Threat Roundup: Lotus Wiper Targeting Energy Sector and Emerging Mobile Spyware

The latest Security Affairs Malicious Software Newsletter (Round 94) delivers a critical alert for defenders, particularly those managing Operational Technology (OT) and Critical Infrastructure environments. The headlining threat is Lotus Wiper, a destructive malware strain actively targeting the energy and utilities sector. Alongside this industrial threat, the bulletin details the evolution of mobile surveillance, including Morpheus Spyware linked to IPS Intelligence, and the emergence of DarkSword and Coruna exploit chains targeting iOS devices. Additionally, a new NGate variant demonstrates continued innovation in Android banking trojans.

For the enterprise SOC, the immediate priority is Lotus Waper. Wiper attacks are not ransomware; they do not seek financial extraction but rather operational destruction. The intent is denial of service and data eradication, necessitating a distinct defensive posture focused on resilience and rapid recovery rather than just negotiation prevention.

Technical Analysis

Lotus Wiper (Energy & Utilities Sector)

Type: Destructive Malware (Wiper)
Target Sector: Energy and Utilities (Critical Infrastructure)
Platform: Windows (likely impacting SCADA servers, HMIs, and associated IT workstations)
Mechanism: While specific CVEs are not always disclosed in initial wiper reports, the functionality typically involves overwriting the Master Boot Record (MBR), corrupting file systems, or mass-deleting files on network shares and local drives to prevent recovery.
Exploitation Status: Active targeting of the energy sector reported. This implies potential initial access via phishing, supply chain compromise, or exploitation of internet-facing industrial protocols.

Morpheus Spyware (Mobile)

Actor: Linked to IPS Intelligence
Capabilities: Surveillance capabilities including exfiltration of communications, GPS tracking, and microphone access.
Platform: Android (primarily), though cross-platform frameworks exist.

DarkSword & Coruna (iOS)

Platform: iPhone (iOS)
Vector: Likely exploit chains (zero-day or n-day) targeting kernel or browser vulnerabilities to bypass sandbox protections.
Status: Confirmed active research and deployment in intelligence operations.

NGate Variant (Android)

Type: Banking Trojan
Evolution: New variant employs obfuscation techniques to hide within legitimate-looking apps or system processes, focusing on NFC/OTP interception.

Detection & Response

Given the severity of Lotus Waper for enterprise defenders, the detection rules below focus on the precursors and execution patterns common to wiper malware in Windows environments. Defenders should hunt for the mass deletion of shadow copies and the abrupt termination of security services.

YAML

---
title: Potential Waper Activity - VSS Shadow Copy Deletion
id: 8a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects attempts to delete Volume Shadow Copies, a common precursor to wiper attacks to prevent recovery.
references:
  - https://securityaffairs.com/191312/malware/security-affairs-malware-newsletter-round-94.html
author: Security Arsenal
date: 2024/06/01
tags:
  - attack.impact
  - attack.t1485
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\vssadmin.exe'
      - '\wbadmin.exe'
    CommandLine|contains:
      - 'delete shadows'
      - 'delete backup'
  condition: selection
falsepositives:
  - Legitimate system administration tasks (rare)
level: high
---
title: Potential Waper Activity - Boot Configuration Modification
id: 9b3c4d5e-6f7a-5b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects modifications to boot configuration or recovery agents often used by wipers to prevent system restoration.
references:
  - https://securityaffairs.com/191312/malware/security-affairs-malware-newsletter-round-94.html
author: Security Arsenal
date: 2024/06/01
tags:
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\bcdedit.exe'
      - '\reagentc.exe'
    CommandLine|contains:
      - '/delete'
      - '/disable'
  condition: selection
falsepositives:
  - Authorized IT maintenance
level: medium
---
title: Potential Waper Activity - Mass File Encryption or Overwrite
id: 0c4d5e6f-7a8b-6c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects rapid file modifications or overwrites indicative of wiper behavior, often using tools like cipher or sdelete.
references:
  - https://securityaffairs.com/191312/malware/security-affairs-malware-newsletter-round-94.html
author: Security Arsenal
date: 2024/06/01
tags:
  - attack.impact
  - attack.t1486
logsource:
  category: process_creation
  product: windows
detection:
  selection_tool:
    Image|endswith:
      - '\cipher.exe'
      - '\sdelete.exe'
  selection_params:
    CommandLine|contains:
      - '/w'
      - '-p 3'
  condition: 1 of selection*
falsepositives:
  - Legitimate disk wiping routines during hardware decommissioning
level: high

KQL (Microsoft Sentinel / Defender)

This query hunts for the sequence of events typical in a waper attack: disabling recovery followed by data destruction.

KQL — Microsoft Sentinel / Defender

let TimeFrame = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
// Identify execution of system administration tools used for destruction
| where FileName in~ ("vssadmin.exe", "wbadmin.exe", "bcdedit.exe", "cipher.exe")
| extend CommandArgs = tostring(ProcessCommandLine)
// Filter for destructive arguments
| where CommandArgs contains "delete" 
   or CommandArgs contains "/disable" 
   or CommandArgs contains "/w"
| project Timestamp, DeviceName, AccountName, FileName, CommandArgs, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for active processes or evidence of wiper execution on endpoints, focusing on the specific tools identified in the newsletter summary.

VQL — Velociraptor

-- Hunt for active wiper-related processes
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'vssadmin.exe'
   OR Name =~ 'wbadmin.exe'
   OR Name =~ 'cipher.exe'
   OR Name =~ 'bcdedit.exe'

-- Hunt for evidence of deleted VSS copies in recent event logs
SELECT System.TimeCreated, EventData, Message
FROM parse_xml(xpath=concat('//Event[', 
  'System[EventID=1 or EventID=4688]', 
  ']'))
WHERE Message =~ 'delete'
  AND Message =~ 'shadows'

Remediation Script (PowerShell)

Warning: If a waper is suspected, immediate isolation of the host is required before running scripts to prevent spread. This script checks the status of critical recovery mechanisms and ensures the Volume Shadow Copy Service (VSS) is operational if the host is safe.

PowerShell

# Validate and Enable Critical Recovery Services for Wiper Resilience
Write-Host "[+] Checking Volume Shadow Copy Service (VSS) Status..." -ForegroundColor Cyan
$vssService = Get-Service -Name VSS -ErrorAction SilentlyContinue

if ($vssService.Status -ne 'Running') {
    Write-Host "[!] WARNING: VSS Service is not running. Attempting to start..." -ForegroundColor Red
    try {
        Start-Service -Name VSS -ErrorAction Stop
        Write-Host "[+] VSS Service started successfully." -ForegroundColor Green
    } catch {
        Write-Host "[-] Failed to start VSS Service. Manual intervention required." -ForegroundColor Red
    }
} else {
    Write-Host "[+] VSS Service is Running." -ForegroundColor Green
}

# Check WinRE (Windows Recovery Environment) Configuration
Write-Host "[+] Checking Windows Recovery Environment (WinRE) status..." -ForegroundColor Cyan
try {
    $reAgentStatus = reagentc /info
    # Parse output to check if Windows RE is enabled
    if ($reAgentStatus -match "Windows RE status:\s*Enabled") {
        Write-Host "[+] Windows Recovery Environment is Enabled." -ForegroundColor Green
    } else {
        Write-Host "[!] WARNING: Windows RE is Disabled. Enabling..." -ForegroundColor Red
        reagentc /enable
    }
} catch {
    Write-Host "[-] Error checking WinRE status." -ForegroundColor Red
}

Write-Host "[+] Remediation check complete. Verify offline backups immediately." -ForegroundColor Cyan

Remediation

Immediate Actions for Energy/Utilities Sector

Isolate Affected Systems: If Lotus Waper is detected, physically or logically disconnect impacted OT/IT networks immediately to prevent the wiper from propagating to SCADA controllers or shared network drives.
Preserve Artifacts: Do not reboot or power down impacted servers if possible; capture memory dumps to analyze the wiper's initial vector.
Verify Offline Backups: Wipers target backup servers. Ensure you have verified, offline (immutable) backups that were not connected to the network during the compromise.

Mobile Threat Mitigation (Morpheus, DarkSword, NGate)

Patch iOS Devices: Update all managed iOS devices to the latest version immediately to patch the vulnerabilities exploited by DarkSword and Coruna.
MDM Enforcement: Ensure Mobile Device Management (MDM) policies restrict side-loading (Android) and enforce strong passcodes to complicate exploitation chains.
App Vetting: Ban the specific NGate variants and related malware hashes identified in the Security Affairs newsletter from your enterprise mobile app stores.

Vendor Advisory References

CISA KEV Catalog: Monitor for additions regarding Lotus Waper or associated ICS vulnerabilities.
Vendor advisories for your specific ICS/OT vendors (e.g., Siemens, Rockwell, Schneider Electric) regarding wiper indicators.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub