Threat Advisory: HermeticWiper

Category: Tool
TLP Level: TLP:WHITE
Severity: Medium

Campaign Active: 2022-02-23
Campaign Identified: 2022-02-23
Campaign Updated: 2022-02-24

Campaign Details:

At 8:00 PM GMT on February 23rd, a data-wiping malware strain named HermeticWiper was observed affecting devices and organizations in Ukraine, Latvia, and Lithuania. HermeticWiper is believed to have been deployed by a Russian threat actor group conducting disruption operations ahead of military action, though no attribution has been made yet. Infections of devices outside Ukraine are believed to be collateral damage or unintended ‘spill-over’.

Detections:

  • Indicators of compromise have been identified for this threat and added to the ReliaQuest Emergency Feed. The below ReliaQuest Detect use-cases and MITRE techniques apply to this threat.
  • Binaries identified as part of the HermeticWiper campaign have been signed by the publisher, “Hermetica Digital Ltd”. No legitimate or additional files have been observed having a signature from this publisher. ReliaQuest has created the Detect use-case “RQ-SC-002674-01 – Hermetica Signed File Detected” to identify the presence of files signed by “Hermetica Digital Ltd” using applicable EDR (Endpoint Detection and Response) logging.
  • Additionally, the malware samples related to HermeticWiper are observed abusing legitimate system drivers from “EaseUS Partition Master”. ReliaQuest has created the Detect use-case “RQ-SH-002675-01 – EaseUS Driver Module Load Detected” to identify when the EaseUS driver is being loaded by an application using applicable EDR logging.
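To show how the two use-cases above translate into detection logic, the following is an added example (not ReliaQuest's or any vendor's code) that scans constructed EDR events in a hypothetical JSON schema; the field names "signer", "image", "module" and "module_product" are assumptions, and the EaseUS driver file name is not given here, so the match is on the module's product name.

```python
import json

# Constructed sample EDR events (hypothetical schema, not a real vendor format).
SAMPLE_EVENTS = "\n".join([
    json.dumps({"host": "ws01", "event": "file_write",
                "image": r"C:\Users\a\Downloads\setup.exe",
                "signer": "Hermetica Digital Ltd"}),
    json.dumps({"host": "ws02", "event": "module_load",
                "image": r"C:\Windows\System32\svchost.exe",
                "module": r"C:\Windows\System32\drivers\example.sys",
                "module_product": "EaseUS Partition Master"}),
    json.dumps({"host": "ws03", "event": "module_load",
                "image": r"C:\Program Files\EaseUS\epm.exe",
                "module": r"C:\Windows\System32\drivers\example.sys",
                "module_product": "EaseUS Partition Master"}),
    json.dumps({"host": "ws04", "event": "file_write",
                "image": r"C:\Windows\notepad.exe",
                "signer": "Microsoft Windows"}),
])

HERMETICA_SIGNER = "hermetica digital ltd"      # publisher named in the advisory
EASEUS_PRODUCT = "easeus partition master"      # abused driver's product name


def evaluate(event):
    """Return a hit dict if the event matches one of the advisory's use-cases."""
    signer = (event.get("signer") or "").strip().lower()
    if signer == HERMETICA_SIGNER:
        # RQ-SC-002674-01: any file carrying this signature is suspect, since no
        # legitimate files have been observed signed by this publisher.
        return {"host": event.get("host"), "rule": "RQ-SC-002674-01",
                "image": event.get("image")}
    if event.get("event") == "module_load":
        product = (event.get("module_product") or "").lower()
        if EASEUS_PRODUCT in product:
            # RQ-SH-002675-01: flag every load of the driver; record whether the
            # loading process lives under an EaseUS path so triage can prioritise
            # loads by unrelated processes (assumed heuristic, not part of the page).
            loader = (event.get("image") or "").lower()
            return {"host": event.get("host"), "rule": "RQ-SH-002675-01",
                    "image": event.get("image"),
                    "expected_loader": "easeus" in loader}
    return None


def scan(lines):
    """Scan newline-delimited JSON events; malformed lines are skipped, not fatal."""
    hits = []
    for line in lines.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = evaluate(event)
        if hit:
            hits.append(hit)
    return hits
```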

Mitigations:

  • Ensure comprehensive coverage of Anti-Virus/Endpoint Detection and Response tools within your environment to provide as much visibility as possible into exploit/threat activity. Additionally, many ReliaQuest Detect use-cases require endpoint logging/visibility to be pushed to production.
  • Maintain regular backups of all critical systems/information. Maintain offline backups as well to increase resilience.

Sources:

[1] https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/
[2] https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
[3] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia

MITRE Techniques:

  • Data Destruction
  • Disk Structure Wipe
