What is HermeticWiper? The destructive malware targeting Ukraine
I’ve been closely following coverage and intelligence related to the Russian invasion of Ukraine nearly round the clock. Things are moving quickly, so some of the following information may change as the situation evolves.
On Wednesday, February 23rd, ESET Research and Symantec warned of a new wiper malware circulating among Ukrainian, Lithuanian, and Latvian organizations in the financial, defense, aviation, and IT services sectors. This malware, named Trojan.KillDisk, has been nicknamed HermeticWiper and it is similar but distinct to WhisperGate, the wiper that was spreading through Ukraine in January this year.
What is it?
This malware corrupts the MBR (Master Boot Record) of each physical drive and every drive partition of a target Windows device. The MBR is vital as it tells the computer how and where data is stored – including where it can find the operating system. If a computer cannot find the operating system files, it will not boot properly. This renders the host inoperable.
The custom-written executable uses a legitimate third-party partition management driver to interact with the file system directly, instead of through Windows. This is a familiar technique previously used by Iranian and North Korean attackers designed to sidestep Windows security features. While those attacks exploited RawDisk, HermeticWiper uses a driver from EaseUS Partition Manager.
Why the name HermeticWiper?
The answer is simple: the malware was signed with an EV security certificate issued to Cypriot video game developer Hermetica Digital Ltd. The firm’s 24-year-old proprietor told Reuters that “he never sought a digital certificate and had no idea one had been issued to his firm.” To explain how Hermetica’s identity came to be associated with the malware, one must examine the process to obtain an EV certificate. ReversingLabs has an excellent article examining the most-likely method by which the certificate was issued: executive impersonation.
This certificate was highly valuable to the attackers; with it, the execution of their malicious program entirely skips the Windows SmartScreen security prompt pictured above. The extensive vetting required for an EV certificate is enough to provide instant trust with the operating system.
How did the attack chain look?
During initial investigations, it appears that the attack chain varied from target to target. Zscaler’s investigation reveals that initial access was gained from a successful spearphishing email campaign. Spearphishing is a type of phishing attack in which the victim is targeted with tailored bait, as opposed to a mass-phishing campaign that is not tailored to victims. You can see one of the chains observed by Zscaler in the following figure.
From the spearphishing email, victims downloaded a RAR archive containing malicious DOCX or LNK file, from which a series of execution tactics were run, resulting in communication between the target host and command and control (C2) infrastructure.
In a different investigation conducted by Symantec on another targeted Ukrainian organization, initial network access was gained through malicious SMB activity against a Microsoft Exchange Server, whereupon the attackers installed a web shell before deploying Trojan.KillDisk.
At a Lithuanian organization, Symantec observed the use of a Tomcat exploit to run PowerShell commands before executing the wiper.
At yet another Ukrainian organization, Symantec noted the use of a known exploit on an unpatched version of Microsoft SQL Server to compromise the target network.
What was the timeframe for this attack?
HermeticWiper was observed for the first time by researchers on February 23rd. ESET Research writes that the compilation timestamp on the malware was December 28th, 2021. Symantec discovered malicious activity on target networks as early as November 2021. These dates indicate that the attack may have been in planning for some time.
The certificate issued to Hermetica Digital Ltd used in this attack was valid as of April 2021. While it is tempting to say that the attack may have been planned since at least that time, I have significant doubts about that theory. Instead, it’s more likely that the certificate was issued to a separate threat actor, perhaps a criminal organization, then sold to the perpetrator of the HermeticWiper attacks.
Who did this?
Given the circumstances – Russia’s invasion of Ukraine mere hours after HermeticWiper was observed – it’s convenient for the casual observer to point fingers at Russian threat actors. Upon deeper consideration, this theory seems to fit. For instance, the disruptions caused by HermeticWiper align with Russian strategic goals. The attack tracks very well to the types of attacks perpetrated by Russia in Estonia in 2007, Georgia in 2008, and in Ukraine from 2014 onwards.
A clue to which group conducted the attack comes from the Zscaler investigation. One of the C2 domains used to host payloads for this attack was previously associated with Gamaredon, otherwise known as Primitive Bear. This group’s motives closely align with those of the Russian government. They have been and are currently targeting Ukrainian organizations. In November 2021, Ukraine announced the association between Gamaredon and the Russian Federal Security Service (FSB).
While these clues are a far cry from definitive proof, they’re certainly convincing. Many are already labelling HermeticWiper as the opening salvo in Moscow’s assault. Surely as the war in Ukraine progresses, attacks in cyberspace will broaden in frequency and scope. I expect more details to come to light.
For IOCs, see the reports from SentinelLabs, Zscaler, and Symantec linked below.
Sources
SentinelLabs, https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
WeLiveSecurity by ESET, https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/
ReversingLabs, https://blog.reversinglabs.com/blog/digital-certificates-impersonated-executives-as-certificate-identity-fronts
Zscaler, https://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine
CISA, https://www.cisa.gov/uscert/ncas/alerts/aa22-057a
Bleeping Computer, https://www.bleepingcomputer.com/news/security/ukraine-links-members-of-gamaredon-hacker-group-to-russian-fsb/