The Sandworm group’s activities are a quite frequent topic at Virus Bulletin conferences. And there is no doubt why – it’s arguably the most dangerous APT group. Throughout the years of its existence, the Sandworm APT has performed a number of notorious destructive attacks, including the first-ever malware-driven electricity blackout (Kiev, December 2015), the costliest cyberattack ever (NotPetya), and attacks against entities that were involved in organizing the 2018 Winter Olympics in Pyeongchang (Olympic Destroyer).
In October 2020, the US Department of Justice published an indictment against six computer hackers who allegedly prepared and conducted the Sandworm attacks. The indictment contains detailed descriptions of attacks that have been performed during the past few years. Some of these details were already known, but some of them were published for the first time in the indictment.
After careful examination of the indictment, we were able to link an activity we observed back in 2019 to Sandworm. At that time, Sandworm attackers used a previously unreported malware toolkit with an interesting and rare Windows persistence mechanism (a time provider).
Our presentation reveals details about that activity and provides an in-depth analysis of the malware. In addition, we will discuss detection opportunities for the technique used by this malware.
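As an added illustration of the detection angle mentioned above (this script is not part of the presentation or its authors' tooling), the following PowerShell audit enumerates the time providers registered under the W32Time service and flags any whose DLL is not one of the Windows-shipped providers. The baseline list of known DLL names is an assumption and should be adjusted to the builds in your environment.

```powershell
# Added example: audit W32Time time providers for unexpected DLLs.
# Windows loads every provider listed under this key when the w32time service
# starts, so a foreign DLL here is a persistence indicator worth reviewing.
function Get-TimeProviderAudit {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders'
    # Assumed baseline of provider DLLs shipped with Windows (adjust per build).
    $knownDlls = @('w32time.dll', 'vmictimeprovider.dll')

    Get-ChildItem -Path $root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        # DllName is usually REG_EXPAND_SZ; expand %SystemRoot% etc. explicitly.
        $dll  = [Environment]::ExpandEnvironmentVariables([string]$props.DllName)
        $leaf = if ($dll) { (Split-Path -Path $dll -Leaf).ToLower() } else { '' }

        # Expect known DLL names living under System32; anything else is suspicious.
        $inSystem32 = $dll -like "$env:SystemRoot\System32\*"
        $suspicious = (-not ($knownDlls -contains $leaf)) -or (-not $inSystem32)

        $exists = ($dll -ne '') -and (Test-Path -LiteralPath $dll)
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }

        [pscustomobject]@{
            Provider   = $_.PSChildName
            DllName    = $dll
            Enabled    = $props.Enabled        # 1 = loaded by w32time on start
            OnDisk     = $exists
            Signature  = $sig                  # 'Valid' for Microsoft-signed files
            Suspicious = $suspicious
        }
    }
}

# Print the audit and highlight anything outside the baseline.
Get-TimeProviderAudit | Format-Table -AutoSize
Get-TimeProviderAudit | Where-Object Suspicious | ForEach-Object {
    Write-Warning "Unexpected time provider '$($_.Provider)' -> $($_.DllName)"
}
```

Run it elevated on the host being examined; pairing the registry baseline with change monitoring on the same key (for example Sysmon registry-value-set events) catches providers that are added between audits.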
Got a question about this presentation? To get in touch with the speakers, contact Anton Cherepanov by email on [email protected] or on Twitter at @cherepanov74, or Robert Lipovsky on Twitter at @Robert_Lipovsky.