1. Home
  2. Software
  3. MultiLayer Wiper

MultiLayer Wiper

MultiLayer Wiper is wiper malware written in .NET associated with Agrius operations. Observed samples of MultiLayer Wiper have an anomalous, future compilation date suggesting possible metadata manipulation.[1]

ID: S1135
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 22 May 2024
Last Modified: 29 August 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

MultiLayer Wiper uses a batch script launched via a scheduled task to delete Windows Event Logs.[1]
Enterprise T1562 .001 妨碍防御: Disable or Modify Tools

MultiLayer Wiper removes the Volume Shadow Copy (VSS) service from infected devices along with all present shadow copies.[1]
Enterprise T1565 .001 数据操控: Stored Data Manipulation

MultiLayer Wiper changes the original path information of deleted files to make recovery efforts more difficult.[1]
Enterprise T1485 数据销毁

MultiLayer Wiper deletes files on network drives, but corrupts and overwrites with random data files stored locally.[1]
Enterprise T1083 文件和目录发现

MultiLayer Wiper generates a list of all files and paths on the fixed drives of an infected system, enumerating all files on the system except specific folders defined in a hardcoded list.[1]
Enterprise T1027 .009 混淆文件或信息: Embedded Payloads

MultiLayer Wiper contains two binaries in its resources section, MultiList and MultiWip. MultiLayer Wiper drops and executes each of these items when run, then deletes them after execution.[1]
Enterprise T1561 .002 磁盘擦除: Disk Structure Wipe

MultiLayer Wiper opens a handle to \\\\.\\PhysicalDrive0 and wipes the first 512 bytes of data from this location, removing the boot sector.[1]
Enterprise T1070 移除指标

MultiLayer Wiper uses a batch script to clear file system cache memory via the ProcessIdleTasks export in advapi32.dll as an anti-analysis and anti-forensics technique.[1]
.001 Clear Windows Event Logs

MultiLayer Wiper removes Windows event logs during execution.[1]
.004 File Deletion

MultiLayer Wiper uses a batch file, remover.bat to delete malware artifacts and the batch file itself during execution.[1]
.006 Timestomp

MultiLayer Wiper changes timestamps of overwritten files to either 1601.1.1 for NTFS filesystems, or 1980.1.1 for all other filesystems.[1]
Enterprise T1529 系统关机/重启

MultiLayer Wiper reboots the infected system following wiping and related tasks to prevent system recovery.[1]
Enterprise T1490 系统恢复抑制

MultiLayer Wiper wipes the boot sector of infected systems to inhibit system recovery.[1]
Enterprise T1053 .005 预定任务/作业: Scheduled Task

MultiLayer Wiper creates a malicious scheduled task that launches a batch file to remove Windows Event Logs.[1]

Groups That Use This Software

ID Name References
G1030 Agrius

MultiLayer Wiper is associated with wiping operations linked to Agrius.[1]

References

  1. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.