.text-component ul, .text-component ol {list-style-position: outside;margin-left: 20px;}.text-component li {margin-bottom: 20px;}.divTable{display: table;width: 100%;}.divTableRow {display: table-row;}.divTableHeading {background-color: #EEE;display: table-header-group;}.divTableCell, .divTableHead {border: 1px solid #999999;display: table-cell;padding: 3px 10px;}.divTableHeading {background-color: #EEE;display: table-header-group;font-weight: bold;}.divTableFoot {background-color: #EEE;display: table-footer-group;font-weight: bold;}.divTableBody {display: table-row-group;}

Category: Tool
TLP Level: TLP:WHITE
Severity: Medium

Campaign Active: 2022-02-23
Campaign Identified: 2022-02-23
Campaign Updated: 2022-02-24

Campaign Details:

At 8:00 PM GMT on February 23rd, a data-wiping malware strain named HermeticWiper has been observed affecting devices and organizations in Ukraine, Latvia, and Lithuania. It is believed that HermeticWiper was deployed by a Russian Threat Actor group conducting disruption operations prior to military action, though no attribution has been made yet. The infection of devices outside of Ukraine are believed to be collateral damage or unintended ‘spill-over.’

Detections:

  • Indicators of compromise have been identified for this threat and added to the ReliaQuest Emergency Feed. The below ReliaQuest Detect use-cases and MITRE techniques apply to this threat.
  • Binaries identified as part of the HermeticWiper campaign have been signed by the publisher, “Hermetica Digital Ltd”. No legitimate or additional files have been observed having a signature from this publisher. ReliaQuest has created the Detect use-case “RQ-SC-002674-01 – Hermetica Signed File Detected” to identify the presence of files signed by “Hermetica Digital Ltd” using applicable EDR (Endpoint Detection and Response) logging.
  • Additionally, the malware samples related to HermeticWiper are observed abusing legitimate system drivers from “EaseUS Partition Master”. ReliaQuest has created the Detect use-case “RQ-SH-002675-01 – EaseUS Driver Module Load Detected” to identify when the EaseUS driver is being loaded by an application using applicable EDR logging.

Mitigations:

  • Ensure comprehensive coverage of Anti-Virus/Endpoint Detection and Response tools within your environment to provide as much visibility as possible into exploit/threat activity. Additionally, many ReliaQuest Detect use-cases require endpoint logging/visibility to be pushed to production.
  • Maintain regular backups of all critical systems/information. Maintain offline backups as well to increase resilience.

Sources:

[1] https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/
[2] https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
[3] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia

MITRE Techniques:

Technique ID:
Technique Name:
Data Destruction
Disk Structure Wipe