Threat Description
Hashes: 912342f1c840a42f6b74132f8a7c4ffe7d40fb77, 61b25d11392172e587d8da3045812a66c3385451
HermeticWiper was found deployed in some Ukrainian organizations a day before the Russian invasion on February 24, 2022. This malware was given the name “HermeticWiper” based on a stolen digital certificate from a company called Hermetica Digital Ltd. The malware was compiled on December 28, 2021 as seen on its file properties.
Initial Access
Based on the reported incidents, this malware was deployed through the default domain policy (GPO). Some incidents also reported that it was employed using impacket’s wmiexec.py or using a custom worm known as HermeticWizard.
In any case, the threat actors are believed to have had access to the network before deploying this malware.
Analysis
HermeticWiper is a Windows executable with embedded binaries in its resource section. These are legitimate drivers from the EaseUS Partition Master software.
Hashes of the extracted drivers:
- DRV_X64 : 0E84AFF18D42FC691CB1104018F44403C325AD21
- DRV_X86 : 379FF9236F0F72963920232F4A0782911A6BD7F7
- DRV_XP_X64 : 87BD9404A68035F8D70804A5159A37D1EB0A3568
- DRV_XP_X86 : B33DD3EE12F9E6C150C964EA21147BF6B7F7AFA
Before installing these drivers, it adjusts its token privileges, enabling “SeShutdownPrivilege” and “SeBackupPrivilege”, which allow the malware to reboot the system and manipulate system backups.
It extracts the driver from its resource section and installs it as a service, dropping the .sys file under a random four-letter name, e.g., jldr.sys.
It also disables the crash dump, which would otherwise contain a snapshot of the system at the time of a crash.
It disables Volume Shadow Copies to prevent backups.
It overwrites the master boot record (MBR) and the master file table (MFT) with random bytes, which is the true destructive function and makes the system unbootable.
It also overwrites $Bitmap and $Logfile and files inside C:\Documents and Settings. $Bitmap contains information about free and occupied clusters and $Logfile contains a log of transactions that happened in the filesystem.
Finally, it initiates the shutdown to reboot the system. Since the MBR was overwritten, the system will not boot.
Some systems would crash even before reaching the shutdown process. In one of our tests, the system crashed after running the wiper malware for several minutes.
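The behaviour chain described above (privilege adjustment followed by installation of a kernel driver service with a random four-letter .sys name) can be turned into a simple host-level detection. The following is an added example, not code from the original report: it runs over constructed key=value log lines (not a real Windows log export) and assumes Windows event IDs 4703 (a user right was adjusted) and 7045 (a service was installed) as the log source.

```python
import re

# Constructed sample events in a simplified key=value form (not a real Windows log export).
# Event IDs assumed: 4703 = "A user right was adjusted" (token privilege enabled),
# 7045 = "A service was installed in the system".
SAMPLE_EVENTS = [
    "host=ws01 event=4703 process=C:\\Temp\\sample.exe enabled=SeShutdownPrivilege,SeBackupPrivilege",
    "host=ws01 event=7045 service=jldr image=C:\\Windows\\System32\\drivers\\jldr.sys type=kernel",
    "host=ws02 event=4703 process=C:\\Windows\\explorer.exe enabled=SeShutdownPrivilege",
    "host=ws02 event=7045 service=EaseUS image=C:\\Program Files\\EaseUS\\drv_x64.sys type=kernel",
]

KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")            # key=value pairs; values may contain spaces
FOUR_LETTER_SYS = re.compile(r"^[a-z]{4}\.sys$", re.I)  # e.g. jldr.sys, as described in the analysis
WIPER_PRIVS = {"SeShutdownPrivilege", "SeBackupPrivilege"}


def parse_event(line):
    """Turn one key=value line into a dict."""
    return dict(KV.findall(line))


def analyze(events):
    """Return {host: [reasons]} for hosts showing both indicators:
    the privilege pair being enabled AND a kernel driver service with a 4-letter .sys name."""
    privs, drivers = {}, {}
    for line in events:
        ev = parse_event(line)
        host = ev.get("host")
        if ev.get("event") == "4703":
            privs.setdefault(host, set()).update(ev.get("enabled", "").split(","))
        elif ev.get("event") == "7045" and ev.get("type") == "kernel":
            name = ev.get("image", "").rsplit("\\", 1)[-1]
            if FOUR_LETTER_SYS.match(name):
                drivers.setdefault(host, []).append(name)
    findings = {}
    for host in set(privs) | set(drivers):
        has_privs = WIPER_PRIVS <= privs.get(host, set())
        names = drivers.get(host, [])
        if has_privs and names:  # require both to keep noise (e.g. a legitimate EaseUS install) down
            findings[host] = ["enabled SeShutdownPrivilege and SeBackupPrivilege"] + [
                f"kernel driver service with random-looking 4-letter name: {n}" for n in names
            ]
    return findings


if __name__ == "__main__":
    for host, reasons in analyze(SAMPLE_EVENTS).items():
        print(host, reasons)
```

Only ws01 is flagged: ws02 enables a single privilege and installs a driver whose name does not fit the four-letter pattern.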
Indicators of Compromise
References
https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/