Take a Product Tour Request a Demo Cybersecurity Assessment Contact Us

Blogs

The latest cybersecurity trends, best practices, security vulnerabilities, and more

Handala’s Wiper Targets Israel

CrowdStrike’s Falcon agent caused downtime for millions of computers across the globe beginning July 19. This event caused panic and chaos, which threat actors quickly latch on to gain an edge over defenders. One such actor is the self proclaimed Handala Hacking Team, which has sent lure emails which contained malware to Israeli targets. The malware is a wiper which has a single purpose: to destroy files on the machine its runs on. This blog will focus on the threat actor’s background and previous actions, the attack chain, and the wiper’s internals and reused code.

Handala Hacking Team

This threat actor emerged in December 2023, with their first post on X on the 18th of said month. Their focus is on Israeli entities and entities interacting with Israeli entities. From the get-go, the threat actor tagged Israel’s National Cyber Directorate (INCD) to both get attention and to taunt. Per Israel’s official website, an undisclosed commercial company attributed the group to Iran.

Israeli-based Cyberint has a blog with more details on the actor’s origin and actions. Cyberint does not attribute the malware to a specific nation state aligned state, much like the Israeli-based Intezer, which attributes the group as a “pro-Palestinian activist group” and further states “we can’t make attribution since there is insufficient evidence”.

Based on the available evidence, per our attribution, it is a group which at least pretends to act based on pro-Palestinian motives. Whether or not it is just a façade for an ulterior motive remains to be seen.

Trellix’ telemetry confirms the reported activity of Handala, as hundreds of emails to Israeli customers have been observed in the past week. These messages never made it to the mailboxes of the intended recipients, as Trellix blocked the emails.

Modus operandi

Given the recent focus on CrowdStrike themed malware, this attack caught the eye of other researchers as well, as documented by Mohamed Talaat, BleepingComputer, and CyberScoop, as well as many others.

The attack-chain starts with a CrowdStrike themed email to a victim, in which the outage is addressed and a “fix” is allegedly provided. The lure can be seen in the image below.

Figure 1 - The CrowdStrike themed lure
Figure 1 - The CrowdStrike themed lure

The attached PDF file, seen in the image below, contains a link to download the “outage fix”. The theme of the lure email and PDF are to hope a hastened target will simply download and execute the malware, thereby infecting the system.

Figure 2 - The PDF lure with a link to the malware
Figure 2 - The PDF lure with a link to the malware

The linked archive, named “update.zip”, contains a Nullsoft Scriptable Install System (NSIS) installer named “CrowdStrike.exe”. NSIS is a benign installer, which can be abused to perform malicious activity, as is the case here. The installer unpacks and subsequently executes files which perform anti-anti-malware checks, after which it unpacks and executes an AutoIT script to launch the wiper.

After wiping the system, the wiper will collect system information and exfiltrate it via Telegram’s API. This provides insight into the usage of the wiper to the actor. The flowchart below shows the complete modus operandi.

Figure 3 - The modus operandi of the attack
Figure 3 - The modus operandi of the attack


Loading stages

The NSIS installer extracts files to the temporary folder, where a batch script named “Carrol” is also placed and subsequently executed without a visible window, as can be seen in the screenshot below.

Figure 4 - The command to copy and execute “Carrol”
Figure 4 - The command to copy and execute “Carrol”

At first, the script, shown in the image below, checks if “wrsa.exe” (Webroot SecureAnywhere) or “opssvc.exe” (Online Protection System Service) is present in the list of currently running processes. If this is the case, 186 pings are sent to the localhost. This action doesn’t do anything on its own, but it does let the process sleep for roughly one second per ping, making the total sleep time three minutes.

Figure 5 - The batch script
Figure 5 - The batch script

Next, the existence of “avastui.exe” (Avast User Interface), “avgui.exe” (AVG), “bdservicehost.exe” (BitDefender Service Host), “nswscsvc.exe” (Norton Security), or “sophoshealth.exe” (Sophos) is checked. If any of these exists, environment variables are set to rename the AutoIT executable and script differently.

The creation of the AutoIT binary is done in steps. The first section of the file is copied by omitting the string “locatedflatrendsoperating” from the file named “Ukraine”, and saving it as “Champion.pif”. The “/V” option omits the provided argument and outputs the rest of the data. In the “copy” command thereafter, all files are concatenated to restructure the AutoIT executable. The final “copy” command recreates the malicious AutoIT script, which is started directly afterwards.

AutoIT

The usage of AutoIT in malware isn’t new, but the usage of benign software for a malicious purpose does make the detection more difficult. The strings within the script are obfuscated. To deobfuscate them, one can utilize the following Python snippet.

Figure 6 - Python code to deobfuscated strings within the AutoIT code
Figure 6 - Python code to deobfuscated strings within the AutoIT code


The execution flow continues with the execution of the AutoIT script, which performs additional checks to avoid executing in sandboxes. The check for the computername relates to Kaspersky’s and Avast’s sandboxes. The check for a file located at “C:\aaa_TouchMeNot_.txt” is to avoid Windows Defender Emulator. These checks, shown in the screenshot below, are also found in a case described by TrendMicro in early 2021.

Figure 7 - The environmental checks
Figure 7 - The environmental checks


The sequence mentioned above is repeated until administrative permissions have been granted.

The Windows “ntdll.dll”’s .text section is then copied over the in-memory one. This technique is meant to remove user-land hooks set by antivirus software. More information about this topic can be found on MalwareTech’s blog. The execution flow then continues by loading shellcode.

Figure 8 - The unhooking code
Figure 8 - The unhooking code


The shellcode is either 32-bits or 64-bits, based on the architecture of the victim’s machine. The shellcode, and related code, is shown below.

Figure 9 - The shellcode related code
Figure 9 - The shellcode related code


The payload is then decrompressed. Compressed data is, often, less suspicious as it cannot be executed directly. Additionally, it is smaller and can therefore more easily be included within a payload without increasing the file size significantly.

Figure 10 - The shellcode decompression code
Figure 10 - The shellcode decompression code


The exact Windows API calls to perform process hollowing are shown in the image below, taken from the AutoIT script.

Figure 11 - The process injection related code
Figure 11 - The process injection related code


The screenshot below shows the execution stages of the shellcode and the injection into “RegAsm.exe”, which is started in a suspended state. This is indicative of the aforementioned process hollowing method to inject code.

Figure 12 - Decryption in memory
Figure 12 - Decryption in memory

Wiper analysis

The wiper is the final payload in the execution chain. It starts by extracting two files from its resources and placing them into the same folder as the wiper is in. If such a file already exists, it is deleted. The files are originating a benign open-source project which aims to list the processes which are using a specific file.

Figure 13 - The wiper’s main function
Figure 13 - The wiper’s main function

If the first command-line argument equals “ConfirmDeleteFiles” (case sensitive) exists, the first messagebox will be skipped. If executed without any command-line arguments, or with another value for the first argument, the wiper will ask if the CrowdStrike “update” should be started. Only if the answer is yes (or if the first command-line argument is equal to the given string), the next messagebox will be shown.

The second messagebox awaits until the single “OK” button is pressed, after which the “Service” object is declared and instantiated, after which the “Run” method is called.

The main wiper logic is found within the “Run” function. Before wiping, the victim’s IP is obtained via a request to Major Hayden’s often misused icanhazip.com, along with the username, machine name, domain name, Windows drive, and the free and total space on each available disk. The image below shows most of the corresponding code.

Figure 14 - The code related to the gathering of information prior to the start of the wiping
Figure 14 - The code related to the gathering of information prior to the start of the wiping

While iterating over all the drives, folders which match wipe criteria are also saved, used for wiping later on. The wiper will then post the gathered information to a Telegram channel/group controlled by the actor, as to update the actor on the wiper’s activity along with information about the victims. The files are wiped per category such as “Windows drive” or “other drives”, where the wiping of each category is done within a separate thread. Prior to the wiping, another update is sent to the Telegram channel/group, per category. Once the wiping is done, the empty directories are deleted. The screenshot below shows the code related to this segment.

Figure 15 - The deletion process for one category
Figure 15 - The deletion process for one category

The actual wiping of files is done using the “OverwriteFileBlockAndDelete” function. The wiping checks if the machine name is equal to “Gaza hackers Team Handala Machine”, which might be put in to correlate with the claim laid on social media by the group, or to avoid running it on their development machine.

Figure 16 - The file overwrite logic
Figure 16 - The file overwrite logic

They then overwrite the file by calling “OverwriteFileBlockSize4096”. This function, shown in the image below, overwrites 4096 bytes with random data, as long as chunks of 4096 bytes are present within the file. The random bytes are generated once before wiping, and are reused for all chunks of 4096 bytes for the specific file.

If the remaining chunk is less than 4096 bytes, a new array is created with the exact size, which is then used to overwrite the last bit of the file. Note that this last array is not filled with random data, but with zeroes.

Figure 17 - Code used to overwrite a file
Figure 17 - Code used to overwrite a file

Once the file has been overwritten, an attempt is made to delete it. If this fails because the process is in use, the previously loaded OpenFileFinder library is used to free the file. The callback function provided as an argument is called once the function returns. The argument provided to the callback function contains the process ID of the process which uses the file. With this process ID, an attempt is made to terminate the process and subsequently delete the file, as it should be no longer in use. The function is given below.

Figure 18 - The callback function for a file which is in use
Figure 18 - The callback function for a file which is in use

The described wiping process continues for all targeted files, after which the wiper shuts down.

Attribution

While some actors attempt to hide and operate without any public activity, the Handala group is very vocal and public about their attacks. They claimed the wiper attack, also shown in the screenshot below, and have shared articles from news outlets and researchers alike. This matches the activist nature of the group.

Figure 19 - Handala’s claim of this campaign
Figure 19 - Handala’s claim of this campaign

Within the wiper itself is another reference to the group. The string, “Gaza Hackers Team Handala Machine” is used to only execute the wiper on systems which do not have said name. If this is done to avoid accidental execution on the creator’s machine(s) remains unknown, as the aforementioned messagebox already avoids accidental execution.

Figure 20 - Handala’s name embedded as a string within the wiper
Figure 20 - Handala’s name embedded as a string within the wiper

The code within this wiper overlaps significantly with the previous wiper the Handala group released, although changes have been made. The previous campaign also targeted Israeli entities, and the threat actor also claimed the responsibility.

The main code overlap can be found in the usage of a messagebox dialog which asks the user if the execution should continue. The given reason differs between the versions, as it's either an unnamed system update or a CrowdStrike “fix”. The screenshot below shows the previous wiper’s main function.

Figure 21 - The older wiper’s main function
Figure 21 - The older wiper’s main function

The first version has additional checks with regards to avoiding execution while already running on the system, and to check the granted permissions, as can be seen in the first few lines of the main function in the screenshot above. Also note how the check for the presence and value of the first command-line argument equals “ConfirmDeleteFiles” in the older version.

The body of the first else-clause within the above-shown main function, is what remains (with minor edits) in the most recent wiper version, as the first has been removed, along with the code above the first if-statement.

One other detail is the used symbol name for the function to delete directories, which is the same in both samples: “DeleteDirectorys”.

While code overlap itself can be telling with regards to attribution, the two wiper files can be linked with more than just that. The TypeLib ID is a global unique identifier (GUID) which is generated by Visual Studio upon the creation of a project solution. Reusing the same project for a different purpose will not alter the GUID, although one can manually change it. Brian Wallace wrote about this specifically in a blog for BlackBerry in 2015.

The TypeLib ID for the old and new wiper is exactly the same, which makes it highly likely that the actor reused the old wiper code and merely made changes to it. Reusing an existing GUID is possible, but given the claims on social media by the actor, the overlap in code, and the likely reuse of the Visual Studio solution, we attribute this campaign with high confidence to the Handala group.

Conclusion

The adaptation from actors to change their lures based on recent events shows that defenders have to be ever vigilant and face a continuously raising the bar. Even if the attacks following the lure aren’t sophisticated, they can still damage your organization, especially if there is panic and/or haste involved.

Continuous monitoring of the underground and malware landscape is of importance to anticipate coming attacks. Even if threat groups create a novel malware family for their attack, knowing more about them will give a defensive edge over said threat groups.

IOCs

PDF: 22e9135a650cd674eb330cbb4a7329c3

Zip: d32f89a8a3dd360db3fa9b838163ffa0

CrowdStrike.exe 755c0350038daefb29b888b6f8739e81

Carroll.cmd 9fab9f640db1f75fb8c18bfb50976abd

AutoIT.exe 6ee7ddebff0a2b78c7ac30f6e00d1d11 (non malicious )

AutoIT Script fca0910949d92dc3dd3dfcf0fb3d0408

Wiper : 2a5dd680c05b43d72365e8beb7e40088

SecureDeleteFilesConsole.ListOpenedFileDrv_32.sys : da663d3ea0c818a60292e5239ef23dae (non malicious )

SecureDeleteFilesConsole.OpenFileFinder.dll : 3663bce9a86d8a619dcb64dc6ffbadee (non malicious )

Telegram BotKey : 7277950797:AAF99Nw5rAT1BHnMmwY_tQNYJFU3dYJ5RHc

Telegram ChatID : 7436061126

hxxps://link[.]storjshare[.]io/s/jwyite7mez2ilyvm2esxw2jq3apq/crowdstrikeisrael/update.zip?download=1Files:

hxxps://link[.]storjshare[.]io/s/jvktcsf5ypoak5aucs6fn6noqgga/crowdstrikesupport/update.zip?download=1

hxxps://link[.]storjshare[.]io/s/jwyite7mez2ilyvm2esxw2jq3apq/crowdstrikeisrael/update.zip?download=1

similar sample : 8678cca1ee25121546883db16846878b

Product Signature

Network Security (NX)

Detection as a Service

Email Security (EX)

IVX

File Protect

IPS

  • FEC_Dropper_NSIS_Generic_4
  • FEC_Trojan_BAT_Generic_59
  • FE_Wiper_MSIL_Handala_1
  • FEC_Loader_AutoIt_Generic_5
  • FE_Wiper_MSIL_Generic_1
  • FE_Wiper_MSIL_Handala_2
  • Trojan.Win.Generic.MVX
  • Wiper.Win.Generic.MVX
  • Trojan.MSIL.Generic
  • Malware.Binary.exe
  • Trojan.Autoit
  • BOT: Handala Wiper C2 Exfil Activity Detected
  • FE_EMAIL_MALICIOUS_BODY_512472
Endpoint Security (HX)
  • Trojan.GenericKD.73607723
  • Trojan.GenericKD.73615852
  • Trojan.GenericKD.73619602
  • CMD COPY MULTIPLE FILES (METHODOLOGY)
  • SEARCH ANTIVIRUS PRODUCTS (METHODOLOGY)
  • CMD WRITING FILES WITH PIF EXTENSION (METHODOLOGY)
  • PROCESS WITH PIF EXTENSION LOADING DLL (METHODOLOGY)
  • PROCESS WITH PIF EXTENSION WRITING FILES (METHODOLOGY)
  • PROCESS WITH PIF EXTENSION MODIFYING REGISTRY (METHODOLOGY)
  • PROCESS FROM USERS LAUNCHING REGASM FILEWRITES (METHODOLOGY)
  • SUSPCIOUS PROCESS WITH PIF EXTENSION EXECUTION (METHODOLOGY)
Endpoint Security (ENS)
  • Generic .ngg
  • Generic..j
Helix
  • WINDOWS METHODOLOGY [Suspicious AV Search]
  • WINDOWS METHODOLOGY [Suspicious Parent of Autoit3]
EDR
  • Created and executed AutoIt3 binary
  • Created and executed regasm lolbin (Potential malware behaviour)
  • masqueraded Lolbins execution and created required files to locate and open files
  • Suspicious activity detected checking the presence of file related to Windows Defender Emulator
  • Suspicious process detected checking for multiple security process (Trojan Activity)
  • Suspicious file masquerading as benign file was created and executed (Trojan Activity)
  • Reassembled binary files via copy command and executed from suspicious path
  • reassembled AutoIt binary files via copy command and executed from suspicious path
  • Suspicious execution of AutoIt3 binary and accessed hidden windows
  • Malicious activity detected deleting files from the system (Handala's Wiper)
  • Malicious activity detected deleting files from the system

Get the latest

We’re no strangers to cybersecurity. But we are a new company.
Stay up to date as we evolve.

Please enter a valid email address.

Zero spam. Unsubscribe at any time.