{ "Event": { "analysis": "0", "date": "2022-02-24", "extends_uuid": "56cb2bd3-5525-46bd-a454-ea895a5b4d0d", "info": "HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine", "publish_timestamp": "1664880606", "published": true, "threat_level_id": "1", "timestamp": "1664880605", "uuid": "b9b6dcfa-0b11-40dc-9bf4-9a36a2c1a046", "Orgc": { "name": "Centre for Cyber security Belgium", "uuid": "5cf66e53-b5f8-43e7-be9a-49880a3b4631" }, "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:target-information=\"Ukraine\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Destruction - T1485\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Disk Structure Wipe - T1561.002\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Signed Binary Proxy Execution - T1218\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Group Policy Modification - T1484.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#054300", "local": false, "name": "admiralty-scale:source-reliability=\"a\"", "relationship_type": "" }, { "colour": "#0eb100", "local": false, "name": "admiralty-scale:information-credibility=\"1\"", "relationship_type": "" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1645686071", "to_ids": true, "type": "md5", "uuid": "de0bd41d-ffac-4e5a-8ffd-63c0ba4c6979", "value": "231b3385ac17e41c5bb1b1fcb59599c4" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1645686071", "to_ids": true, "type": "md5", "uuid": "dc288e70-bf4b-46cc-84aa-515e39f3b433", "value": "095a1678021b034903c85dd5acb447ad" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1645686071", "to_ids": true, "type": "md5", "uuid": "e499240c-bfd1-4e5b-a70b-244c11d69053", "value": "eb845b7a16ed82bd248e395d9852f467" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1645688022", "to_ids": false, "type": "link", "uuid": "194c007c-eb84-4987-ae29-4dca3b02db47", "value": "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/" }, { "category": "Artifacts dropped", "comment": "Effectively disables crash dumps before the abused driver's execution starts", "deleted": false, "disable_correlation": true, "timestamp": "1645688123", "to_ids": false, "type": "regkey|value", "uuid": "8c55aae8-9ee3-4488-93e8-ee3998518fce", "value": "SYSTEM\\CurrentControlSet\\Control\\CrashControl CrashDumpEnabled|0" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1645688459", "to_ids": true, "type": "filename", "uuid": "85ca7a94-fcfb-4097-affc-0b102ae4dff5", "value": "empntdrv.sys" } ], "Object": [ { "comment": "912342f1c840a42f6b74132f8a7c4ffe7d40fb77: Enriched via the virustotal module", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "4", "timestamp": "1645687145", "uuid": "d611f80f-3015-4e5a-ba28-a4219aae2114", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "permalink", "timestamp": "1645687142", "to_ids": false, "type": "link", "uuid": "df316954-b61d-436a-8804-d2f38a368eeb", "value": "https://www.virustotal.com/gui/file/0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da/detection/f-0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da-1645685791" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1645687145", "to_ids": false, "type": "text", "uuid": "8becd4d8-0f4c-429a-a3d4-9e33ac8f55c5", "value": "8/71" } ] }, { "comment": "912342f1c840a42f6b74132f8a7c4ffe7d40fb77: Enriched via the virustotal module", "deleted": false, "description": "File object describing a file with meta-information", "first_seen": "2022-02-24T06:35:51+00:00", "last_seen": "2022-02-24T06:35:51+00:00", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1645687295", "uuid": "f6a02b6b-91df-4a01-9115-798e59bc7023", "ObjectReference": [ { "comment": "", "object_uuid": "f6a02b6b-91df-4a01-9115-798e59bc7023", "referenced_uuid": "d611f80f-3015-4e5a-ba28-a4219aae2114", "relationship_type": "analysed-with", "timestamp": "1664880605", "uuid": "dcd014f8-ccb2-4885-8563-6f2799ffd2a2" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1645687295", "to_ids": true, "type": "md5", "uuid": "ec4a3df5-9479-4468-a990-a3f97ff69a1b", "value": "84ba0197920fd3e2b7dfa719fee09d2f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1645687295", "to_ids": true, "type": "sha1", "uuid": "27637845-3dbd-4454-ad6c-51b7d05e22e9", "value": "912342f1c840a42f6b74132f8a7c4ffe7d40fb77" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1645687295", "to_ids": true, "type": "sha256", "uuid": "2b89b426-8ae3-483c-8a10-46acc4b9a441", "value": "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da" } ] }, { "comment": "61b25d11392172e587d8da3045812a66c3385451: Enriched via the virustotal module", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "4", "timestamp": "1645687548", "uuid": "d9a1332e-3511-4417-97c8-f30621513106", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "permalink", "timestamp": "1645687548", "to_ids": false, "type": "link", "uuid": "bafabadb-48ca-48a7-b192-ed30a1ffc57c", "value": "https://www.virustotal.com/gui/file/1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591/detection/f-1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591-1645686225" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1645687545", "to_ids": false, "type": "text", "uuid": "fecf0286-1c32-478d-93e3-507253b34c26", "value": "28/71" } ] }, { "comment": "61b25d11392172e587d8da3045812a66c3385451: Enriched via the virustotal module", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1645687557", "uuid": "df7db285-8f67-49a0-a570-360c55604d2c", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1645687557", "to_ids": true, "type": "md5", "uuid": "b5d4be4e-d2cf-479b-90bf-6ad348b213dd", "value": "3f4a16b29f2f0532b7ce3e7656799125" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1645687554", "to_ids": true, "type": "sha1", "uuid": "6f40134d-c3f6-45b0-bea8-10bcb3b68b1e", "value": "61b25d11392172e587d8da3045812a66c3385451" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1645687551", "to_ids": true, "type": "sha256", "uuid": "127e284e-9f47-46f6-a14d-118e7e59309a", "value": "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1645687512", "uuid": "6e410e9b-426b-49ce-a8b9-4efdf1656f24", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1645687512", "to_ids": true, "type": "md5", "uuid": "104e8a29-d087-4540-bcaa-ee455e21a157", "value": "a952e288a1ead66490b3275a807f52e5" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "5", "timestamp": "1645688599", "uuid": "c908378a-8f2a-49e1-b592-306424bd139b", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "comment", "timestamp": "1645688599", "to_ids": false, "type": "comment", "uuid": "f596d739-c866-436a-9f94-f0694db7a401", "value": "HermeticWiper - broad hunting rule" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "context", "timestamp": "1645688599", "to_ids": false, "type": "text", "uuid": "d47e6fda-a832-4855-8c6f-f2d3dc912138", "value": "disk" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1645688599", "to_ids": true, "type": "yara", "uuid": "87bdab8d-c1f2-4996-86b6-b0c9ef9536eb", "value": "rule MAL_HERMETIC_WIPER {\r\n meta:\r\n desc = \"HermeticWiper - broad hunting rule\"\r\n author = \"Friends @ SentinelLabs\"\r\n version = \"1.0\"\r\n last_modified = \"02.23.2022\"\r\n hash = \"1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\"\r\n strings:\r\n $string1 = \"DRV_XP_X64\" wide ascii nocase\r\n $string2 = \"EPMNTDRV\\\\%u\" wide ascii nocase\r\n $string3 = \"PhysicalDrive%u\" wide ascii nocase\r\n $cert1 = \"Hermetica Digital Ltd\" wide ascii nocase\r\n condition:\r\n uint16(0) == 0x5A4D and\r\n all of them\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1645688599", "to_ids": false, "type": "text", "uuid": "045e7288-a031-4613-bd58-6b839f4fd53a", "value": "MAL_HERMETIC_WIPER" } ] } ], "EventReport": [ { "name": "HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine", "content": "# HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine\r\n\r\n Juan Andr\u00e9s Guerrero-Saade / February 23, 2022\r\n\r\n## Executive Summary\r\n\r\n * On February 23rd, the threat intelligence community began observing a new wiper malware sample circulating in Ukrainian organizations.\r\n * Our analysis shows a signed driver is being used to deploy a wiper that erases Windows devices, after deleting shadow copies and manipulating MBR after rebooting.\r\n * This blog includes the technical details of the wiper, dubbed @[tag](HermeticWiper), and includes IOCs to allow organizations to stay protected from this attack.\r\n * This sample is actively being used against Ukrainian organizations, and this blog will be updated as more information becomes available.\r\n * @[tag](SentinelOne) customers are protected from this threat, no action is needed.\r\n \r\n ## Background\r\n\r\n On February 23rd, our friends at @[tag](Symantec) and @[tag](ESET) research tweeted hashes associated with a wiper attack in Ukraine, including one which is not publicly available as of this writing.\r\n\r\n We started analyzing this new wiper malware, calling it \u2018@[tag](HermeticWiper)\u2019 in reference to the digital certificate used to sign the sample. The digital certificate is issued under the company name \u2018Hermetica Digital Ltd\u2019 and valid as of April 2021. At this time, we haven\u2019t seen any legitimate files signed with this certificate. It\u2019s possible that the attackers used a shell company or appropriated a defunct company to issue this digital certificate.\r\n\r\n @[tag](HermeticWiper) Digital Signature This is an early effort to analyze the first available sample of @[tag](HermeticWiper). We recognize that the situation on the ground in Ukraine is evolving rapidly and hope that we can contribute our small part to the collective analysis effort.\r\n\r\n ## Technical Analysis\r\n\r\n At first glance, @[tag](HermeticWiper) appears to be a custom-written application with very few standard functions. The malware sample is 114KBs in size and roughly 70% of that is composed of resources. The developers are using a tried and tested technique of wiper malware, abusing a benign partition management driver, in order to carry out the more damaging components of their attacks. Both the @[tag](misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Lazarus Group - G0032\") (Destover) and @[tag](misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT33 - G0064\") (Shamoon) took advantage of Eldos Rawdisk in order to get direct userland access to the filesystem without calling Windows APIs. @[tag](HermeticWiper) uses a similar technique by abusing a different driver, @[attribute](85ca7a94-fcfb-4097-affc-0b102ae4dff5).\r\n\r\n @[tag](HermeticWiper) resources containing EaseUS Partition Manager drivers The copies of the driver are ms-compressed resources. The malware deploys one of these depending on the OS version, bitness, and SysWow64 redirection. \r\n\r\n EaseUS driver resource selection The benign EaseUS driver is abused to do a fair share of the heavy-lifting when it comes to accessing Physical Drives directly as well as getting partition information. This adds to the difficulty of analyzing @[tag](HermeticWiper), as a lot of functionality is deferred to DeviceIoControl calls with specific IOCTLs.\r\n\r\n ## MBR and Partition Corruption\r\n\r\n @[tag](HermeticWiper) enumerates a range of Physical Drives multiple times, from 0-100. For each Physical Drive, the \\\\.\\EPMNTDRV\\ device is called for a device number.\r\n\r\n The malware then focuses on corrupting the first 512 bytes, the Master Boot Record (MBR) for every Physical Drive. While that should be enough for the device not to boot again, @[tag](HermeticWiper) proceeds to enumerate the partitions for all possible drives.\r\n\r\n They then differentiate between FAT and NTFS partitions. In the case of a FAT partition, the malware calls the same \u2018bit fiddler\u2019 to corrupt the partition. For NTFS, the @[tag](HermeticWiper) parses the Master File Table before calling this same bit fiddling function again.\r\n\r\n MFT parsing and bit fiddling calls We euphemistically refer to the bit fiddling function in the interest of brevity. Looking through it, we see calls to Windows APIs to acquire a cryptographic context provider and generate random bytes. It\u2019s likely this is being used for an inlined crypto implementation and byte overwriting, but the mechanism isn\u2019t entirely clear at this time. \r\n\r\n Further functionality refers to interesting MFT fields ($bitmap, $logfile) and NTFS streams ($DATA, $I30, $INDEX\\_ALLOCATION). The malware also enumerates common folders (\u2018My Documents\u2019, \u2018Desktop\u2019, \u2018AppData\u2019), makes references to the registry (\u2018ntuser\u2019), and Windows Event Logs (\"\\\\\\\\?\\\\C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\"). Our analysis is ongoing to determine how this functionality is being used, but it is clear that having already corrupted the MBR and partitions for all drives, the victim system should be inoperable by this point of the execution.\r\n\r\n Along the way, @[tag](HermeticWiper)\u2019s more mundane operations provide us with further IOCs to monitor for. These include the momentary creation of the abused driver as well as a system service. It also modifies several registry keys, including setting the SYSTEM\\CurrentControlSet\\Control\\CrashControl CrashDumpEnabled key to **0**, effectively disabling crash dumps before the abused driver\u2019s execution starts. \r\n\r\n Disabling CrashDumps via the registry Finally, the malware waits on sleeping threads before initiating a system shutdown, finalizing the malware\u2019s devastating effect.\r\n\r\n ## Conclusion\r\n\r\n After a week of defacements and increasing DDoS attacks, the proliferation of sabotage operations through wiper malware is an expected and regrettable escalation. At this time, we have a very small sliver of aperture into the attacks in Ukraine and subsequent spillover into neighboring countries and allies. If there\u2019s a silver lining to such a difficult situation, it\u2019s seeing the open collaboration between threat intel research teams, independent researchers, and journalists looking to get the story straight. Our thanks to the researchers at @[tag](Symantec), @[tag](ESET), Stairwell, and RedCanary among others who\u2019ve contributed samples, time, and expertise.\r\n\r\n## Indicators of Compromise\r\n\r\n|HermeticWiper|SHA1|\r\n|--- |--- |\r\n|Win32 EXE|@[attribute](c91e9f47-a3e8-4a6d-8ad7-e190172660a4)|\r\n|Win32 EXE|@[attribute](588cc8e9-356b-4e4f-9a0c-c99e88d6bc62)|\r\n\r\n|ms-compressed|SHA1|\r\n|--- |--- |\r\n|RCDATA_DRV_X64|@[attribute](104e8a29-d087-4540-bcaa-ee455e21a157)|\r\n|RCDATA_DRV_X86|@[attribute](de0bd41d-ffac-4e5a-8ffd-63c0ba4c6979)|\r\n|RCDATA_DRV_XP_X64|@[attribute](dc288e70-bf4b-46cc-84aa-515e39f3b433)|\r\n|RCDATA_DRV_XP_X86|@[attribute](e499240c-bfd1-4e5b-a70b-244c11d69053)|", "id": "93", "event_id": "98258", "timestamp": "1645688536", "uuid": "9f27b900-e658-4a75-854e-4a3e0f2d3899", "deleted": false } ] } }