
HermeticWiper anti-Ukraine malware family expands as unrelated wiper discovered

A branch of Alfa Bank, one of the largest Russian private commercial banks, stands in the city center on Oct. 3, 2019, in Kiev, Ukraine. A wiper deployed against Ukraine this year impacted “hundreds” of potential victims, and spread during the second round of paired DDoS attacks against Ukrainian financial institutions and SMS spam. (Ph...

ESET detailed two additional malware components used in last week's HermeticWiper attacks against Ukraine — including one that made the wiper wormable on a local network — as well as an additional wiper deployed elsewhere in Ukraine at the same time.

HermeticWiper was discovered and named by ESET on Wednesday, just before Russia's kinetic invasion of Ukraine. While Symantec and SentinelLabs have also done considerable research on the wiper, none of the three has formally attributed HermeticWiper to Russia, though ESET did say the wiper was likely connected to the invasion. HermeticWiper was the second wiper deployed against Ukraine this year; ESET telemetry saw "hundreds" of potential victims, and the wiper spread during the second round of paired DDoS attacks against Ukrainian financial institutions and SMS spam.

The new wiper discovered by ESET — the third wiper variant used against Ukraine this year, following HermeticWiper and WhisperGate — has been dubbed IsaacWiper. ESET discovered the malware on Thursday, the day after HermeticWiper, and has not found any links between the two.

"It is important to note that it was seen in a Ukrainian governmental organization that was not affected by HermeticWiper," said ESET Head of Threat Research Jean-Ian Boutin, in a press release sent to reporters.

The two new Hermetic components profiled by ESET are HermeticRansom, which had been reported on with less detail by Symantec and Avast, and HermeticWizard, a newly discovered program meant to spread HermeticWiper across networks using SMB and WMI.

IsaacWiper, ESET notes, is "way less sophisticated" than HermeticWiper and shows no code similarities to it. It enumerates each drive, erasing the first bytes of each physical drive, and then goes through the time-consuming task of recursively deleting every file on the drive. A second version of IsaacWiper was deployed on Friday, this time with a logging function.

"This may indicate that the attackers were unable to wipe some of the targeted machines and added log messages to understand what was happening," writes ESET.

The logs appear to confirm ESET's theory. Two consecutive messages in the log were "start erasing system physical drive… / system physical drive –– FAILED".

IsaacWiper has not been attributed to any actor.

HermeticRansom is ransomware written in Go that appears to have been used as a smokescreen for the attack. One system profiled by ESET saw HermeticWiper deployed in one folder, HermeticRansom deployed soon after, and HermeticWiper deployed again in a second folder, with the three deployments evenly spaced over less than 45 minutes.

Strings in the code, as well as the ransom note, contained references to the Biden presidency. Those strings include "403forBiden/wHiteHousE.primaryElectionProcess" and "403forBiden/wHiteHousE.GoodOffice1". The ransom note begins with an unattributed quote: "'The only thing we learn from new elections is that we learned nothing from the old.'" While the note goes on to say the attackers are only interested in business, the Protonmail email accounts victims are told to contact have election-themed usernames.

HermeticWizard is a DLL developed in C++ that ESET discovered while looking for other programs signed with the same digital certificate as the original HermeticWiper malware. Both carried certificates allegedly from the home-business games company Hermetica Digital, though the owner of Hermetica Digital has said the certificates were applied for and issued fraudulently, not stolen from the company.

HermeticWizard, which is exported under the name "Wizard.dll", contains three resources: HermeticWiper, "exec_32.dll" (which spreads HermeticWizard through WMI) and "romance.dll" (which spreads it through SMB).

HermeticWizard searches the network for other systems through a variety of means. It tests whether systems are reachable by trying to open TCP connections to ports 20, 21, 22, 80, 135, 137, 139, 443 and 445 in random order. On each reachable system, it attempts to use the WMI and SMB spreaders. The SMB spreader is notable in part because it relies on an extremely limited set of hard-coded usernames and passwords, a total of 24 different combinations, which ESET notes "is unlikely to work in even the most poorly protected networks."
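As an added illustration of how a defender could watch for the sweep pattern described above (this is example code, not ESET's or the article's), the following Python detector reads constructed flow-log lines and flags any source that probes many internal hosts on the reported port set within a short window. The log format, the alert thresholds and the sample addresses are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Port set ESET reports HermeticWizard probing (in random order) on each host.
WIZARD_PORTS = {20, 21, 22, 80, 135, 137, 139, 443, 445}
# Alert thresholds are assumptions for this example, not values from the report.
MIN_HOSTS, MIN_PORTS, WINDOW = 5, 4, timedelta(minutes=5)

def parse_flow(line):
    """Parse a constructed flow-log line: '<iso time> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto

def find_sweeps(lines):
    """Return {src: (hosts, ports)} for sources whose TCP probes on WIZARD_PORTS
    touch >= MIN_HOSTS distinct hosts and >= MIN_PORTS distinct ports within WINDOW."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, proto = parse_flow(line)
        if proto == "tcp" and dport in WIZARD_PORTS:
            events[src].append((ts, dst, dport))
    hits = {}
    for src, evs in sorted(events.items()):
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if e[0] - start <= WINDOW]
            hosts = {d for _, d, _ in window}
            ports = {p for _, _, p in window}
            if len(hosts) >= MIN_HOSTS and len(ports) >= MIN_PORTS:
                hits[src] = (len(hosts), len(ports))
                break  # one alert per source is enough
    return hits

# Constructed sample: 10.0.0.17 sweeps neighbours on the port set; 10.0.0.40 is a
# normal SMB client talking to a single file server and must not be flagged.
SAMPLE = [
    "2022-02-23T15:01:00 10.0.0.17 10.0.0.23 445 tcp",
    "2022-02-23T15:01:02 10.0.0.17 10.0.0.24 139 tcp",
    "2022-02-23T15:01:03 10.0.0.17 10.0.0.25 135 tcp",
    "2022-02-23T15:01:05 10.0.0.17 10.0.0.26 80 tcp",
    "2022-02-23T15:01:06 10.0.0.17 10.0.0.27 22 tcp",
    "2022-02-23T15:01:08 10.0.0.17 10.0.0.28 443 tcp",
    "2022-02-23T15:00:30 10.0.0.40 10.0.0.5 445 tcp",
    "2022-02-23T15:02:30 10.0.0.40 10.0.0.5 445 tcp",
]

if __name__ == "__main__":
    print(find_sweeps(SAMPLE))  # {'10.0.0.17': (6, 6)}
```

Because the probes land on a fixed port set in quick succession, the distinct-host count rather than any single port is the signal; a host that legitimately talks to one file server over 445 stays below threshold.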

The ESET report contains detection advice for the Hermetic and IsaacWiper malware.

ESET writes in its report that it has not seen any of these attacks outside Ukraine, which is at odds with Symantec's finding of systems infected with HermeticWiper in Latvia and Lithuania. But ESET cautions enterprises in other nations to be vigilant.

"Due to the current crisis in Ukraine, there is still a risk that the same threat actors will launch further campaigns against countries that back the Ukrainian government or that sanction Russian entities," it writes.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
