1. Home
  2. Software
  3. RawDisk

RawDisk

RawDisk is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.[1][2]

ID: S0364
Type: TOOL
Platforms: Windows
Version: 1.1
Created: 25 March 2019
Last Modified: 14 August 2024
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1485 Data Destruction

RawDisk was used in Shamoon to write to protected system locations such as the MBR and disk partitions in an effort to destroy data.[3][4]
Enterprise T1561 .001 Disk Wipe: Disk Content Wipe

RawDisk has been used to directly access the hard disk to help overwrite arbitrarily sized portions of disk content.[2]
.002 Disk Wipe: Disk Structure Wipe

RawDisk was used in Shamoon to help overwrite components of disk structure like the MBR and disk partitions.[3][4]

Groups That Use This Software

ID Name References
G0032 Lazarus Group

[5][2]
G1001 HEXANE

HEXANE probed victim infrastructure in support of HomeLand Justice.[6]

Campaigns

ID Name Description
C0038 HomeLand Justice

[7][6]

References

  1. Edwards, M. (2007, March 14). EldoS Provides Raw Disk Access for Vista and XP. Retrieved March 26, 2019.
  2. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  3. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  4. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
  1. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  2. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
  3. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.