Welcome to the first of many Threat SnapShots — a short, technical deep-dive into a specific cyber threat brought to you by the SnapAttack research team. Threat SnapShots are weekly series covering topics ranging from the new and emerging threats to novel detections for known and widely-used tradecraft.
Earlier this week, President Biden released a statement urging US-based organizations, both public and private sector, to be prepared for Russian cyberattacks due to “evolving intelligence that the Russian Government is exploring options for potential cyberattacks.”
In light of this, we’ll be taking a look at HermeticWiper, one of many destructive malware that Russia has been observed using targeting organizations in Ukraine.
HermeticWiper’s name comes from the certificate used to sign the malware, a stolen digital certificate issued to Hermetica Digital, Ltd. Unlike ransomware, whose primary goal is to extract money from a victim organization, the goal of this malware is to destroy operating systems and make the data unrecoverable.
Initial Access and Lateral Movement
The best opportunity to stop ransomware and destructive malware is earlier in the killchain. The destructive activity is often the last step in the attack — after the adversary has gained an initial foothold, performed reconnaissance, escalated privileges, moved laterally, and identified a method for mass deployment. Because HermeticWiper renders the machine unbootable and corrupts data, little is known to the initial access vectors or many other steps in the killchain.
There have been a few observed methods of lateral movement and deployment, including taking control over an Active Directory server and deploying the wiper through a Group Policy Object (GPO), the use of Impacket’s wmiexec.py, and a worm called HermeticWizard to spread the wiper via Server Message Block (SMB) and Windows Management Instrumentation (WMI). HermeticWiper needs to be run as an Administrator, and it does not contain any User Account Control (UAC) bypass techniques, so privileged access is obtained before the malware is executed.
HermeticWiper Execution
As previously stated, the goal of HermeticWiper is to render the operating system and underlying data unrecoverable. The malware disables crash dumps and the volume shadow copy service early in the execution flow. Crash dumps suggest that the malware authors believe there is some instability in their code or a potential to crash the operating system, so by disabling crash dumps they reduce the chance of being discovered through debug information included in the dump. Deleting volume shadow copies is commonly done by ransomware to destroy system backups, and for HermeticWiper disabling the service also stops new recoveries from being created.
To begin the destructive phase, the malware installs legitimate drivers from the EaseUS Partition Master software. The malware includes 4 driver versions based on the operating system (Windows XP or above) and architecture (32 or 64-bit). The driver is installed with a randomized, 4-character long name and loaded into memory. The driver is then deleted from the system, but can still be accessed via memory until the system is rebooted.
Unlike the IsaacWiper sample that only uses raw disk access API calls, most of HermeticWiper’s disk interactions are made through the driver which will not likely be hooked or logged by EDRs and other endpoint tools, making detection efforts more difficult.
The malware corrupts the first 512 bytes of each partition — the master boot record — to prevent the system from booting. It also fragments files on disk and overwrites contest with random bytes to inhibit file recovery. At the end of the run, if the executable filename starts with c, the system will reboot. Sometimes malware authors will use techniques like this to avoid detection in a sandbox, or eliminate the need to pass command line arguments. The only noteworthy thing about this sample is that it only affects whether or not the system will reboot at the end of its execution.
Prevention and Detection Strategies
We are releasing 4 recorded attack sessions and 13 detection analytics around HermeticWiper and other Russian threats used against Ukraine in the community edition of our platform. We will continue to provide free updates to the community as more threats are discovered.
For ransomware and destructive malware, the best case scenario is to stop them earlier in the kill chain. We have security content around reconnaissance, lateral movement, and privilege escalation techniques that would have been seen prior to the malware being deployed. There are also valid behavioral detection strategies for HermeticWiper — such as disabling the volume shadow copy service, disabling crash dumps, installing drivers, and raw disk access.
MITRE ATT&CK Techniques
T1078.002 — Valid Accounts: Domain Accounts
T1484.001 — Domain Policy Modification: Group Policy Modification
T1047 — Windows Management Instrumentation
T1021.002 — Remote Services: SMB/Windows Admin Shares
T1006 — Direct Volume Access
T1490 — Inhibit System Recovery
T1561 — Disk Wipe
References and Further Reading:
https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
Thanks to Fred Frey.
