Threat Alert

by IthacaLabs™

THREAT LEVEL/High 25/02/2022

New Wiper Malware Targeting Ukraine Amid Russia’s Military Operation

Threat Level Description

Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.

Description

We have observed that a new data wiper malware, accompanied by a distribution of a ransomware strain against hundreds of machines in Ukraine, allegedly launched by Russian forces, has been identified.

The data wiping malware, named “HermeticWiper” (aka KillDisk.NCV) can disrupt the functionality of important information resources and services, causing also reputational damage.

The wiper malware takes advantage of a compromised host’s high privileges to make it ‘unbootable’ by overwriting boot records and configurations, erasing device configurations, and deleting shadow copies.

The “HermeticWiper” is dropping a driver to do a low-level partition manipulation. This driver appears to be a legitimate EaseUS Partition Master driver. Then it proceeds to impair the first 512 bytes, the Master Boot Record (MBR), for every physical drive, before initiating a system shutdown and effectively rendering the target inoperable.

Furthermore, it was observed that ransomware attacks were also used to target impacted organizations at the same time as the wiper. The ransomware was most likely utilized as a ruse or distraction from the wiper operations. Thus, the “HermeticWiper” is configured to not encrypt domain controllers in order to keep the domain running and allow the ransomware attacks to use valid credentials to authenticate to servers and encrypt them. This highlights that the threat actors use compromised identities to access the network and/or move laterally.

As the attacks continue to unfold both on the physical and digital realms, there is a high likelihood of further cyber-attacks against Ukraine and other countries in the region. IthacaLabs team will continue to actively monitor the situation and deliver updates if new information becomes available.

CVE(s)

N/A

Affected Systems

  • N/A

Recommendation(s)

The “HermeticWiper” requires the compromise of identities and the abuse of privileged credentials, Thus, the risk mitigation efforts should focus on endpoint privileged access controls. ClearSkies™ Endpoint Detection and Response (EDR) provides protection against this type of malware and attacks.

Further guidelines below will help you protect against Ransomware and its associated security threats:
* Back up your data. The single biggest thing that will defeat ransomware is having a regularly updated backup.
* Consider enabling the “Show hidden file-extensions”. One way that ransomware such as Cryptolocker frequently arrives is in a file that is named with the extension “.PDF.EXE”, counting on Window’s default behavior of hiding known file-extensions.
* Filter executable files in email. If your email gateway has the ability to filter files by extension, you may wish to deny mails sent with “.exe”, “.scr”, “.bat” files, or to deny mails sent with files that have two file extensions, the last one being executable.
* Disable files running from AppData/LocalAppData folders. You can create rules within Windows or with Host Intrusion Prevention software, to disallow a particular, notable behavior used by ransomware, which is to run its executable from the App Data or Local App Data folders.
* Disable macros in Microsoft Office files. Most people may not be aware that Microsoft Office Files are like a file-system within a file system, which includes the ability to use a powerful scripting language to automate almost any action you could perform with a full executable file. By disabling macros in Office files, you deactivate the use of this scripting language.
* Do not open e-mail from unknown sources. Be suspicious of emails purporting to be from financial institution, government department, or other agency requesting account information, account verification or banking access credentials sush as usernames, passwords, PIN codes, and similar information. Opening file attachments od clicking on web links in suspicious emails could expose your system to malicious code that could hijack your computer.
* Never respond to a suspicious email or click on any hyperlink embedded in a suspicious email. Call the purported source if you are unsure who sent an email.
* If an email claiming to be from your financial organization seems suspicious, checking with your financial organization may be appropriate.
* Keep your antivirus up to date and use real time protection.
* It is also recommended to implement a Security Awareness program, addressed to all your management and staff, designed to increase the level of understanding regarding Social Engineering and security threats in general.

Finally, in case that a system is compromised, it should be immediately removed from the network.

Below you can find indicators of a compromised systems along with the known signatures of the malware:

IOC – Indicators of Compromise:

1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 – Trojan.Killdisk
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da – Trojan.Killdisk
a64c3e0522fad787b95bfb6a30c3aed1b5786e69e88e023c062ec7e5cebf4d3e – Trojan.Killdisk
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 – Ransomware

Known Signatures:

  • Trojan.Killdisk
  • Trojan.Gen.2
  • Trojan Horse
  • Ws.Malware.2

References

Get the latest Threat Alerts in your inbox.