HermeticWiper malware used against Ukraine
Data-wiping malware dubbed HermeticWiper has impacted hundreds of machines and networks geolocated in Ukraine. It is malware used not just to infect machines but also to destroy them.
Become a certified reverse engineer!
HermeticWiper has been active since Feb. 23, 2022, and has impacted machines and Ukraine networks. The name attributed to this malware, "HermeticWiper," is based on a stolen digital certificate stolen from a company called Hermetica Digital Ltd. With a lot of features introduced by its authors, HermeticWiper can bypass Windows security features and gain write permissions to many low-level data structures on disk. One of the destructive procedures implemented by its developers is the capacity to re-write fragments on the disc to make the recovery process impossible. [CLICK IMAGES TO ENLARGE]
Figure 1: Tweet by ESET reporting the malicious IoCs related to the HermeticWiper (source).
This malware tries to bypass some security features by using a legitimate certificate by Hermetica Digital Ltd. The name of the malware is directly related to this finding.
Figure 2: Code signing certificate by Hermetica Digital Ltd used by HermeticWipe malware.
Digging into the details
HermeticWiper is a simple PE File with only 114 KBs in size but four binaries on the RCDATA section. Observing the files' names (x86 e x64) will be extracted and executed according to the target machine architecture. The files are decoded in runtime by using the LZMA algorithm.
Figure 3: Aditional binaries present in the RCDATA section.
In detail, the four files are drivers that will be installed on the target machine and found and reported by ESET on Twitter.
Figure 4: Drivers dropped by HermeticWiper and addressed by ESET on Twitter.
According to the Sentinel Labs analysis, "the benign EaseUS driver is abused to do a fair share of the heavy-lifting when it comes to accessing Physical Drives directly and getting partition information. This adds to the difficulty of analyzing HermeticWiper, as a lot of functionality is deferred to DeviceIoControl calls with specific IOCTLs".
Before installing and dropping the drive on the disk, the crash dumps are disabled.
Figure 5: Drivers dropped, and crash dumps disabled (source).
After this point, the driver is added to the system service, initiating the infection data-wiping process.
Features of HermeticWiper
Several features are activated during the malware execution, as some do not follow a logical structure. The process is the following:
- Disabling shadow copies — to make data recovery impossible
- Performing data fragmentation — to damage all the data and difficult the file carving process
- Corrupting Master Boot Record (MBR)
- Executing data collection approach by scanning NTFS directories
- Executing last stage: data overwriting
At first glance, this malware has one purpose: damaging all the data.
The next image shows the status of the disk data fragmentation before and after the malware execution.
Figure 6: Disk before the malware execution (source).
Figure 7: Disk after the malware execution — all the data was overwritten (source).
After the malware executes, the data is overwritten, making hard data recovery via forensics and file carving techniques. Even system DLLs are corrupted, causing the system to no longer start.
Figure 8: System DLLs damaged during the malware executing and "Missing operating system" after rebooting the system (sources).
Become a certified reverse engineer!
The malware wiping data in Ukraine
HermeticWiper is seen as a critical and dangerous malware as its only intent is to damage data and make it impossible to recover. It takes advantage of a code signing certificate to bypass its detection, and its attack scope is theWindows ring 0 (kernel space).
The malware initially fragments the files and overwrites those blocks to difficult the forensics process. According to security experts, "even without the last step (indiscriminate disk trashing), the combination of fragmentation and wiping of required structures (like $MFT) would be enough to make a recovery almost impossible."
In a publication by US-CERT here, some recommendations and measures can be taken to mitigate the impact of threats of this nature.
Sources:
- Hermetic-Wiper Ukraine under attack, SentinelOne
- Hermetic-Wiper analysis, MalwareBytes
- Hermetic-Wiper Alert, US-CERT
- Data-wiping malware hits Ukraine, Welivesecurity
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- HermeticWiper malware used against Ukraine
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
- What is Operation Dream Job by Lazarus?
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis