Destructive “HermeticWiper” malware strikes Ukraine


Ukraine is suffering from a variety of cyberattacks. One of the most interesting is a previously unknown malware with a destructive payload that has recently appeared on hundreds of Ukrainian machines.

On Feb. 23, a tweet from ESET Research claimed the team had found a new data-wiping malware used in Ukraine. The timeline follows the DDoS attacks aimed at several important Ukrainian websites (Figure A). The research was quickly confirmed by Symantec, a division of Broadcom Software.

Figure A

Image: Twitter. ESET Research announces the discovery of a new wiper malware targeting Ukraine.

A complex timeline of cyber events targeting Ukraine

Prior to the DDoS operations and the discovery of this new wiper, another attack struck Ukraine in the middle of January, dubbed WhisperGate, exposed by Microsoft on Jan. 15.

Microsoft reported that WhisperGate had been dropped on victim systems (several government, non-profit and information technology organizations) in Ukraine on Jan. 13. The malware was designed to look like ransomware, but it actually had no ransom recovery code in the binary file. It was developed to be destructive and render its targets unusable.


In parallel with this first wiper operation, a series of website attacks occurred in the night between Jan. 13 and 14, as reported by CERT-UA, the official government team for responding to computer incidents in Ukraine.

Several Ukrainian websites were defaced to show a message written in Ukrainian, Russian and Polish (Figure B). WhisperGate was also dropped and used on these websites. According to the Ukrainian State Service for Special Communication and Information Protection, on Jan. 13-14, 2022, nearly 70 Ukrainian websites (domestic and international) were attacked.

Figure B

Image: Talos. Image shown on compromised Ukrainian websites.

The message, roughly translated to English, is:

“Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab public, fairy tale and wait for the worst. It is for you for your past, the future and the future. For Volhynia, OUN UPA, Galicia, Poland and historical areas.”

The message shown on the defaced websites was an image. Images, unlike text, carry metadata, often including physical coordinates. In this case, the image had a specific latitude and longitude: a parking lot of the Warsaw School of Economics in Poland. The choice of an image rather than text was probably made to plant a false flag, such as that GPS position.

Serhiy Demedyuk, the deputy secretary of the national security and defense council of Ukraine, blamed the attack on a group dubbed UNC1151. He added that UNC1151 is a cyber-espionage group affiliated with the special services of the Republic of Belarus.

On Feb. 15, new DDoS attacks started against the Ukrainian Ministry of Defense along with other targets.

The next event in this long series was the appearance of the HermeticWiper malware.

HermeticWiper: A very efficient, destructive malware

Feb. 23 saw the first news about HermeticWiper, as ESET started a Twitter thread about it.

Technical analysis quickly followed. HermeticWiper is a piece of malware whose purpose is to render Windows devices unusable by wiping parts of them (Figure C).

Figure C

Image: Thomas Roccia. Overview of HermeticWiper.

One particularly interesting characteristic of this wiper is that it is a very well-written malware with very few standard functions, unlike most of the other malware in circulation.

The method it uses for wiping data has been used in the past by a few threat actors with the infamous wipers Shamoon and Destover: it abuses a legitimate Windows partition manager driver to perform its write operations. In the case of HermeticWiper, an EaseUS partition manager driver (empntdrv.sys) was abused.

The malware contains several different versions of the driver and uses the appropriate one depending on the operating system version and architecture it runs on. These different driver versions are stored as ms-compressed resources inside the malware binary. Since the malware is only 114KB, this driver data takes up more than 70% of it.
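That last observation (a small binary whose bulk is packed driver data) is something a triage script can measure statically. The Python below is an added example, not code from the article or from any of the researchers it cites; it assumes that "ms-compressed" means the SZDD container written by COMPRESS.EXE and read by expand.exe. It carves every SZDD header out of a file, expands the data that follows with the SZDD LZSS scheme, and reports what share of the file the containers occupy. The input is a constructed byte string with one hand-encoded container, not a real sample.

```python
"""Carve and expand Microsoft 'SZDD' compressed blobs embedded in a binary.

Added example (not the article's or any vendor's code). Assumes "ms-compressed"
means the SZDD container written by COMPRESS.EXE / read by expand.exe.
"""
import struct
from dataclasses import dataclass

SZDD_MAGIC = b"SZDD\x88\xF0\x27\x33"   # 8-byte SZDD signature
SZDD_HEADER_LEN = 14                   # magic(8) + mode(1) + missing char(1) + uncompressed length(4)
WINDOW = 4096


@dataclass
class SzddBlob:
    offset: int            # where the SZDD header starts in the file
    compressed_size: int   # header + consumed payload bytes
    data: bytes            # expanded content


def szdd_expand(payload: bytes, expected_len: int):
    """LZSS expander used by SZDD: 4 KiB ring buffer pre-filled with spaces,
    write pointer starts at 4080; each control byte gives 8 flags (LSB first)
    where a set bit means a literal byte and a clear bit means a
    (position, length) copy out of the window.
    Returns (expanded_bytes, payload_bytes_consumed)."""
    window = bytearray(b" " * WINDOW)
    pos = WINDOW - 16
    out = bytearray()
    i = 0
    while i < len(payload) and len(out) < expected_len:
        control = payload[i]
        i += 1
        for bit in range(8):
            if len(out) >= expected_len or i >= len(payload):
                break
            if control & (1 << bit):                   # literal
                b = payload[i]
                i += 1
                window[pos] = b
                pos = (pos + 1) % WINDOW
                out.append(b)
            else:                                      # back-reference into the window
                if i + 1 >= len(payload):
                    return bytes(out), i
                b1, b2 = payload[i], payload[i + 1]
                i += 2
                src = b1 | ((b2 & 0xF0) << 4)
                for _ in range((b2 & 0x0F) + 3):
                    if len(out) >= expected_len:
                        break
                    b = window[src]
                    src = (src + 1) % WINDOW
                    window[pos] = b
                    pos = (pos + 1) % WINDOW
                    out.append(b)
    return bytes(out), i


def carve_szdd(blob: bytes):
    """Find every SZDD header in `blob` and expand the data that follows it."""
    found = []
    start = 0
    while True:
        off = blob.find(SZDD_MAGIC, start)
        if off < 0 or off + SZDD_HEADER_LEN > len(blob):
            break
        uncompressed_len = struct.unpack_from("<I", blob, off + 10)[0]
        data, used = szdd_expand(blob[off + SZDD_HEADER_LEN:], uncompressed_len)
        found.append(SzddBlob(off, SZDD_HEADER_LEN + used, data))
        start = off + SZDD_HEADER_LEN + used
    return found


def compressed_fraction(blob: bytes) -> float:
    """Share of the file occupied by SZDD containers; a high value on a small
    executable is the 'mostly packed driver' shape the article describes."""
    return sum(b.compressed_size for b in carve_szdd(blob)) / len(blob)


# --- constructed sample (not a real malware sample) -------------------------
# Payload hand-encoded: control 0xFF -> 8 literals "empntdrv"; control 0x1F ->
# 5 literals ".sys\0", then one copy of 13 bytes from window position 4080.
_PAYLOAD = b"\xFF" + b"empntdrv" + b"\x1F" + b".sys\x00" + b"\xF0\xFA"
_HEADER = SZDD_MAGIC + b"A" + b"s" + struct.pack("<I", 26)
SAMPLE = b"MZ" + b"\x90" * 30 + _HEADER + _PAYLOAD + b"\x00" * 20

if __name__ == "__main__":
    for b in carve_szdd(SAMPLE):
        print(f"SZDD at 0x{b.offset:x}: {b.compressed_size} packed bytes -> {b.data!r}")
    print(f"compressed fraction of file: {compressed_fraction(SAMPLE):.1%}")
```

Run it against a real file with `carve_szdd(open(path, "rb").read())`; the expanded data can then be fed to a PE parser or a hashing step, and the fraction is a cheap feature for flagging small executables that are mostly embedded drivers.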

One of the first actions performed by HermeticWiper consists of disabling the volume shadow copy, a system that can help administrators restore a crashed system.

HermeticWiper then corrupts the Master Boot Record (MBR) of the device, and wipes files in several strategic folders of the Windows operating system:

  • C:\Documents and Settings
  • C:\System Volume Information
  • C:\Windows\SYSVOL
  • C:\Windows\System32\winevt\Logs

The last destructive action consists of determining whether the hard drive's partition file system is FAT or NTFS and corrupting the partition accordingly. Once done, the system is forced to shut down and will never be able to boot again.

By doing this, the malware ensures the system is completely unusable.
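The sequence above (MBR corruption, then filesystem-specific partition corruption) is what a responder sees when imaging a wiped disk. As an added example that is not from the article, the Python below reads a raw disk image, validates the MBR boot signature and partition table, classifies each partition's first sector as NTFS or FAT by the same on-disk markers the wiper has to check, and reports whether anything bootable survives. The two disk images are constructed inside the block; the "wiped" one is simply zeroed sectors, standing in for the unrecoverable state the article describes.

```python
"""Offline MBR / volume-boot-sector integrity check for a raw disk image.

Added example, not code from the article. The sample images are constructed
in this block; the "wiped" image is zeroed sectors standing in for the
unrecoverable state a wiper leaves behind.
"""
import struct

SECTOR = 512
FS_TYPES = ("NTFS", "FAT12", "FAT16", "FAT32")


def build_mbr(partitions):
    """Construct a 512-byte MBR from (bootable, type_byte, lba_start, sector_count) tuples."""
    mbr = bytearray(SECTOR)
    for n, (bootable, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        off = 446 + 16 * n
        mbr[off] = 0x80 if bootable else 0x00
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, lba_start, sectors)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def build_ntfs_boot_sector():
    """Construct a minimal NTFS volume boot record: jump, OEM ID, bytes/sector, signature."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<H", vbr, 11, SECTOR)
    vbr[510:512] = b"\x55\xAA"
    return bytes(vbr)


def parse_mbr(sector):
    """Return the boot-signature check and the non-empty primary partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for n in range(4):
        e = sector[446 + 16 * n: 446 + 16 * (n + 1)]
        ptype = e[4]
        if ptype == 0:
            continue
        lba_start, sectors = struct.unpack_from("<II", e, 8)
        parts.append({"bootable": e[0] == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == b"\x55\xAA", "partitions": parts}


def classify_boot_sector(sector):
    """Identify the filesystem from the markers a boot sector carries:
    NTFS by its OEM ID at offset 3, FAT by the FS-type string in the BPB."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        return "no-signature"
    if sector[3:11] == b"NTFS    ":
        return "NTFS"
    if sector[0x52:0x57] == b"FAT32":
        return "FAT32"
    if sector[0x36:0x3B] in (b"FAT12", b"FAT16"):
        return sector[0x36:0x3B].decode("ascii")
    return "unknown"


def check_disk_image(image):
    """Validate the MBR, then classify the first sector of every partition it lists."""
    mbr = parse_mbr(image[:SECTOR])
    report = {"mbr_signature_ok": mbr["signature_ok"], "partitions": []}
    for p in mbr["partitions"]:
        start = p["lba_start"] * SECTOR
        fs = classify_boot_sector(image[start:start + SECTOR])
        report["partitions"].append({**p, "filesystem": fs})
    report["bootable"] = mbr["signature_ok"] and any(
        p["filesystem"] in FS_TYPES for p in report["partitions"])
    return report


# --- constructed images: a healthy one-partition NTFS disk and a zeroed (wiped) one ---
GOOD_IMAGE = build_mbr([(True, 0x07, 1, 2)]) + build_ntfs_boot_sector() + bytes(SECTOR)
WIPED_IMAGE = bytes(3 * SECTOR)

if __name__ == "__main__":
    for name, img in (("good", GOOD_IMAGE), ("wiped", WIPED_IMAGE)):
        print(name, check_disk_image(img))
```

On a real image, `check_disk_image(open(path, "rb").read())` (or a memory-mapped file for large disks) gives a quick first answer to "is the boot chain intact", before slower carving of the wiped folders begins; GPT disks would need an additional parser, which this example does not include.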

So far, HermeticWiper has only been spread and used in Ukraine. On a side note, the name of this malware comes from the fact that it uses a code-signing certificate issued to a company named Hermetica Digital Ltd, valid as of April 2021. According to SentinelOne's research on HermeticWiper, "it's possible that the attackers used a shell company or appropriated a defunct company to issue this digital certificate."

How to stay safe from HermeticWiper?

Use of HermeticWiper outside of Ukraine is not expected. Indicators of compromise (IOCs) have been shared along with YARA rules to help detect the malware on systems.

Unlike other malware whose actions are usually controlled by a threat actor via network communications, HermeticWiper doesn't need any. Therefore, there is no network pattern to analyze for detecting the malware, except if it is downloaded over a network, in which case it might be useful to deploy deep packet inspection (DPI) to detect the binary. Endpoints should be scanned for these IOCs.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.