Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

HermeticWiper

HermeticWiper is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. Some sectors targeted include government, financial, defense, aviation, and IT services.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Symantec Ukraine Wipers February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wiper February 2022)(Citation: Qualys Hermetic Wiper March 2022)
ID: S0697
Associated Software: Trojan.Killdisk DriveSlayer
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 25 Mar 2022
Last Modified: 11 Apr 2024

Associated Software Descriptions

Name Description
Trojan.Killdisk (Citation: CISA AA22-057A Destructive Malware February 2022)(Citation: Symantec Ukraine Wipers February 2022)
DriveSlayer (Citation: Crowdstrike PartyTicket March 2022)(Citation: Crowdstrike DriveSlayer February 2022)

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

HermeticWiper can use `cmd.exe /Q/c move CSIDL_SYSTEM_DRIVE\temp\sys.tmp1 CSIDL_WINDOWS\policydefinitions\postgresql.exe 1> \\127.0.0.1\ADMIN$\_1636727589.6007507 2>&1` to deploy on an infected system.(Citation: ESET Hermetic Wizard March 2022)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

HermeticWiper can load drivers by creating a new service using the `CreateServiceW` API.(Citation: Crowdstrike DriveSlayer February 2022)

Enterprise T1561 .001 Disk Wipe: Disk Content Wipe

HermeticWiper has the ability to corrupt disk partitions and obtain raw disk access to destroy data.(Citation: Crowdstrike DriveSlayer February 2022)(Citation: SentinelOne Hermetic Wiper February 2022)

.002 Disk Wipe: Disk Structure Wipe

HermeticWiper has the ability to corrupt disk partitions, damage the Master Boot Record (MBR), and overwrite the Master File Table (MFT) of all available physical drives.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Symantec Ukraine Wipers February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Qualys Hermetic Wiper March 2022)

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

HermeticWiper has the ability to deploy through an infected system's default domain policy.(Citation: ESET Hermetic Wizard March 2022)

Enterprise T1562 .006 Impair Defenses: Indicator Blocking

HermeticWiper has the ability to set the `HKLM:\SYSTEM\\CurrentControlSet\\Control\\CrashControl\CrashDumpEnabled` Registry key to `0` in order to disable crash dumps.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Qualys Hermetic Wiper March 2022)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

HermeticWiper can overwrite the `C:\Windows\System32\winevt\Logs` file on a targeted system.(Citation: ESET Hermetic Wizard March 2022)

.004 Indicator Removal: File Deletion

HermeticWiper has the ability to overwrite its own file with random bites.(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wizard March 2022)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

HermeticWiper has used the name `postgressql.exe` to mask a malicious payload.(Citation: ESET Hermetic Wizard March 2022)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

HermeticWiper can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm.(Citation: Symantec Ukraine Wipers February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Qualys Hermetic Wiper March 2022)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

HermeticWiper has the ability to use scheduled tasks for execution.(Citation: Symantec Ukraine Wipers February 2022)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

The HermeticWiper executable has been signed with a legitimate certificate issued to Hermetica Digital Ltd.(Citation: Symantec Ukraine Wipers February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wiper February 2022)(Citation: Qualys Hermetic Wiper March 2022)

Enterprise T1569 .002 System Services: Service Execution

HermeticWiper can create system services to aid in executing the payload.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Qualys Hermetic Wiper March 2022)

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

HermeticWiper has the ability to receive a command parameter to sleep prior to carrying out destructive actions on a targeted host.(Citation: Crowdstrike DriveSlayer February 2022)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.