On January 13, 2022, a devastating cyber-attack hit Ukraine, taking down online assets of the country’s government, in which attackers took advantage of a new data-wiping malware known as WhisperGate. Hard on the heels of this impactful incident, on February 23, cybersecurity analysts revealed another destructive malware targeting Ukrainian organizations dubbed HermeticWiper. This newly discovered wiper malware compromises Windows devices by controlling the master boot record, which leads to successive boot failures.
To detect the malicious malware activity associated with HermeticWiper and timely protect the organization’s infrastructure, security professionals can download the most recent Sigma-based detections developed with the help of SOC Prime’s crowdsourcing initiative, Threat Bounty Program, including its seasoned developers, Emir Erdoan and Antonio Farina. All dedicated detection content is available for download in the SOC Prime’s Detection as Code platform:
Disabling CrashDumps via the registry (HermeticWiper)
This detection has translations for the following SIEM, EDR and XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Chronicle Security, Microsoft Defender for Endpoint, Securonix, Apache Kafka ksqlDB, Carbon Black, Qualys.
The Sigma rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Impair Defenses (T1562) as the primary technique and Disable or Modify Tools (T1562.001) sub-technique.
Detects possible HermeticWiper by specific Driver installation
This Sigma rule has translations for the following SIEM, EDR and XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, LogPoint, Graylog, Regex Grep, RSA NetWitness, Chronicle Security, Apache Kafka ksqlDB.
On February 26, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint advisory warning organizations of the malicious activity associated with WhisperGate and HermeticWiper. The advisory provides recommendations and guidance on how to protect company infrastructure against the potential exploits by these infamous data-wiping malware strains. HermeticWiper mitigation involves the following steps aimed to boost cybersecurity resilience across organizations:
The malware, dubbed HermeticWiper, springs from a company name that released a HermeticWiper digital signature for the sample. Researchers assume hackers leveraged a shell or a non-operative company to issue the certificate.
In the process of deployment of HermeticWiper, it mimics a tailor-made, limited functionality software. The sample is 114KB, with resources accounting for around 70% of the load. The adversaries are employing a time-tested wiper malware approach that exploits a benign partition driver to run the most harmful elements of their operations. Several hacker gangs are known to have abused EldoS RawDisk for direct userland access to the files, surpassing Windows APIs. When the malware is executed, it activates SeBackupPrivilege, granting the attackers read access to files. HermeticWiper later adds SeLoadDriverPrivilege, which allows it to load and unload device drivers, as well as SEShutdownPrivilege, enabling it to kill the breached system. Once shut down, it is not possible to operate the booting process. Additional functionality beyond the malware’s wiper capabilities hasn’t been identified yet.
Join SOC Prime’s Detection as Code platform to boost your threat detection capabilities with the power of global cybersecurity expertise. Looking for ways to contribute your own detection content and drive collaborative cyber defense? Join SOC Prime’s crowdsourcing initiative to submit your own Sigma and YARA rules, get them published to the platform, contribute to a safer cyberspace and receive recurring rewards for your contribution!