OVERVIEW
The HermeticWiper malware variant was first identified by researchers from ESET and Broadcom’s Symantec on February 23, 2022 and has been observed attacking Ukrainian government and organizations during the tensions between Ukraine and Russia. The variant has been observed as a wiper, similar in purpose to the NotPetya attack in 2017 and the more recent WhisperGate wiper variant of January 2022, which is to destroy data and render it unrecoverable.
TARGETING
HermeticWiper, as of February 2022, has been observed being used in an active campaign targeting Ukrainian government and related organizations.
DELIVERY
HermeticWiper’s method of delivery has not been confirmed as of January 2022; it is speculated that it may be delivered via email attachments, malicious links, and social engineering. It was reported that one of the targeted organizations had the wiper dropped via GPO, meaning the attackers already had initial access to that environment.
INSTALLATION
HermeticWiper has been observed being installed by a malicious code-signed application, allowing it to circumvent initial security tooling. It then abuses legitimate drivers from the EaseUS Partition Master software to carry out the data corruption system-wide.
PERSISTENCE
Persistence is achieved through the observed corruption of the Master Boot Record on all associated physical drives, rendering the victim host unrecoverable.
Threat Update – 3 March 2022
Two additional hunt packages have been released pertaining to HermeticWiper. One package focuses on registry-based detection of the service creation behavior associated with HermeticWiper, which allows more log sources to be used for identification. The other package focuses on the deployment technique used by HermeticWizard to bypass application whitelisting, a technique commonly used to circumvent AppLocker in order to deploy HermeticWiper in a victim’s environment.
Threat Update – 24 Feb 2022
Threat Summary
The HermeticWiper malware variant was first identified by researchers from ESET and Broadcom’s Symantec on February 23, 2022 and has been observed attacking Ukrainian government and organizations during the tensions between Ukraine and Russia. The malware’s emergence came right after DDoS (distributed denial of service) attacks against Ukrainian websites. The name “Hermetic” is derived from the name of the Cypriot company to which the code-signing certificate was issued, “Hermetica Digital”. Specific intent and targets have not yet been identified explicitly, but given the events occurring in parallel, systems within or associated with Ukraine should be prepared accordingly; hundreds of computers on their networks have already been targeted since its discovery.
The variant has been observed as a wiper, similar in purpose to the NotPetya attack in 2017 and the more recent WhisperGate wiper variant of January 2022, which is to destroy data and render it unrecoverable. What distinguishes HermeticWiper (in addition to its use of a code-signing certificate) is the abuse of legitimate drivers for data corruption. Although it currently targets Ukraine, and given how new this variant is at the time of writing, it is feasible that this malware, a modified version of it, or its techniques will be used by another threat group.
Threat Synopsis
The HermeticWiper malware variant was discovered targeting the Ukrainian government and affiliated organizations in late February 2022 during the ongoing Ukraine-Russia conflict, with the observed intention of causing irreparable data loss to targeted victims via data corruption. The initial distribution of HermeticWiper could be via common vectors such as email attachments, malicious links, and social engineering; however, it was reported that one of the targeted organizations had the wiper dropped via GPO, meaning that they were already compromised before HermeticWiper was used.
In order to avoid detection by security tools, the variant is signed with a digital certificate (issued to the company Hermetica Digital Ltd) and is a small application of around 114 KB in size. After execution, it abuses legitimate drivers from the EaseUS Partition Master software in order to conduct the system-wide data corruption. The data corruption combs the system and includes Windows Shadow Copies as well.
Continuing the process, the malware enumerates physical drives and corrupts the Master Boot Record of every physical drive. SentinelOne states that the variant also operates differently depending on the partition type (FAT vs. NTFS), choosing to parse the Master File Table first for NTFS. The malware has also been observed enumerating common folders, the registry and logs, as well as disabling crash dumps. At this point the victim’s machine is restarted and, once the wiper has run its course, is rendered unusable.
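As an added illustration (not part of this advisory or its hunt packages) of how the service creation behaviour from the 3 March update and the crash-dump disabling described above could be hunted in telemetry, the Python below applies three rules to constructed event records. The field names follow the Windows System log event 7045 (service installed) and Sysmon event 13 (registry value set); the sample records, service name and driver path are invented.

```python
"""Hunt rules over constructed Windows event records for behaviours the advisory
describes: a kernel-mode driver being registered as a service, and crash dumps
being disabled through the CrashControl registry key. Sample data is invented."""
import re

# Constructed sample records (not real telemetry); keys mirror event 7045 / Sysmon 13 fields.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "zxcv", "ServiceType": "kernel mode driver",
     "ImagePath": r"C:\Windows\System32\Drivers\zxcv.sys"},
    {"EventID": 7045, "ServiceName": "Spooler", "ServiceType": "user mode service",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 13, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled"},
    {"EventID": 13, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\zxcv\Type"},
    {"EventID": 13, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\Software\Example\Setting"},
]

DRIVER_DIR = re.compile(r"\\system32\\drivers\\", re.IGNORECASE)
CRASH_DUMP_KEY = re.compile(r"\\CrashControl\\CrashDumpEnabled$", re.IGNORECASE)
SERVICE_TYPE_KEY = re.compile(r"\\CurrentControlSet\\Services\\([^\\]+)\\Type$", re.IGNORECASE)
SERVICE_KERNEL_DRIVER = 0x1  # SERVICE_KERNEL_DRIVER bit in a service's registry Type value


def dword_value(details):
    """Parse Sysmon's 'DWORD (0x...)' detail string into an int, or None if absent."""
    m = re.search(r"0x([0-9a-fA-F]+)", details or "")
    return int(m.group(1), 16) if m else None


def hunt(events):
    """Return (rule_name, detail) tuples for every record that matches a hunt rule."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7045 and "kernel" in ev.get("ServiceType", "").lower() \
                and DRIVER_DIR.search(ev.get("ImagePath", "")):
            hits.append(("kernel_driver_service_installed",
                         f"{ev['ServiceName']} -> {ev['ImagePath']}"))
        elif eid == 13:
            target, value = ev.get("TargetObject", ""), dword_value(ev.get("Details"))
            if CRASH_DUMP_KEY.search(target) and value == 0:
                hits.append(("crash_dumps_disabled", target))
            m = SERVICE_TYPE_KEY.search(target)
            if m and value is not None and value & SERVICE_KERNEL_DRIVER:
                hits.append(("kernel_driver_service_registry", m.group(1)))
    return hits


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

A kernel driver install alone is common on a healthy host; the value of these rules comes from correlating a fresh driver service with a crash-dump change and a shortly following unexpected reboot.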