1. Home
  2. Software
  3. DEADWOOD

DEADWOOD

DEADWOOD is wiper malware written in C++ using Boost libraries. DEADWOOD was first observed in an unattributed wiping event in Saudi Arabia in 2019, and has since been incorporated into Agrius operations.[1]

ID: S1134
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 22 May 2024
Last Modified: 26 August 2024
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1531 Account Access Removal

DEADWOOD changes the password for local and domain users via net.exe to a random 32 character string to prevent these accounts from logging on. Additionally, DEADWOOD will terminate the winlogon.exe process to prevent attempts to log on to the infected system.[1]
Enterprise T1485 Data Destruction

DEADWOOD overwrites files on victim systems with random data to effectively destroy them.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

DEADWOOD XORs some strings within the binary using the value 0xD5, and deobfuscates these items at runtime.[1]
Enterprise T1561 .001 Disk Wipe: Disk Content Wipe

DEADWOOD deletes files following overwriting them with random data.[1]
.002 Disk Wipe: Disk Structure Wipe

DEADWOOD opens and writes zeroes to the first 512 bytes of each drive, deleting the MBR. DEADWOOD then sends the control code IOCTL_DISK_DELETE_DRIVE_LAYOUT to ensure the MBR is removed from the drive.[1]
Enterprise T1036 .004 Masquerading: Masquerade Task or Service

DEADWOOD will attempt to masquerade its service execution using benign-looking names such as ScDeviceEnums.[1]
Enterprise T1027 .009 Obfuscated Files or Information: Embedded Payloads

DEADWOOD contains an embedded, AES-encrypted payload labeled METADATA that provides configuration information for follow-on execution.[1]
.013 Obfuscated Files or Information: Encrypted/Encoded File

DEADWOOD contains an embedded, AES-encrypted resource named METADATA that contains configuration information for follow-on execution.[1]
Enterprise T1569 .002 System Services: Service Execution

DEADWOOD can be executed as a service using various names, such as ScDeviceEnums.[1]
Enterprise T1124 System Time Discovery

DEADWOOD will set a timestamp value to determine when wiping functionality starts. When the timestamp is met on the system, a trigger file is created on the operating system allowing for execution to proceed. If the timestamp is in the past, the wiper will execute immediately.[1]

Groups That Use This Software

ID Name References
G0064 APT33

DEADWOOD was previously linked to APT33 operations in 2019.[2]
G1030 Agrius

DEADWOOD has been used by Agrius in wiping operations.[1]

References

  1. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  1. INSIKT GROUP. (2020, January 7). Iranian Cyber Response to Death of IRGC Head Would Likely Use Reported TTPs and Previous Access. Retrieved May 22, 2024.