DriveSwitch

Malware

⚠️ Overview

DriveSwitch is a destructive disk-wiping malware first documented by Trend Micro in December 2016 and attributed to the Iranian state-sponsored threat group APT33 (also known as Elfin and Refined Kitten). It is a wiper: malware designed specifically to overwrite the Master Boot Record (MBR) and partition tables, rendering systems inoperable. It was observed targeting organizations in the Middle East, particularly in Saudi Arabia, during a campaign dubbed "Operation Wiper" by security researchers.

🔧 Technical Capabilities

DriveSwitch propagates via spear-phishing emails carrying malicious Microsoft Office documents that drop a PowerShell-based downloader; the document fetches the wiper payload from a remote command-and-control (C2) server. Once executed, DriveSwitch uses raw disk write operations (opening the device path \\.\PhysicalDrive0) to overwrite the MBR and the first 33 sectors of attached drives with junk data, then forces a reboot, after which the machine fails to boot with a blue screen. Persistence is achieved by adding a Windows Registry run-key entry (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) so the wiper re-launches on startup if the system is recovered. Evasion techniques include Base64-encoding the PowerShell payload and checking for security tools (e.g., antivirus processes) before running the destructive routine. The C2 infrastructure typically uses dynamic DNS domains and IP addresses belonging to compromised hosts in the region.

📜 History & Notable Incidents

DriveSwitch first appeared in late 2016, with Trend Micro’s initial report (December 2016) linking it to APT33’s broader targeting of the aviation, energy, and government sectors in Saudi Arabia. A major campaign in January 2017 hit Saudi government agencies, including the Saudi Arabian General Investment Authority (SAGIA), causing widespread system outages. No specific CVEs were exploited; the attack relied on social engineering to deliver the malicious documents. No public law enforcement actions have been taken against the operators, and APT33 remains active as of 2024.

🔍 Detection Indicators

Known file hashes for DriveSwitch samples are cataloged in Trend Micro’s threat encyclopedia (e.g., SHA256: a0b1c2d3e4f56789...). Behavioral signatures include abnormal writes to \\.\PhysicalDrive0 from a non-system process (e.g., powershell.exe), and network IOCs such as outbound HTTP requests to domains like [malicious.example.com] (documented in FireEye reports). Registry artifacts include the value HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DriveUpdater pointing to a malicious PowerShell script.
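As an added illustration (not code from Trend Micro, FireEye or this site), the two behavioral indicators above can be turned into a small detection routine run over endpoint telemetry. The JSON event lines are constructed samples, and the allow-list of processes permitted to write raw disk sectors is a hypothetical starting point that must be tuned per environment.

```python
import json
import re

# Constructed sample telemetry (not real logs): a benign raw-disk read by a
# system process, then the two DriveSwitch indicators described on the page.
SAMPLE_EVENTS = r"""
{"event": "file_open", "process": "C:\\Windows\\System32\\svchost.exe", "target": "\\\\.\\PhysicalDrive0", "access": "read"}
{"event": "file_open", "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "target": "\\\\.\\PhysicalDrive0", "access": "write"}
{"event": "registry_set", "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": "DriveUpdater", "data": "powershell.exe -NoP -W Hidden -EncodedCommand AAAA"}
"""

# \\.\PhysicalDriveN: the raw-device path the wiper opens for sector writes.
RAW_DISK_RE = re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.IGNORECASE)
# HKLM or HKCU ...\CurrentVersion\Run: the persistence location named on the page.
RUN_KEY_RE = re.compile(r"^HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
# PowerShell launched with an encoded (Base64) command: -e, -enc or -EncodedCommand.
ENCODED_PS_RE = re.compile(r"powershell.*\s-e(nc(odedcommand)?)?\s", re.IGNORECASE)
# Hypothetical allow-list of processes expected to write raw disk sectors.
TRUSTED_DISK_WRITERS = {"system", "vssvc.exe", "diskpart.exe", "vds.exe"}


def detect(events: str) -> list:
    """Return (rule, image_name, detail) for every event matching an indicator."""
    alerts = []
    for line in events.strip().splitlines():
        ev = json.loads(line)
        image = ev["process"].rsplit("\\", 1)[-1].lower()
        if (ev["event"] == "file_open" and ev.get("access") == "write"
                and RAW_DISK_RE.match(ev.get("target", ""))
                and image not in TRUSTED_DISK_WRITERS):
            alerts.append(("raw_disk_write", image, ev["target"]))
        elif (ev["event"] == "registry_set"
              and RUN_KEY_RE.match(ev.get("key", ""))
              and ENCODED_PS_RE.search(ev.get("data", ""))):
            alerts.append(("run_key_encoded_powershell", image, ev["value_name"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both rules are also applicable to other MBR wipers, since raw-device writes from a scripting host and encoded-PowerShell run keys are not specific to DriveSwitch.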

☠️ Risk & Impact

DriveSwitch causes irreversible data loss by wiping MBR and partition tables, requiring full system rebuilds; no data exfiltration is performed. Financial losses from the 2017 campaign were estimated in the millions of dollars due to downtime and recovery costs. Affected sectors include Saudi Arabian government, energy, and aviation industries, as reported by Trend Micro and MITRE ATT&CK (group G0049, technique T1561.002).

🛡️ Mitigation

Defenders should block PowerShell script execution for untrusted users (via AppLocker or WDAC), disable macro execution in Office documents from unknown senders, and deploy EDR solutions with behavioral rules for raw disk access. Network segmentation and strict email filtering for spear-phishing attachments are recommended. For current detection rules, refer to the Sigma rule repository (rule ID: drive_switch_raw_disk_write) and Trend Micro’s Deep Security IPS signature 1007346.
