The Ukrainian Government has been targeted by HermeticWiper, a new ransomware-like data wiper. Its aim is not simply to encrypt the victim’s data, but rather to render a system essentially unusable. In this blog, our Research Team details our analysis of how this aggressive new malware works.
The origin of HermeticWiper seems to be closely connected to the start of the Russia/Ukraine conflict. HermeticWiper is a new ransomware-like data wiper that was deployed beginning February 23, 2022. Based on multiple intelligence reports, the wiper-ware is preceded by exploits that aid in malware deployment or multiple distributed denial-of-service attacks to shut down protective services. Attacks have been observed against hundreds of Ukrainian websites related to the local government. Discovered mere hours before Russian troops rolled into Ukraine, the cyberattack is widely seen as the opening salvo of Moscow’s invasion. As of this writing, HermeticWiper activity has since been found in Latvia and Lithuania.
The primary objective of the HermeticWiper is to destroy the master boot record (MBR) of a system, shredding data and rendering the system unusable.
Portable Executable Details of HermeticWiper
The file that we analyzed has a timestamp of “2021-12-28”. This wiper-ware got its name because the attackers used a code-signing certificate issued to “Hermetica Digital Ltd.” This traces back to a small videogame design business based in Cyprus with no links to Russia, which claims it never applied for a digital certificate, pointing to possible identity theft. Operating systems use code signing as an initial check on software, so the signature may have been intended to help the rogue program dodge anti-virus protections.
The sample we analyzed presented the following details:
Another quirk that we noticed in most of the HermeticWiper samples was the use of the “gift” icon.
Whether this was a sick joke on the part of the attackers, or merely use of a commonly observed Visual Studio icon – we will never know.
Technical Details of HermeticWiper
HermeticWiper itself is just 115 KB and comes packed with drivers, which are extracted depending on the operating system. These drivers are compressed in “SZDD” format, as can be seen here:
As the names suggest, drivers are dropped after meeting the operating system criteria:
- DRV_X64: Windows 7+, 64-bit
- DRV_X86: Windows 7+, 32-bit
- DRV_XP_X64: Windows XP, 64-bit
- DRV_XP_X32: Windows XP, 32-bit
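To pull the embedded drivers out of a sample for analysis, an analyst needs an SZDD decoder. The following is an added example, not code from the blog or from Qualys, that implements the MS-COMPRESS LZSS expansion (the same format the legacy Windows `expand` tool handles) and runs it on a constructed stream; the layout constants (space-filled 4 KiB window, initial write position 4080, 12-bit offset and 4-bit length) are those of the SZDD format.

```python
import struct

SZDD_MAGIC = b"SZDD\x88\xF0\x27\x33"   # 8-byte signature of the MS-COMPRESS "expand" format

def szdd_expand(blob: bytes) -> bytes:
    """Decompress one SZDD (MS-COMPRESS LZSS, mode 'A') container and return the raw bytes."""
    if len(blob) < 14 or blob[:8] != SZDD_MAGIC or blob[8:9] != b"A":
        raise ValueError("not an SZDD (mode 'A') container")
    # Header: magic(8) + mode(1) + last char of original filename(1) + uint32 LE uncompressed length
    (expected_len,) = struct.unpack_from("<I", blob, 10)
    data, pos = blob[14:], 0
    window = bytearray(b" " * 4096)   # LZSS history window is pre-filled with spaces
    wpos = 4096 - 16                  # initial write position defined by the format
    out = bytearray()
    while len(out) < expected_len and pos < len(data):
        control = data[pos]; pos += 1            # one flag bit per following token, LSB first
        for bit in range(8):
            if len(out) >= expected_len:
                break
            if control & (1 << bit):             # 1 = literal byte
                if pos >= len(data):
                    raise ValueError("truncated literal in SZDD stream")
                b = data[pos]; pos += 1
                out.append(b); window[wpos] = b; wpos = (wpos + 1) & 4095
            else:                                # 0 = 12-bit offset / 4-bit length back-reference
                if pos + 2 > len(data):
                    raise ValueError("truncated back-reference in SZDD stream")
                b1, b2 = data[pos], data[pos + 1]; pos += 2
                offset = b1 | ((b2 & 0xF0) << 4)
                length = (b2 & 0x0F) + 3
                for i in range(length):          # byte-wise copy so overlapping matches work
                    if len(out) >= expected_len:
                        break
                    b = window[(offset + i) & 4095]
                    out.append(b); window[wpos] = b; wpos = (wpos + 1) & 4095
    if len(out) != expected_len:
        raise ValueError(f"expected {expected_len} bytes, decoded {len(out)}")
    return bytes(out)

# Constructed sample stream (not taken from a real sample): six literals "hello " followed by
# one 11-byte back-reference to window offset 4080, where those literals were just written.
SAMPLE_SZDD = (SZDD_MAGIC + b"A" + b"\x00" + struct.pack("<I", 17)
               + b"\x3F" + b"hello " + b"\xF0\xF8")
```

The same function applied to each extracted resource yields the driver image whose signature and origin are discussed next.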
Interestingly, the sample that we analyzed made use of an expired certificate from the “CHENGDU YIWO Tech Development Co. Ltd.” A basic Google search reveals that this is a professional data recovery and data security company based in Sichuan, China. This certificate appears to be legitimate.
Other researchers have found similar drivers from EaseUS Partition Manager. A search for that company name comes up with more details on the Chengdu YIWO Tech and EaseUS relationship:
This driver does the heavy lifting of causing harm to your system. This is a known technique and has been used a couple of times by well-known Advanced Persistent Threat groups.
DETECTION TIP #1
Watch out for processes executing drivers or dynamic link libraries with expired certificates.
Post execution, HermeticWiper gains the following privileges:
Later in the execution chain, SeLoadDriverPrivilege is used to load the extracted driver. One of the four drivers is dropped, after which the Volume Shadow Copy (VSS) service, which allows backups to be performed, is stopped.
DETECTION TIP #2
- Watch out for processes gaining unnecessary and sensitive privileges like the ones mentioned above.
- Watch out for important Windows service stoppages.
HermeticWiper then sets the CrashDumpEnabled registry value under System\CurrentControlSet\Control\CrashControl to 0, so that memory dumps are disabled.
DETECTION TIP #3
Watch out for unauthorized processes making registry changes.
After this registry change, the ShowCompColor and ShowInfoTip values are also modified to disable the colored display of compressed and encrypted NTFS files. Normally this setting shows compressed files in blue, for example:
Qualys Multi-Vector EDR customers are presented with the following details capturing the behavior.
Then, the hard drives on the system are enumerated and, for each drive, the \\.\EPMNTDRV\ device is opened. The extracted driver is loaded by creating a new service with the CreateServiceW API, and the first 512 bytes of the disk, the Master Boot Record (MBR), are overwritten.
The code further suggests that HermeticWiper enumerates the following files and folders…
- C:\Documents and Settings
- System Volume Information
…the following Master File Table metafiles…
- $LogFile: journal that records metadata transactions.
- $Bitmap: records the allocation status of each cluster in the file system.
…and the following NTFS streams:
- $DATA: contains file data.
- $I30: NTFS index attribute.
- $INDEX_ALLOCATION: stream type of a directory.
DETECTION TIP #4
Watch out for processes enumerating multiple locations and data streams.
After successful execution, HermeticWiper makes use of the InitiateSystemShutdownEx API to shut down the system. Once rebooted, since the MBR has been rewritten, we see a blank screen with the words “Missing operating system.”
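The four detection tips above describe individual events, but what distinguishes a wiper from an administrator is the chain of them inside one process. The following is an added example, not Qualys EDR logic or code from the blog, that scores a constructed "pid|event|detail" telemetry stream (the record format and the sample lines are assumptions) against the behaviors described in this post: sensitive privilege adjustments, the VSS stop, the CrashDumpEnabled and Explorer registry changes, a driver-backed service creation, the EPMNTDRV device open, and the forced shutdown.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real EDR output): one "pid|event|detail" record per line.
SAMPLE_LOG = r"""
4120|privilege|SeLoadDriverPrivilege
4120|privilege|SeBackupPrivilege
4120|service_stop|vss
4120|registry_set|HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled=0
4120|registry_set|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor=0
4120|service_create|C:\Windows\System32\Drivers\example_dropped.sys
4120|device_open|\\.\EPMNTDRV\0
4120|shutdown|InitiateSystemShutdownEx
5012|privilege|SeShutdownPrivilege
5012|shutdown|InitiateSystemShutdownEx
"""

# Each indicator is a regex over "event|detail"; names follow the blog's detection tips.
INDICATORS = {
    "sensitive_privilege":  r"^privilege\|Se(LoadDriver|Backup|Debug)Privilege$",
    "vss_stopped":          r"^service_stop\|vss$",
    "crash_dumps_disabled": r"^registry_set\|HKLM\\SYSTEM\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled=0$",
    "explorer_color_hint":  r"^registry_set\|.*\\(ShowCompColor|ShowInfoTip)=0$",
    "driver_service":       r"^service_create\|.*\.sys$",
    "epmntdrv_opened":      r"^device_open\|\\\\\.\\EPMNTDRV\\",
    "forced_shutdown":      r"^shutdown\|InitiateSystemShutdownEx$",
}

def collect_indicators(log_text):
    """Return {pid: set of matched indicator names} for every process seen in the log."""
    hits = defaultdict(set)
    for line in log_text.strip().splitlines():
        pid, event, detail = line.split("|", 2)
        for name, pattern in INDICATORS.items():
            if re.match(pattern, f"{event}|{detail}", re.IGNORECASE):
                hits[pid].add(name)
    return dict(hits)

def flag_wiper_like(log_text, threshold=4):
    """PIDs whose distinct indicator count reaches the threshold, highest count first."""
    hits = collect_indicators(log_text)
    return sorted((pid for pid, s in hits.items() if len(s) >= threshold),
                  key=lambda p: -len(hits[p]))
```

A plain shutdown utility (PID 5012 in the sample) triggers only the shutdown indicator and stays below the threshold, while the wiper-like process accumulates all seven.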
HermeticWiper Detection with Qualys Multi-Vector EDR
Out of the box, Qualys Multi-Vector EDR provides detection and prevention capabilities that can help enterprise security teams to find Indicators of Compromise.
HermeticWiper MITRE ATT&CK TID Map
| Tactic | Technique ID | Technique | Description |
|---|---|---|---|
| Privilege Escalation | T1134 | Access Token Manipulation | HermeticWiper modifies its security token to grant itself debugging privileges by adding SeDebugPrivilege, backup privileges by adding SeBackupPrivilege, and driver-loading privileges by adding SeLoadDriverPrivilege. |
| Discovery | T1082 | System Information Discovery | HermeticWiper enumerates the operating system and its bitness, according to which the embedded drivers are dropped. |
| Defense Evasion | T1112 | Modify Registry | HermeticWiper modifies multiple registry keys. |
| Execution | T1106 | Native API | HermeticWiper uses the AdjustTokenPrivileges API to give itself the following privileges: SeShutdownPrivilege, SeBackupPrivilege and SeLoadDriverPrivilege. |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service | HermeticWiper loads the extracted driver by creating a new service using the CreateServiceW API. |
| Impact | T1561.002 | Disk Wipe: Disk Structure Wipe | HermeticWiper damages the Master Boot Record (MBR) of the infected computer. |
| Impact | T1490 | Inhibit System Recovery | HermeticWiper stops the Volume Shadow Copy service. |
| Impact | T1489 | Service Stop | HermeticWiper stops the Volume Shadow Copy service. |
| Discovery | T1083 | File and Directory Discovery | HermeticWiper enumerates multiple files and folders such as AppData, Desktop, etc. |
| Impact | T1529 | System Shutdown/Reboot | HermeticWiper initiates a system shutdown via the InitiateSystemShutdownEx API. |