Introduction
Cynet CyOps conducts ongoing threat intelligence gathering and analysis to protect Cynet customers. Because russia’s war against Ukraine has an active cyber warfare dimension, developments, events, publications, and other data sources are monitored continuously to ensure that Cynet360 detects and prevents the malware variants deployed as part of it.
Cynet detects and prevents the following malware families and associated tooling linked to the war:
- HermeticWiper
- HermeticWizard
- HermeticRansom
- IsaacWiper
- WhisperGate
- Gamaredon
- Outsteel
- SaintBot
This article provides examples of malware variants, specifically wipers, deployed by russia during the war, along with the detections triggered by Cynet360 when they are executed.
HermeticWiper
HermeticWiper is a disk-wiping malware first identified in Ukraine in February 2022. It corrupts the Master Boot Record (MBR) of the physical disks, leaving the host unable to boot and the user locked out of the system.
In this section, the HermeticWiper threat is examined. Its capabilities and execution flow are outlined.
HermeticWiper Overview
HermeticWiper was built to destroy the systems of Ukrainian organizations by corrupting their physical disks. It is a 32-bit executable signed with a code-signing certificate issued to a company called “Hermetica Digital Ltd”; the certificate was valid at the time of the attacks and has since been revoked.
The malware’s name is derived from the Hermetica digital signature combined with the malware’s purpose.
During execution the wiper also disables the Volume Shadow Copy Service (VSS), so shadow copies cannot be used to recover files, and sets CrashDumpEnabled to 0 under the CrashControl registry key so that no memory dump is written if the system crashes while the disk is being overwritten. The final step is corrupting the MBR.
Kill Chain

Hermetic Analysis
In this section, a representative sample of HermeticWiper is analyzed.
Samples of HermeticWiper are uploaded daily to MalwareBazaar (by abuse.ch):

HermeticWiper is a 32-bit portable executable:

HermeticWiper is signed with a code-signing certificate issued to “Hermetica Digital Ltd”.

HermeticWiper calls AdjustTokenPrivileges to enable three privileges in its own token:
- SeShutdownPrivilege – allows the process to shut down or reboot the system.
- SeBackupPrivilege – allows reading files and registry data regardless of what the security descriptor grants (backup semantics).
- SeLoadDriverPrivilege – allows loading and unloading device drivers, which the wiper needs to install its dropped driver as a service.
These privileges exist only in an elevated administrator token, so the wiper must already be running elevated for the call to succeed.
Some of the strings that HermeticWiper leverages during dynamic execution:

The following driver file is installed as a service and dropped at “C:\Windows\System32\drivers\[drivername].sys”.
Once the driver has been loaded, the wiper deletes the service entry it created, removing the most visible trace of the installation.

Rather than shipping its own kernel code, HermeticWiper abuses a legitimately signed driver taken from partition-management software. The driver exposes the raw disk access that such software uses to resize and delete partitions, and because it carries a valid signature it loads without tripping Driver Signature Enforcement. The wiper drops it into System32\drivers, starts it as a service, and eventually deletes it.

Just before the MBR corruption process, HermeticWiper disables crash dump generation by setting the value CrashDumpEnabled under the registry key HKLM\SYSTEM\CurrentControlSet\Control\CrashControl:


In the Procmon log captured during dynamic execution, the RegSetValue operation shows, as expected, that CrashDumpEnabled was changed to 0x0.

The final phase of HermeticWiper is disk corruption:

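The behaviours above (a driver dropped into System32\drivers, the VSS service disabled, CrashDumpEnabled set to 0, and raw access to the physical disk) are individually common and only become a wiper signature when one process shows several of them within a short time. The following script is an added example, not Cynet’s detection logic, that correlates such signals per process over Sysmon-style events. The event shapes, process IDs, driver name and timestamps are constructed for illustration; the raw-disk signal uses Sysmon Event ID 9 (RawAccessRead), which assumes the wiper reads partition data through the same raw handle it later writes to, since Sysmon does not log raw writes.

```python
"""Correlate HermeticWiper-style behaviour across Sysmon-like endpoint events.

Added example, not Cynet's detection logic. Sysmon event IDs used here:
1 ProcessCreate, 9 RawAccessRead, 11 FileCreate, 13 RegistryEvent (value set).
"""
import re
from collections import defaultdict

DRIVER_DROP = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\[^\\]+\.sys$", re.I)
CRASH_DUMP = re.compile(r"\\control\\crashcontrol\\crashdumpenabled$", re.I)
VSS_START = re.compile(r"\\services\\vss\\start$", re.I)
RAW_DISK = re.compile(r"^\\device\\harddisk\d+\\dr\d+$", re.I)

# Constructed sample telemetry (assumption: one wiper process, pid 4120,
# plus benign noise from an installer and an administrator). Timestamps are seconds.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Users\victim\Desktop\cc.exe", "ts": 100},
    {"id": 11, "pid": 4120, "target": r"C:\Windows\System32\drivers\zdwq.sys", "ts": 101},
    {"id": 13, "pid": 4120, "target": r"HKLM\System\CurrentControlSet\Services\VSS\Start",
     "details": "DWORD (0x00000004)", "ts": 102},
    {"id": 13, "pid": 4120,
     "target": r"HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
     "details": "DWORD (0x00000000)", "ts": 103},
    {"id": 9, "pid": 4120, "device": r"\Device\Harddisk0\DR0", "ts": 104},
    # An installer legitimately dropping a driver: one signal only.
    {"id": 1, "pid": 7000, "image": r"C:\Temp\vendor_setup.exe", "ts": 200},
    {"id": 11, "pid": 7000, "target": r"C:\Windows\System32\drivers\vendor.sys", "ts": 201},
    # An administrator turning crash dumps off through the System applet: one signal only.
    {"id": 1, "pid": 8100, "image": r"C:\Windows\System32\SystemPropertiesAdvanced.exe", "ts": 300},
    {"id": 13, "pid": 8100,
     "target": r"HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
     "details": "DWORD (0x00000000)", "ts": 301},
]


def dword_value(details):
    """Parse Sysmon's 'DWORD (0x........)' rendering of a registry value."""
    m = re.search(r"DWORD \(0x([0-9a-f]+)\)", details or "", re.I)
    return int(m.group(1), 16) if m else None


def signal_for(event):
    """Map one event to a wiper-chain signal, or None if it is not one."""
    eid = event["id"]
    if eid == 11 and DRIVER_DROP.match(event["target"]):
        return "driver_dropped"
    if eid == 13:
        value = dword_value(event.get("details"))
        if CRASH_DUMP.search(event["target"]) and value == 0:
            return "crashdump_disabled"
        if VSS_START.search(event["target"]) and value == 4:  # 4 = SERVICE_DISABLED
            return "vss_disabled"
    if eid == 9 and RAW_DISK.match(event["device"]):
        return "raw_disk_access"
    return None


def detect_wiper_chain(events, min_signals=3, window=600):
    """Return processes showing at least min_signals distinct signals within
    `window` seconds of each other, with the image name when a ProcessCreate was seen."""
    images = {}
    per_pid = defaultdict(dict)  # pid -> {signal: first timestamp}
    for ev in events:
        if ev["id"] == 1:
            images[ev["pid"]] = ev["image"]
        sig = signal_for(ev)
        if sig:
            per_pid[ev["pid"]].setdefault(sig, ev["ts"])
    hits = []
    for pid, sigs in per_pid.items():
        if len(sigs) >= min_signals and max(sigs.values()) - min(sigs.values()) <= window:
            hits.append({"pid": pid, "image": images.get(pid), "signals": sorted(sigs)})
    return hits


if __name__ == "__main__":
    for hit in detect_wiper_chain(SAMPLE_EVENTS):
        print(f"pid {hit['pid']} ({hit['image']}): {', '.join(hit['signals'])}")
```

Requiring three distinct signals is what keeps the installer and the administrator out of the result: each produces exactly one of the behaviours, and only the wiper produces the whole chain from a single process.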
Cynet vs. HermeticWiper
The CyOps team works around the clock to enhance detections by adding IOCs, memory patterns, SSDEEP fuzzy hashes, and more.
As shown below, a random HermeticWiper sample was executed in the lab.
Note that the environment action is set to alert only so as not to interrupt the execution flow. This allows Cynet to detect every step of the attack.
File Dumped on the Disk – Cynet’s AV/AI engine detects a malicious file that was dumped on the disk.

Attempt to Run – Cynet’s AV/AI engine detects a malicious file that was loaded into memory:

Malicious Binary – Cynet detects a file that is flagged as malicious in Cynet’s EPS (endpoint scanner) built-in threat intelligence database. This database contains only critical IOCs, such as IOCs of ransomware, hacking tools, and similar threats:

Malicious Binary – Process Create Malicious File – This alert is triggered when Cynet detects a process that creates a file that is either flagged as malicious in Cynet’s Threat Intelligence database or associated with suspicious patterns, such as being written to sensitive directories.

Threat Intelligence Detection – Malicious Binary – Blacklist – This alert is triggered when Cynet detects a file that is flagged as malicious in Cynet’s internal threat intelligence database:

Cynet vs. HermeticRansom
Malicious Binary – Cynet detects a file that is flagged as malicious in Cynet’s EPS (endpoint scanner) built-in threat intelligence database. This database contains only critical IOCs, such as IOCs of ransomware, hacking tools, and similar threats:

WhisperGate
WhisperGate masquerades as ransomware: it displays a ransom note demanding payment in exchange for restoring the system. In reality it overwrites the MBR and corrupts files, so the data cannot be recovered whether or not the ransom is paid.
WhisperGate Overview
First observed in the wild on January 13, 2022, by Microsoft’s MSTIC, which tracks the operators as DEV-0586, WhisperGate is a multi-stage attack. Although it behaves like ransomware and demands payment for access to files, it cannot restore them: no decryption or recovery routine exists inside the malware. The ransom note only masks the destructive character of a wiper, a class of malware whose purpose is to render the infected computer’s disk unusable. The disguise delays the victim’s recognition that the damage is deliberate and unrecoverable, and muddies attribution, which fits the context of russia’s war against Ukraine.
WhisperGate relies on a legitimate platform, Discord’s content delivery network, to stage an additional payload. Traffic to a widely used service is unlikely to be blocked by firewalls and draws less attention from SOC analysts reviewing the activity at that moment.
Kill Chain
How initial access is achieved is still unknown. WhisperGate is believed to use a supply chain attack.

The malware behaves as follows:
Stage 1: Wiping the MBR
Stage 1 overwrites the MBR with a small stub. When the system is next restarted, the BIOS executes the stub instead of the operating system’s boot code, and the compromised host is presented with the following message:

A few noteworthy points:
- WhisperGate uses a single Bitcoin wallet for all affected victims.
- All victims are asked for the same ransom amount.
- The only contact channel offered is Tox, a peer-to-peer encrypted messenger.
- Most ransomware groups offer to decrypt a sample file for free as proof that recovery is possible; WhisperGate offers nothing of the kind.
Taken together, these points strengthen the hypothesis that WhisperGate is only masquerading as ransomware.
Stage 2: Downloading Payload
Stage 2 is a downloader. Using a URL predefined in the binary, which in the observed campaign pointed to Discord, it fetches and loads the next payload, which drops a VBS script together with additional components: AdvancedRun by NirSoft, used to run commands with elevated privileges, and a second wiper that targets file types hard-coded in the malware.
Stage 3: Script Execution
At this stage the script adds the entire C:\ drive to the Windows Defender exclusion list with a PowerShell Set-MpPreference -ExclusionPath command (MITRE ATT&CK Impair Defenses, T1562.001). The payload can also stop Windows Defender and even delete the Windows Defender folder from the system.
Stage 4: File Wiping
At the fourth stage, the wiper runs. For every file whose extension appears in its hard-coded list, it overwrites the content with a fixed byte pattern and renames the file with a seemingly random four-byte extension; the original data is not preserved anywhere.
The predefined file extensions that the malware will overwrite:

Blockchain Analysis:
The Bitcoin address associated with the malware had no transactions apart from one of approximately five dollars.

The transaction is dated January 14, 2022.
Additional Notes
The MBR payload stub identified during the Stage 1 analysis:

The payload download from Discord in Stage 2:

Similarity to other Ransomware found in the Darknet:
A ransomware sample was detected that appears similar to the activity observed in WhisperGate.
H3llB0rn Ransomware ransom note:

Note the similar reliance on a bare Bitcoin address and the absence of the usual negotiation channels, both of which are uncommon in ransomware activity today.
Cynet vs. WhisperGate
In addition to detecting all stages that were dropped on the disk, Cynet also detects the malicious binary files:

WhisperGate alters the MBR by opening the physical drive directly and writing its stub to the following location:

Cynet’s RAW Disk Write alert is triggered through a dedicated mechanism designed to protect against MBR alteration.
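A raw write to sector 0 is the signal an EDR acts on in real time; after the fact, a forensic analyst can tell an overwritten MBR from an intact one by parsing the sector itself. The script below is an added example, not Cynet’s RAW Disk Write mechanism: it parses the standard MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and flags a sector whose partition table is gone and whose code area is a long run of readable text, which is what a ransom-note stub looks like. Both sectors it analyses are constructed here, not dumps from a real disk, and the wallet and Tox ID in the note are placeholders.

```python
"""Parse a 512-byte MBR and flag one replaced by a text-displaying stub.

Added example, not Cynet's code. Both sectors below are constructed: a
plausible intact Windows-style MBR and a WhisperGate-style ransom-note stub.
"""
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow the boot code
BOOT_SIGNATURE_OFFSET = 510    # 0x55 0xAA
MAX_BENIGN_TEXT_RUN = 40       # longest string in a stock MBR is about 30 bytes


def build_mbr(boot_code, partitions):
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples."""
    assert len(boot_code) <= PARTITION_TABLE_OFFSET
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, count) in enumerate(partitions):
        off = PARTITION_TABLE_OFFSET + 16 * i
        sector[off] = status
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, count)
    sector[BOOT_SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


# Constructed "intact" MBR: a few real-mode bootstrap opcodes plus the usual
# error string, and one bootable NTFS (type 0x07) partition starting at LBA 2048.
INTACT_MBR = build_mbr(
    b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c\xbf\x00\x06"
    b"\xb9\x00\x02\xfc\xf3\xa4" + b"Invalid partition table\x00",
    [(0x80, 0x07, 2048, 0x1000000)],
)

# Constructed ransom-note stub: the note sits where boot code should be, the
# partition table is zeroed, and only the 0x55AA signature survives so the
# BIOS still executes the sector. Wallet and Tox ID are placeholders.
STUB_MBR = build_mbr(
    b"Your hard drive has been corrupted.\r\n"
    b"In case you want to recover all hard drives\r\n"
    b"of your organization,\r\n"
    b"You should pay us $10k via bitcoin wallet\r\n"
    b"<wallet placeholder> and send message via\r\n"
    b"tox ID <tox placeholder>\r\nwith your organization name.\r\n",
    [],
)


def parse_partitions(mbr):
    """Decode the four partition entries (CHS fields are ignored)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, count = struct.unpack_from("<II", mbr, off + 8)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def longest_text_run(buf):
    """Length of the longest run of printable ASCII (tab, CR and LF included)."""
    best = run = 0
    for b in buf:
        run = run + 1 if (32 <= b < 127 or b in (9, 10, 13)) else 0
        best = max(best, run)
    return best


def assess_mbr(mbr):
    """Classify a sector as intact, ransom_stub, table_destroyed or not_bootable."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    has_signature = mbr[BOOT_SIGNATURE_OFFSET:] == b"\x55\xAA"
    usable = [p for p in parse_partitions(mbr)
              if p["type"] != 0 and p["sectors"] > 0 and p["status"] in (0x00, 0x80)]
    text_run = longest_text_run(mbr[:PARTITION_TABLE_OFFSET])
    if not has_signature:
        verdict = "not_bootable"
    elif not usable and text_run >= MAX_BENIGN_TEXT_RUN:
        verdict = "ransom_stub"
    elif not usable:
        verdict = "table_destroyed"
    else:
        verdict = "intact"
    return {"verdict": verdict, "partitions": usable, "longest_text_run": text_run}


if __name__ == "__main__":
    for name, sector in (("intact", INTACT_MBR), ("stub", STUB_MBR)):
        print(name, assess_mbr(sector)["verdict"])
```

To run this against a real image, read the first 512 bytes of the disk (or of a full-disk image) and pass them to assess_mbr; a "table_destroyed" verdict without long text is what a wiper that simply zeroes or randomises the sector leaves behind, while "ransom_stub" is the WhisperGate pattern.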
IsaacWiper
IsaacWiper is the third wiper identified as targeting Ukrainian organizations.
Like the two wipers described above, it corrupts the system MBR.
It also fills every disk on the system with random content until no free space remains.
IsaacWiper Overview
IsaacWiper is the simplest of the three. Its name comes from the ISAAC pseudo-random number generator it uses to produce the data it writes.
While WhisperGate staged a payload through Discord and HermeticWiper was deployed alongside a worm (HermeticWizard) and a decoy ransomware (HermeticRansom), IsaacWiper is limited to wiping the MBR and filling the drives with random data until they are full.
Kill Chain
While the initial vector remains uncertain, IsaacWiper was found on an endpoint where the use of RemCom had been observed. RemCom is a small (about 10 KB, UPX-packed) open-source remote shell and telnet replacement that lets an operator execute processes on remote Windows systems, copy files to them, and stream the command output back.

Cynet vs. IsaacWiper
In addition to detecting all stages that were dropped on the disk, Cynet also detects the malicious binary files:

Conclusion
Wipers are destructive tools with a single purpose: to inflict damage and destroy their targets’ data with no recovery option.
These attacks, which emerged during Russia’s war against Ukraine and have not been attributed to a named threat actor, are believed to be the work of nation-state actors.
Further observations related to this malware activity are likely to appear soon, especially as the war continues to intensify.
As demonstrated above, Cynet detection and prevention mechanisms actively detect and mitigate the many wipers introduced during this war.
In addition, the Cynet Research group works around the clock to deploy new rules and policies to stay ahead of these attacks.