On February 26, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Advisory together with the Federal Bureau of Investigation. CISA is the nation’s leader in understanding, managing, and reducing the risk to the technical infrastructure that citizens rely on every day.
This advisory provided a summarization of a destructive malware campaign that had been launched, seemingly against organizations and agencies in Ukraine, coupling it with guidance on how such independent entities can detect and protect their networks against them. The advisory itself provides extensive information on both pieces of malware used in this campaign – namely, WhisperGate and HermeticWiper.
Malware, in the first place, is a real threat to an organization’s daily operation, considering the potential impact on critical assets, data, and their availability. And, while CISA has acknowledged that there is no credible threat to the United States itself, all organizations should take the time to assess and shore up their cybersecurity efforts. A few of the actions that can be taken immediately to strengthen one’s cybersecurity standing include updating software, setting anti-virus/malware programs to scan environments more regularly, enabling strong spam filters to stop attempts of phishing attacks, filtering network traffic, and enabling multifactor authentication on all accounts.
The advisory goes on to encourage corporate leaders and executives alike to review the statements, implement commonly accepted strategies, assess and reassess their own network environments for uncommon corridors for malware delivery or propagation throughout such systems, and ensure a prepared contingency plan in the event of an attack, as well as, for the aftermath of one.
CISA goes on to announce their posting of new recommendations, services, and resources for corporate leaders and CEOs on their Shields Up webpage as well as a new Technical Guidance webpage. This new webpage not only lists other malicious cyber campaigns affecting Ukraine but also technical resources from partners to help groups against such threats.
Timeline of Events: WhisperGate and HermeticWiper
On January 13 of this year, the “WhisperGate” wiper actively targeted organizations and groups in Ukraine, including government agencies. In a statement from Microsoft, who first exposed this attack, powering off the targeted device executes the malware.
As this wiper malware was being deployed, several website attacks happened between the 13th and 14th, during the night, as a parallel strategy.
On February 23rd, a campaign of Distributed denial-of-service (DDoS) attacks took place, targeting Ukrainian organizations and agencies. It was at this time, too, that the wider threat intelligence community observed the deployment of a wiper that targeted Windows devices.
On February 24th researchers at Symantec found that a ransomware was being deployed alongside HermeticWiper. The now dubbed “PartyTicket” was decidedly made to be a distraction from the wiper malware, as it is redundant to infect a drive before wiping it. It exhibited poor thread control and was laced with taunts to the U.S. government in the directories and a ransom note.
On February 25th, ransomware actors associated with the Conti malware released several statements regarding their position on the Russian-Ukrainian conflict. It is worth mentioning at this point that the Joint Security Advisory published an advisory listing tactics, techniques, procedures, and Indicators of compromise (IOCs) associated with the ransomware in September of 2021 along with guidance on mitigation steps.
What is HermeticWiper?
On the subject of this HermeticWiper – named after the digital certificate used to sign software – had been extensively analyzed at this point. The certificate was issued by a company named “Hermetica Digital Ltd”, thought to be a defunct or shell company used by the attackers. The wiper itself manipulates the Master Boot Record resulting in a failure in the computer booting up.
At just a glance, the HermeticWiper looks to be a custom application with some standard functions at about 114KBs in size. What this piece of malware does is take advantage of a previously unused partition management driver, EaseUS, to further the attack. EaseUS is a legitimate software application that would be used to image and resize disks, HermeticWiper uses this driver to avoid detection by sending low-level calls through the driver rather than windows system calls. Copies of the driver are ms-compressed resources the malware would use depending on factors like OS version and the like.
HermeticWiper corrupts the partitions by enumerating a range of physical drives multiple times, calling \\.\EPMNTDRV\ device for each drive, corrupting the first 512 bytes of the MBR, then moving on to enumerate through the partitions for all drives. It is at that point that the malware differentiates between FAT AND NTFS types, corrupting the bits of FAT partitions in the same way as the bits of the drives and parsing the Master File Table before messing the bits there. There are other functions that seem to be redundant or otherwise a distraction – these have also been documented along with their IOCs.
The kill chain for attacks with this malware typically starts with a malicious email with a .rar compressed file attached. This file contains a document (either in .docx or .lnk format) which, in turn, either executes a VBscript or downloads and executes the .msi installer.
What is WhisperGate?
It was in early January that WhisperGate was reportedly deployed against Ukrainian organizations. It is said to be deployed by a single threat actor and has three components to it. These components are the malicious bootloader that corrupts local disks, a downloader based on the popular chat app Discord, and a file wiper. The sha256 hash identifiers of both the initial bootloader and the wiper are available at this point.
Bootloader sha256 hash: a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 Wiper sha256 hash: 44ffe353e01d6b894dc7ebe686791aa87fc9c7fd88535acc274f61c2cf74f5b8
The wiper itself displays a ransom note when the host boots while it continues to perform destructive operations on the infected host’s drives. The wiping operation includes the following pseudocode:
for i_disk between 0 and total_detected_disk_count do for i_sector between 1 and total_disk_sector_count, i_sector += 199, do overwrite disk i_disk at sector i_sector with hardcoded data done done
Both the bootloader and the wiper aim to irrevocably corrupt the infected hosts’ drives while masquerading as modern ransomware operations, similar to HermeticWiper.
How to Fix HermeticWiper and WhisperGate
Although further attacks are not expected outside of Ukraine, these kinds of attacks are nothing new. It is important to prepare an environment for the possibility of such attacks with these malicious programs regardless. Individuals can rely on many tools to aid in detecting and removing this threat. One such tool is Microsoft Defender Antivirus, which can fix both, as stated by the company on February 28th.
Unlike other kinds of malware, in which their actions are controlled by a threat actor through the wider internet, both HermeticWiper and WhisperGate do not rely on any input. It is safe to say then that there are no network footprints to analyze for detecting this malware, other than the initial downloading of it and their components. It is therefore reasonable to deploy deep packet inspection tools to detect the binary of those files.
Cybersecurity attacks have always been on the rise, but their prevalence has only been exacerbated since the start of the pandemic. The field has already become a new front in warfare, international politics, and an avenue in criminal activity, large and small. Now that more people are spending more time with their devices, the scope of hacker-related problems widens ever more and threats like the remote shutdowns of public works and the leaking/sabotage of sensitive data ever increases. Individuals, as well as enterprises, will be ever more affected by these trends.
Indicators of compromise have also been shared from several reliable sources, along with YARA rules, that would help in the detection of this malware in an environment.
Read more security news and tutorials.