HermeticWiper Malware Detection: CISA and FBI Advisory Warns of New Destructive Cyber-Attacks Targeting Ukrainian Organizations

Alla Yurchenko
Latest posts by Alla Yurchenko (see all)
WRITTEN BY
Alla Yurchenko
[post-views]
March 02, 2022 · 3 min read
HermeticWiper Detection

On January 13, 2022, a devastating cyber-attack hit Ukraine, taking down online assets of the country’s government, in which attackers took advantage of a new data-wiping malware known as WhisperGate. Hard on the heels of this impactful incident, on February 23, cybersecurity analysts revealed another destructive malware targeting Ukrainian organizations dubbed HermeticWiper. This newly discovered wiper malware compromises Windows devices by controlling the master boot record, which leads to successive boot failures. 

HermeticWiper Malware Detection and Mitigation

To detect the malicious malware activity associated with HermeticWiper and timely protect the organization’s infrastructure, security professionals can download the most recent Sigma-based detections developed with the help of SOC Prime’s crowdsourcing initiative, Threat Bounty Program, including its seasoned developers, Emir Erdoan and Antonio Farina. All dedicated detection content is available for download in the SOC Prime’s Detection as Code platform:

Disabling CrashDumps via the registry (HermeticWiper)

This detection has translations for the following SIEM, EDR and XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Chronicle Security, Microsoft Defender for Endpoint, Securonix, Apache Kafka ksqlDB, Carbon Black, Qualys.

The Sigma rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Impair Defenses (T1562) as the primary technique and Disable or Modify Tools (T1562.001) sub-technique. 

Detects possible HermeticWiper by specific Driver installation

This Sigma rule has translations for the following SIEM, EDR and XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, LogPoint, Graylog, Regex Grep, RSA NetWitness, Chronicle Security, Apache Kafka ksqlDB.

On February 26, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint advisory warning organizations of the malicious activity associated with WhisperGate and HermeticWiper. The advisory provides recommendations and guidance on how to protect company infrastructure against the potential exploits by these infamous data-wiping malware strains. HermeticWiper mitigation involves the following steps aimed to boost cybersecurity resilience across organizations:

  1. Continuous monitoring and regular scanning via antivirus and antimalware programs
  2. Leveraging spam filter software to prevent spear-phishing emails
  3. Applying network traffic filtering 
  4. Running scheduled software updates 
  5. Enabling multi-factor authentication

HermeticWiper Analysis

The malware, dubbed HermeticWiper, springs from a company name that released a HermeticWiper digital signature for the sample. Researchers assume hackers leveraged a shell or a non-operative company to issue the certificate.

In the process of deployment of HermeticWiper, it mimics a tailor-made, limited functionality software. The sample is 114KB, with resources accounting for around 70% of the load. The adversaries are employing a time-tested wiper malware approach that exploits a benign partition driver to run the most harmful elements of their operations. Several hacker gangs are known to have abused EldoS RawDisk for direct userland access to the files, surpassing Windows APIs. When the malware is executed, it activates SeBackupPrivilege, granting the attackers read access to files. HermeticWiper later adds SeLoadDriverPrivilege, which allows it to load and unload device drivers, as well as SEShutdownPrivilege, enabling it to kill the breached system. Once shut down, it is not possible to operate the booting process. Additional functionality beyond the malware’s wiper capabilities hasn’t been identified yet.

Join SOC Prime’s Detection as Code platform to boost your threat detection capabilities with the power of global cybersecurity expertise. Looking for ways to contribute your own detection content and drive collaborative cyber defense? Join SOC Prime’s crowdsourcing initiative to submit your own Sigma and YARA rules, get them published to the platform, contribute to a safer cyberspace and receive recurring rewards for your contribution!

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.
Join for Free Book a Meeting

Related Posts

UAC-0133 (Sandworm) Reemerges
Blog, Latest Threats — 5 min read
UAC-0133 (Sandworm) Attack Detection: russia-Linked Hackers Aim to Cripple the Information and Communication Systems of 20 Critical Infrastructure Organizations Across Ukraine
Veronika Telychko
UAC-0149
Blog, Latest Threats — 3 min read
UAC-0149 Attacks Ukrainian Defense Forces Using Signal, CVE-2023-38831 Exploits, and COOKBOX Malware
Daryna Olyniychuk
Akira Ransomware Detection
Blog, Latest Threats — 4 min read
Akira Ransomware Detection: Joint Cybersecurity Advisory (CSA) AA24-109A Highlights Attacks Targeting Businesses and Critical Infrastructure in North America, Europe, and Australia
Veronika Telychko