A destructive new malware dubbed Hermetic Wiper is being used in cyberattacks in Ukraine, and there are fears that there could be spillover into other countries akin to the NotPetya wiper malware attacks in 2017.
According to a recent report by cybersecurity firm ESET, Hermetic Wiper has been used in several attacks in Ukraine starting on February 24, 2022. The malware masquerades as ransomware and victims are told that their files have been encrypted, but there is no mechanism for recovery as the Hermetic Wiper renders systems inoperable by corrupting the master boot record (MBR).
Analysis of the malware has revealed it has worm-like properties and is able to spread across a local network via WMI and SMB. While there is no mechanism for recovery, there is a Go-based data extortion component. The malware is so named because it carries a code signing certificate assigned to Hermetic Digital. ESET has not attributed the malware to any specific threat group.
ESET has also found a second wiper malware variant that was used in an attack on a government network in Ukraine, which the Slovakian cybersecurity firm has named IsaacWiper. ESET is still analyzing the malware, and it is unclear at this stage whether it is linked to Hermetic Wiper. ESET said the malware was detected on a system that had not been infected with Hermetic Wiper.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have issued indicators of compromise (IoCs) to help security teams identify infections, along with IoCs of another Wiper malware that was used in attacks in Ukraine earlier this year – WhisperGate – which similarly used a ransomware decoy. The security advisory also includes best practices for handling destructive malware and strategies that can be adopted to improve resilience to destructive malware attacks.
CISA and the FBI warn that these types of destructive malware have several potential distribution vectors. They are often spread via email and instant messenger services, can be dropped from websites, and can be packaged with legitimate files through peer-to-peer file-sharing networks.
“The [Hermetic Wiper] has the capability to target a large scope of systems and can execute across multiple systems throughout a network. As a result, it is important for organizations to assess their environment for atypical channels for malware delivery and/or propagation throughout their system,” explained CISA and the FBI in the security alert. Organizations should assess enterprise applications that have the capability to interface with and impact multiple hosts, including patch management and asset management systems, antivirus software, remote assistance software, backup servers, centralized file servers, and systems assigned to system and network administrative personnel.