HermeticWiper
Associated Software Descriptions

Name | Description
---|---
Trojan.Killdisk | (Citation: CISA AA22-057A Destructive Malware February 2022)(Citation: Symantec Ukraine Wipers February 2022)
DriveSlayer | (Citation: Crowdstrike PartyTicket March 2022)(Citation: Crowdstrike DriveSlayer February 2022)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | HermeticWiper can use `cmd.exe /Q/c move CSIDL_SYSTEM_DRIVE\temp\sys.tmp1 CSIDL_WINDOWS\policydefinitions\postgresql.exe 1> \\127.0.0.1\ADMIN$\_1636727589.6007507 2>&1` to deploy on an infected system.(Citation: ESET Hermetic Wizard March 2022)
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | HermeticWiper can load drivers by creating a new service using the `CreateServiceW` API.(Citation: Crowdstrike DriveSlayer February 2022)
Enterprise | T1561.001 | Disk Wipe: Disk Content Wipe | HermeticWiper has the ability to corrupt disk partitions and obtain raw disk access to destroy data.(Citation: Crowdstrike DriveSlayer February 2022)(Citation: SentinelOne Hermetic Wiper February 2022)
Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | HermeticWiper has the ability to corrupt disk partitions, damage the Master Boot Record (MBR), and overwrite the Master File Table (MFT) of all available physical drives.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Symantec Ukraine Wipers February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Qualys Hermetic Wiper March 2022)
Enterprise | T1484.001 | Domain or Tenant Policy Modification: Group Policy Modification | HermeticWiper has the ability to deploy through an infected system's default domain policy.(Citation: ESET Hermetic Wizard March 2022)
Enterprise | T1562.006 | Impair Defenses: Indicator Blocking | HermeticWiper has the ability to set the `HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled` Registry key to `0` in order to disable crash dumps.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Qualys Hermetic Wiper March 2022)
Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | HermeticWiper can overwrite the `C:\Windows\System32\winevt\Logs` file on a targeted system.(Citation: ESET Hermetic Wizard March 2022)
Enterprise | T1070.004 | Indicator Removal: File Deletion | HermeticWiper has the ability to overwrite its own file with random bytes.(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wizard March 2022)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | HermeticWiper has used the name `postgressql.exe` to mask a malicious payload.(Citation: ESET Hermetic Wizard March 2022)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | HermeticWiper can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm.(Citation: Symantec Ukraine Wipers February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Qualys Hermetic Wiper March 2022)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | HermeticWiper has the ability to use scheduled tasks for execution.(Citation: Symantec Ukraine Wipers February 2022)
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | The HermeticWiper executable has been signed with a legitimate certificate issued to Hermetica Digital Ltd.(Citation: Symantec Ukraine Wipers February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wiper February 2022)(Citation: Qualys Hermetic Wiper March 2022)
Enterprise | T1569.002 | System Services: Service Execution | HermeticWiper can create system services to aid in executing the payload.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Qualys Hermetic Wiper March 2022)
Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | HermeticWiper has the ability to receive a command parameter to sleep prior to carrying out destructive actions on a targeted host.(Citation: Crowdstrike DriveSlayer February 2022)
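The table above lists several host behaviours that leave telemetry a defender can match on: the `cmd.exe` move into `policydefinitions` with output redirected to the local `ADMIN$` share, the `CrashDumpEnabled` value being set to `0`, and a new service that loads a driver. The following is an added example, not code from the ATT&CK entry or any cited vendor report: a small detection pass over constructed Sysmon-style events. The event field names are an assumption modelled on Sysmon process-create, registry-set and service-install records, and the service name and driver path in the samples are placeholders.

```python
"""Added example: flag HermeticWiper-style host behaviours in Sysmon-like events."""
import re

CRASH_DUMP_KEY = r"\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled"

# Constructed sample events. Field names are assumed; the service name and
# driver path are placeholders, not indicators from the cited reports.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q/c move C:\temp\sys.tmp1 C:\Windows\policydefinitions\postgresql.exe "
                r"1> \\127.0.0.1\ADMIN$\_1636727589.6007507 2>&1"},
    {"type": "registry_set", "target": "HKLM" + CRASH_DUMP_KEY, "details": "DWORD (0x00000000)"},
    {"type": "service_install", "name": "placeholder_svc",
     "image_path": r"C:\Windows\System32\Drivers\placeholder.sys"},
    {"type": "process_create", "image": r"C:\Program Files\PostgreSQL\bin\pg_ctl.exe",
     "cmdline": r"pg_ctl.exe start -D C:\PGDATA"},          # benign: no staging, no redirect
    {"type": "registry_set", "target": "HKLM" + CRASH_DUMP_KEY, "details": "DWORD (0x00000007)"},
]

def crash_dump_value(details):
    """Parse Sysmon's 'DWORD (0x...)' Details text; None if it is not a DWORD."""
    m = re.search(r"DWORD \(0x([0-9a-fA-F]+)\)", details)
    return int(m.group(1), 16) if m else None

def check_event(ev):
    """Return a list of (technique_id, reason) findings for one event."""
    findings = []
    if ev["type"] == "process_create":
        cmd = ev["cmdline"].lower()
        # Staged executable moved into the PolicyDefinitions folder (T1036.005).
        if "move " in cmd and "\\policydefinitions\\" in cmd and ".exe" in cmd:
            findings.append(("T1036.005", "executable moved into PolicyDefinitions"))
        # cmd.exe output redirected to the local ADMIN$ share (T1059.003).
        if "\\\\127.0.0.1\\admin$\\" in cmd:
            findings.append(("T1059.003", "cmd.exe output redirected to \\\\127.0.0.1\\ADMIN$"))
    elif ev["type"] == "registry_set":
        # CrashDumpEnabled written as 0: crash dumps disabled (T1562.006).
        if ev["target"].upper().endswith(CRASH_DUMP_KEY.upper()) and crash_dump_value(ev["details"]) == 0:
            findings.append(("T1562.006", "CrashDumpEnabled set to 0"))
    elif ev["type"] == "service_install" and ev["image_path"].lower().endswith(".sys"):
        # A new service whose binary is a kernel driver (T1543.003); review its signer and origin.
        findings.append(("T1543.003", "new kernel-driver service: " + ev["name"]))
    return findings

def scan(events):
    """Run check_event over every event and return all findings in order."""
    return [f for ev in events for f in check_event(ev)]

if __name__ == "__main__":
    for technique, reason in scan(SAMPLE_EVENTS):
        print(technique, "-", reason)
```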
References
- CISA. (2022, February 26). Destructive Malware Targeting Organizations in Ukraine. Retrieved March 25, 2022.
- Crowdstrike. (2022, March 1). Decryptable PartyTicket Ransomware Reportedly Targeting Ukrainian Entities. Retrieved March 1, 2022.
- Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
- ESET. (2022, February 24). HermeticWiper: New data wiping malware hits Ukraine. Retrieved March 25, 2022.
- Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.
- Symantec Threat Hunter Team. (2022, February 24). Ukraine: Disk-wiping Attacks Precede Russian Invasion. Retrieved March 25, 2022.
- Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
- ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022.