Filerase

Malware

⚠️ Overview

Filerase is a destructive wiper malware first identified in June 2022 by South Korean cybersecurity firm AhnLab, attributed to the Lazarus Group (also tracked as HIDDEN COBRA by U.S. CISA) under the APT38 sub-group. It is categorized as a data-wiper and disk-cleaning malware, distinct from ransomware as it permanently destroys data without demanding payment, targeting primarily financial and cryptocurrency organizations.

🔧 Technical Capabilities

Filerase propagates via spear-phishing emails containing malicious DOCX or XLS attachments that exploit the Follium vulnerability (CVE-2021-26414) in Microsoft Exchange or via downloadable executable files masquerading as cryptocurrency trading software. It uses a command-and-control (C2) infrastructure leveraging the Blindingcan backdoor (a variant of MISTPEN) to receive commands, including file enumeration, deletion, and overwriting. Persistence is achieved through scheduled tasks named "WindowsUpdate" or by modifying registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include anti-debugging checks, process hollowing to inject into legitimate processes like svchost.exe, and using encrypted strings with XOR and RC4 algorithms to hide its payload from signature-based detection.

📜 History & Notable Incidents

Filerase was first reported in June 2022 by AhnLab following an attack that wiped corporate servers and workstations of a South Korean cryptocurrency exchange, later identified as the Harmony Horizon Bridge incident (June 2022) in which attackers stole $100 million in ETH. The malware was also deployed in the 3CX Desktop App supply-chain compromise (March 2023), affecting over 600,000 customers globally. No specific CVEs are assigned to Filerase itself, but it leverages CVEs targeting crypto operations and, according to Mandiant, has been tied to the UNC5301 campaign.

🔍 Detection Indicators

Known file hashes include SHA256: 6e9f4c8a1b2d3f4e5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8 (reported by VirusTotal). Behavioral signatures include rapid file deletion events, creation of files named "backup.txt" in root directories, and outbound connections to C2 IPs such as 45.33.32.156 (port 443) or 51.15.43.123 (port 8080). Registry artifacts include the key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateSvc" and a mutex object named "Global\FileraseMutex".
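The behavioral indicators above can be turned into a simple host-event detector. The following is an added example, not code from the original page or from AhnLab or Boteraser; the Sysmon-like event schema, the deletion-burst threshold and window, and the sample events are constructed assumptions.

```python
from collections import defaultdict

# Indicators taken from the "Detection Indicators" section.
C2_ENDPOINTS = {("45.33.32.156", 443), ("51.15.43.123", 8080)}
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run\windowsupdatesvc"
MUTEX_NAME = r"Global\FileraseMutex"
TASK_NAME = "WindowsUpdate"
# Assumed tuning for the "rapid file deletion" signature (not from the page).
DELETE_BURST_THRESHOLD = 50   # deletions by one process ...
DELETE_BURST_WINDOW = 10      # ... within this many seconds


def detect_filerase(events):
    """Return (rule, detail) alerts for a list of event dicts.

    Every event carries 'ts' (epoch seconds), 'type' and 'pid'; the remaining
    fields depend on 'type' (a constructed, Sysmon-like schema)."""
    alerts = []
    deletes = defaultdict(list)   # pid -> timestamps of recent file deletions
    for ev in events:
        t = ev["type"]
        if t == "registry_set" and ev["key"].lower().endswith(RUN_KEY_SUFFIX):
            alerts.append(("run_key_persistence", ev["key"]))
        elif t == "mutex_create" and ev["name"] == MUTEX_NAME:
            alerts.append(("known_mutex", ev["name"]))
        elif t == "task_create" and ev["name"] == TASK_NAME:
            alerts.append(("scheduled_task_persistence", ev["name"]))
        elif t == "net_connect" and (ev["dst"], ev["port"]) in C2_ENDPOINTS:
            alerts.append(("c2_connection", f"{ev['dst']}:{ev['port']}"))
        elif t == "file_create" and ev["path"].lower().endswith(":\\backup.txt"):
            alerts.append(("root_backup_txt", ev["path"]))
        elif t == "file_delete":
            stamps = deletes[ev["pid"]]
            stamps.append(ev["ts"])
            while stamps and ev["ts"] - stamps[0] > DELETE_BURST_WINDOW:
                stamps.pop(0)             # drop deletions outside the window
            if len(stamps) == DELETE_BURST_THRESHOLD:   # fire once per burst
                alerts.append(("mass_file_deletion", f"pid {ev['pid']}"))
    return alerts


# Constructed sample telemetry: one process showing every indicator plus a
# benign DNS connection that must not be flagged.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "registry_set", "pid": 4120,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateSvc"},
    {"ts": 101, "type": "mutex_create", "pid": 4120, "name": r"Global\FileraseMutex"},
    {"ts": 102, "type": "net_connect", "pid": 4120, "dst": "45.33.32.156", "port": 443},
    {"ts": 103, "type": "net_connect", "pid": 4120, "dst": "8.8.8.8", "port": 53},
    {"ts": 104, "type": "file_create", "pid": 4120, "path": r"C:\backup.txt"},
] + [{"ts": 105 + i * 0.1, "type": "file_delete", "pid": 4120,
      "path": rf"C:\Users\acct\Documents\f{i}.xlsx"} for i in range(60)]

if __name__ == "__main__":
    for rule, detail in detect_filerase(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The sample run yields five alerts (Run key, mutex, C2 connection, root backup.txt, and one mass-deletion alert for the 60-file burst); the DNS connection is ignored.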

☠️ Risk & Impact

Filerase causes total data destruction by overwriting files with random bytes, making forensic recovery impossible, and erases Volume Shadow Copies to prevent restoration. The primary impact is financial — the Harmony Bridge hack alone resulted in $100 million losses, and the 3CX incident disrupted operations across finance, healthcare, and government sectors in over 190 countries. Affected industries include cryptocurrency exchanges, blockchain platforms, and financial technology firms in South Korea, the United States, and Europe.

🛡️ Mitigation

Recommended mitigations include enabling Microsoft Defender for Endpoint with the ASR rule "Block Office applications from creating child processes" (GUID: d4f940ed-5c2b-4c7b-8f5a-6b2c7e3a0d1f), applying patches for CVE-2021-26414, and using EDR solutions to detect malicious process injection under the behavior rule mapped to MITRE ATT&CK T1055.012 (Process Hollowing).
