*)
}