NotPetya

NotPetya is malware that was first seen in a worldwide attack starting on June 27, 2017. The main purpose of the malware appeared to be to effectively destroy data and disk structures on compromised systems. Though NotPetya presents itself as a form of ransomware, it appears likely that the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.[1][2]

ID: S0368
Associated Software: GoldenEye, Petrwrap, Nyetya

Type: MALWARE
Platforms: Windows

Version: 1.0

Associated Software Descriptions

Name | Description
GoldenEye | [1]
Petrwrap | [1]
Nyetya | [1]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1003 | Credential Dumping | NotPetya contains a modified version of Mimikatz to help gather credentials that are later used for lateral movement.[1][2][3]
Enterprise | T1486 | Data Encrypted for Impact | NotPetya encrypts user files and disk structures like the MBR with 2048-bit RSA.[1][2]
Enterprise | T1210 | Exploitation of Remote Services | NotPetya can use two exploits in SMBv1, EternalBlue and EternalRomance, to spread itself to other remote systems on the network.[1][2]
Enterprise | T1070 | Indicator Removal on Host | NotPetya uses wevtutil to clear the Windows event logs.[1]
Enterprise | T1036 | Masquerading | NotPetya drops PsExec with the filename dllhost.dat.[1]
Enterprise | T1085 | Rundll32 | NotPetya uses rundll32.exe to install itself on remote systems when accessed via PsExec or wmic.[1]
Enterprise | T1053 | Scheduled Task | NotPetya creates a task to reboot the system one hour after infection.[1]
Enterprise | T1035 | Service Execution | NotPetya can use PsExec to help propagate itself across a network.[1][2]
Enterprise | T1195 | Supply Chain Compromise | NotPetya's initial infection vector for the June 27, 2017 compromise was a backdoor in the Ukrainian tax accounting software M.E.Doc.[1][2][4]
Enterprise | T1078 | Valid Accounts | NotPetya can use valid credentials with PsExec or wmic to spread itself to remote systems.[1][2]
Enterprise | T1077 | Windows Admin Shares | NotPetya can use PsExec, which interacts with the ADMIN$ network share to execute commands on remote systems.[1][2][5]
Enterprise | T1047 | Windows Management Instrumentation | NotPetya can use wmic to help propagate itself across a network.[1][2]
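As an added example, not part of the ATT&CK entry: a small Python detector that runs over constructed process-creation events and flags a host only when several of the behaviours listed above co-occur (PsExec dropped as dllhost.dat, wevtutil clearing logs, a scheduled task that reboots the host, rundll32 started under PsExec or WMI, wmic against a remote node). The event field names, the sample events, and the parent-process names PSEXESVC.exe and WmiPrvSE.exe are assumptions of this example.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1-like shape.
# Field names (image, parent_image, cmdline) and all values are made up for
# this example; they are not taken from the ATT&CK page or real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\dllhost.dat", "parent_image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\dllhost.dat \\192.0.2.10 -s -d C:\Windows\System32\rundll32.exe"},
    {"image": r"C:\Windows\System32\wevtutil.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"wevtutil cl System"},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /Create /SC once /TN reboot /TR "shutdown.exe /r /f" /ST 15:30'},
    {"image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe report.txt"},
]

def _image_is(event, *names):
    """True when the event's image path ends in one of the given file names."""
    return event["image"].lower().endswith(tuple("\\" + n for n in names))

# One rule per behaviour from the Techniques Used table: (technique id, summary, predicate).
# Parent names for PsExec's service (PSEXESVC.exe) and WMI (WmiPrvSE.exe) are assumptions.
RULES = [
    ("T1036", "PsExec masquerading as dllhost.dat", lambda e: _image_is(e, "dllhost.dat")),
    ("T1070", "wevtutil clearing an event log",
     lambda e: _image_is(e, "wevtutil.exe") and re.search(r"\b(cl|clear-log)\b", e["cmdline"], re.I)),
    ("T1085", "rundll32 started via PsExec or WMI",
     lambda e: _image_is(e, "rundll32.exe")
     and e["parent_image"].lower().endswith(("\\psexesvc.exe", "\\wmiprvse.exe"))),
    ("T1053", "scheduled task whose action reboots the host",
     lambda e: _image_is(e, "schtasks.exe") and re.search(r"/create", e["cmdline"], re.I)
     and re.search(r"shutdown(\.exe)?\b.*?/r\b", e["cmdline"], re.I)),
    ("T1047", "wmic executing against a remote node",
     lambda e: _image_is(e, "wmic.exe") and re.search(r"/node:", e["cmdline"], re.I)),
]

def match_techniques(events):
    """Return {technique id: summary} for every rule that fires on any event."""
    hits = {}
    for event in events:
        for tid, summary, predicate in RULES:
            if predicate(event):
                hits[tid] = summary
    return hits

def looks_like_notpetya(events, min_techniques=3):
    """Flag a host only when several distinct listed behaviours co-occur, which keeps a
    lone administrator running wevtutil or schtasks from tripping the detector."""
    return len(match_techniques(events)) >= min_techniques
```

Thresholding on distinct technique ids rather than raw event counts is what keeps the logic useful on a busy host; tune min_techniques to the noise level of your own telemetry.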

References