[MART] - Daily Diary #462 - HermeticWiper Wipes Devices Across Ukraine

CTAS-MAT ctas-mat at appgate.com
Thu Mar 3 23:02:19 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

03/03/2022 - Diary entry #462:

In our Daily Diary #412 we covered Wipers, a very dangerous kind of malware used to erase data or make devices unusable. Wipers are not very common because of their destructive nature. Unlike Ransomware, which generally leaves encrypted files and a working system in order to demand ransom payments, Wipers break everything and don't leave much room for profit. They can still be found deployed on systems after an attack, to erase traces, or when the attacker's goal is simply to disrupt systems and operations. This week a new malware, dubbed HermeticWiper, was disclosed after attacks on Ukrainian infrastructure and on some of its neighboring countries, like Latvia and Lithuania.

HermeticWiper is a very small malware, under 150KB, which makes it easy to transfer quickly to new devices. The malware abuses the trusted "EaseUS Partition Master" software (used to create and organize partitions on storage devices) to corrupt partitions and delete the MBR before rebooting the device, effectively making it unusable. The malware is named after the "Hermetica Digital Ltd" certificate embedded in the analyzed samples, but other samples used different certificates to gain the trust of the operating system.
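
As an added illustration of the MBR damage described above (this is not code from the diary or from any analysis of the samples), the following Python parses the first sector of a raw disk image and reports whether the boot signature and partition table are still intact, which is a quick triage check for a device that no longer boots. The sample MBR and the zeroed sector are constructed here for demonstration, not taken from a real infected device.

```python
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
ENTRY_FMT = "<B3xB3xII"               # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR and report how much of it survives.

    Reports the boot signature status, the non-empty partition entries and
    whether the boot-code area is entirely zero, the kind of damage an MBR
    overwrite leaves behind.
    """
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR sector must be exactly 512 bytes")
    boot_code = sector[:446]
    table = sector[446:510]
    signature = sector[510:512]
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, table[i * 16:(i + 1) * 16])
        if ptype != 0 and sectors != 0:       # skip empty entries
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": signature == BOOT_SIGNATURE,
        "boot_code_zeroed": not any(boot_code),
        "partitions": partitions,
        "intact": signature == BOOT_SIGNATURE and bool(partitions),
    }


def build_sample_mbr() -> bytes:
    """Constructed, healthy MBR: one bootable NTFS-type (0x07) partition at LBA 2048."""
    boot_code = b"\xfa" + b"\x90" * 445    # placeholder boot code, not real code
    entry = struct.pack(ENTRY_FMT, 0x80, 0x07, 2048, 1_000_000)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


def wiped_mbr() -> bytes:
    """Constructed example of the first sector after it has been zeroed."""
    return b"\x00" * MBR_SIZE


def check_disk_image(path: str) -> dict:
    """Read the first sector of a raw disk image (e.g. a dd copy) and parse it."""
    with open(path, "rb") as f:
        return parse_mbr(f.read(MBR_SIZE))
```

Run `check_disk_image` against a forensic image of the affected disk; a zeroed boot-code area with a missing signature and no partition entries is consistent with the MBR deletion described above, while an intact table with unreadable volumes points at partition corruption instead.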

HermeticWiper does not implement lateral-movement techniques but was found deployed through Active Directory group policies, infecting several machines in the same organization. That means HermeticWiper is probably deployed in targeted, human-driven attacks, after another malware, like a botnet or a backdoor, has first infected and spread through the network. This malware also requires elevated privileges to execute, meaning that some other privilege escalation or identity compromise must be carried out before deploying it.

The actors behind HermeticWiper remain unidentified, and it's not clear whether those attacks are related to the current Ukraine-Russia conflict.

Kind Regards,