Attackers dropping HermeticWiper, the wiper malware spread in Ukraine immediately before Russia’s invasion Wednesday, may have used ransomware as a decoy, according to Broadcom’s Symantec threat researchers.
“In several attacks Symantec has investigated to date, ransomware was also deployed against affected organizations at the same time as the wiper. As with the wiper, scheduled tasks were used to deploy the ransomware,” the company wrote in a blog post Thursday detailing findings on the ransomware over the previous day.
“It appears likely that the ransomware was used as a decoy or distraction from the wiper attacks. This has some similarities to the earlier WhisperGate wiper attacks against Ukraine, where the wiper was disguised as ransomware,” the researchers continued.
The ransomware note detailed by Symantec directs inquiries to two Protonmail email addresses. Filenames used in the ransomware part of the attack include client.exe, cdir.exe, cname.exe, connh.exe, and intpub.exe.
The HermeticWiper malware, which Symantec classifies as “Trojan.Killdisk,” was first identified by ESET, which said telemetry tracked the malware to hundreds of machines in Ukraine. While no vendor has definitively linked the attack to Russia, ESET said it believed the attack was related to the conflict in Ukraine.
Symantec said Wednesday that it had seen infections in Latvia and Lithuania.
In a post Thursday morning, SentinelLabs detailed some of the internals of the wiper, including some confounding actions HermeticWiper takes after obliterating systems.
Symantec noted in its Thursday post that the breaches in Ukraine, Latvia and Lithuania may have taken place last year, with evidence a Lithuanian organization was breached as early as Nov. 12 and a Ukrainian organization in late December. ESET reported Wednesday that the binaries it had seen for the malware were compiled in late December, in line with Symantec’s findings.
“The [Ukraine] attackers appear to have gained access to the network on December 23, 2021, via malicious SMB activity against a Microsoft Exchange Server. This was immediately followed by credential theft. A web shell was also installed on January 16, before the wiper was deployed on February 23.”
In Latvia, the attackers appear to have used a Tomcat exploit. In that case, Symantec notes the attackers used PowerShell commands to set up a weekly task deploying a “suspicious” postgresql.exe file every Wednesday at 9:30 a.m. The attackers originally set the file to deploy at 11:30.
On Feb. 22, one day before the attacks were first identified, Symantec said the postgresql file executed a series of commands, including accessing websites, downloading a jpeg file and dumping credentials, as well as other PowerShell commands Symantec has not identified.
Five minutes after the commands completed, the wiper launched.
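The scheduled-task staging described above is something defenders can hunt for locally. The following script is an added example, not code from the article or from Symantec’s reporting: it enumerates scheduled tasks and flags any action that runs one of the binary names cited in the article, or any weekly trigger whose executable sits outside the usual system directories (the trusted-directory list is an assumption).

```powershell
# Added hunting script (not from Symantec's post). Binary names come from the article;
# the trusted-directory allow-list is an assumption and may need tuning per environment.
$SuspectNames = @('postgresql.exe','client.exe','cdir.exe','cname.exe','connh.exe','intpub.exe')
$TrustedDirs  = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Test-TrustedPath {
    param([string]$Path)
    # Expand %VAR% references and strip quotes before comparing prefixes
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($dir in $TrustedDirs) {
        if ($expanded.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # skip COM-handler actions with no executable
        $exe    = [IO.Path]::GetFileName($action.Execute.Trim('"'))
        $weekly = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskWeeklyTrigger' }
        $reasons = @()
        if ($SuspectNames -contains $exe.ToLower())                     { $reasons += 'known-name' }
        if ($weekly -and -not (Test-TrustedPath $action.Execute))       { $reasons += 'weekly-untrusted-path' }
        if ($reasons.Count -eq 0) { continue }
        $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
        [pscustomobject]@{
            Task      = "$($task.TaskPath)$($task.TaskName)"
            Author    = $task.Author
            Execute   = $action.Execute
            Arguments = $action.Arguments
            Trigger   = ($weekly | ForEach-Object { "weekly @ $($_.StartBoundary)" }) -join '; '
            LastRun   = $info.LastRunTime
            NextRun   = $info.NextRunTime
            Reason    = $reasons -join ','
        }
    }
}
$findings | Format-Table -AutoSize
```

Run it in an elevated session so tasks registered by other accounts are visible; a hit on a weekly trigger alone is a lead to triage, not a verdict.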
“With an invasion now underway, there remains a high likelihood of further cyberattacks against Ukraine and other countries in the region,” wrote Symantec.