Hashes: 912342f1c840a42f6b74132f8a7c4ffe7d40fb77, 61b25d11392172e587d8da3045812a66c3385451
HermeticWiper was found deployed in some Ukrainian organizations a day before the Russian invasion on February 24, 2022. The malware was given the name “HermeticWiper” because it is signed with a stolen digital certificate issued to a company called Hermetica Digital Ltd. According to its file properties, the malware was compiled on December 28, 2021.
Based on the reported incidents, this malware was deployed through the default domain policy (GPO). Some incidents also reported that it was employed using impacket’s wmiexec.py or using a custom worm known as HermeticWizard.
In any case, it is believed that the threat actors already had access to the network before deploying this malware.
HermeticWiper is a Windows executable with embedded binaries in its resource section. These are legitimate drivers from the EaseUS Partition Master software.
Hashes of the extracted drivers:
- DRV_X64 : 0E84AFF18D42FC691CB1104018F44403C325AD21
- DRV_X86 : 379FF9236F0F72963920232F4A0782911A6BD7F7
- DRV_XP_X64 : 87BD9404A68035F8D70804A5159A37D1EB0A3568
- DRV_XP_X86 : B33DD3EE12F9E6C150C964EA21147BF6B7F7AFA
Before installing these drivers, it enables two privileges, “SeShutdownPrivilege” and “SeBackupPrivilege”, which allow the malware to reboot the system and to manipulate system backups.
It extracts the driver from its resource section and installs it as a service. The .sys file is dropped with a random four-letter name, e.g., jldr.sys.
It also disables crash dumps, which would otherwise contain a snapshot of the system at the time of a crash.
It disables Volume Shadow Copies to prevent recovery from backups.
It overwrites the master boot record (MBR) and the master file table (MFT) with random bytes, which is the true destructive function and makes the system unbootable.
It also overwrites $Bitmap and $Logfile and files inside C:\Documents and Settings. $Bitmap contains information about free and occupied clusters and $Logfile contains a log of transactions that happened in the filesystem.
Finally, it initiates the shutdown to reboot the system. Since the MBR was overwritten, the system will not boot.
Some systems crash even before reaching the shutdown step. In one of our tests, the system crashed after the wiper had been running for several minutes.
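As an added defender-side example (not code from the original report), the following triage helper applies two of the observations above to “service installed” records: the random four-letter .sys name the dropped driver receives, and the SHA-1 hashes of the extracted EaseUS drivers listed earlier on this page. The record shape and the sample events are constructed for illustration; the name pattern alone is weak evidence (legitimate drivers such as vmci.sys also have four-letter names), so a hash match is what raises confidence.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# SHA-1 hashes of the EaseUS drivers embedded in HermeticWiper, copied verbatim from
# this page (lowercased); the DRV_XP_X86 value is reproduced exactly as given there.
KNOWN_DRIVER_SHA1 = {
    "0e84aff18d42fc691cb1104018f44403c325ad21",  # DRV_X64
    "379ff9236f0f72963920232f4a0782911a6bd7f7",  # DRV_X86
    "87bd9404a68035f8d70804a5159a37d1eb0a3568",  # DRV_XP_X64
    "b33dd3ee12f9e6c150c964ea21147bf6b7f7afa",   # DRV_XP_X86
}

# The dropped driver gets a random four-letter name such as jldr.sys.
RANDOM_SYS_NAME = re.compile(r"^[a-z]{4}\.sys$", re.IGNORECASE)


@dataclass
class ServiceInstall:
    """One 'service installed' record (constructed shape, not a real log format)."""
    service_name: str
    image_path: str
    sha1: str  # SHA-1 of the file at image_path, computed by the collector


def assess(event: ServiceInstall) -> List[str]:
    """Return the reasons a service-install record looks like the HermeticWiper driver drop."""
    reasons = []
    basename = event.image_path.replace("/", "\\").rsplit("\\", 1)[-1]
    if RANDOM_SYS_NAME.match(basename):
        reasons.append("low: four-letter .sys driver name")
    if event.sha1.lower() in KNOWN_DRIVER_SHA1:
        reasons.append("high: hash matches embedded EaseUS driver")
    return reasons


def triage(events: List[ServiceInstall]) -> List[Tuple[str, List[str]]]:
    """Keep only records with at least one reason, with the service name for follow-up."""
    return [(e.service_name, r) for e in events if (r := assess(e))]


# Constructed sample records; hashes other than the known ones are placeholders.
SAMPLE_EVENTS = [
    ServiceInstall("jldr", r"C:\Windows\System32\drivers\jldr.sys",
                   "0E84AFF18D42FC691CB1104018F44403C325AD21"),
    ServiceInstall("vmci", r"C:\Windows\System32\drivers\vmci.sys", "placeholder-benign"),
    ServiceInstall("Sense", r"C:\Program Files\Windows Defender ATP\MsSense.exe", "placeholder"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS):
        print(name, reasons)
```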
Indicators of Compromise