March 29, 2023

Several organizations in Ukraine have been hit by a cyberattack that involved new data-wiping malware dubbed HermeticWiper and impacted hundreds of computers on their networks, ESET Research has found. The attack came just hours after a series of distributed denial-of-service (DDoS) onslaughts knocked several important websites in the country offline.

Detected by ESET as Win32/KillDisk.NCV, the data wiper was first spotted just before 5 p.m. local time (3 p.m. UTC) on Wednesday. The wiper’s timestamp, meanwhile, shows that it was compiled on December 28th, 2021, suggesting that the attack may have been in the works for some time.

Advertisements

HermeticWiper misused legitimate drivers of popular disk management software. The wiper abuses legitimate drivers from the EaseUS Partition Master software in order to corrupt data.

The attackers used a genuine code-signing certificate issued to a Cyprus-based company called Hermetica Digital Ltd., hence the wiper’s name.

In at least one of the targeted organizations, the attackers have taken control of the Active Directory server and dropped via the default Group Policy Object (GPO).It also appears that at least in one case, the threat actors had access to a victim’s network before unleashing the malware.

Earlier on 23rd Feb 2022, several Ukrainian websites were knocked offline in a fresh wave of DDoS attacks that have been targeting the country for weeks now.

In the middle of January 2022, another data wiper swept through Ukraine. Called WhisperGate, the wiper masqueraded as ransomware and brought some echoes of the NotPetya attack that hit Ukraine in June 2017 before causing havoc around the world.

Advertisements

Indicators of Compromise (IOCs)

FILE SYSTEM:

%WINDIR%\system32\driver\<random_2chars>dr

REGISTRY:

HKLM\SYSTEM\CurrentControlSet\Control\CrashControl

CrashDumpEnabled = 0

HKEY_USERS\<ID>\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

ShowCompColor = 0

ShowInfoTip = 0

HKLM\SYSTEM\CurrentControlSet\services\<random_2chars>dr

SERVICE:

service name: <random_2chars>dr

FILE HASH :

1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da

Tags:

1 thought on “HermeticWiper ! Precedes Ukraine DDoS Attack

  1. Pingback: Party Ticket Ransomware Unearthed - TheCyberThrone

Leave a Reply

You may have missed

Apple Backports ZeroDay Patches for older devices

Apple Backports ZeroDay Patches for older devices

March 28, 2023
Apache Fineract Vulnerabilities

Apache Fineract Vulnerabilities

March 28, 2023
IceID Malware Shifting Focus to Ransomwares

IceID Malware Shifting Focus to Ransomwares

March 28, 2023
Sun Pharma suffers a Security Incident

Sun Pharma suffers a Security Incident

March 28, 2023
Twitter Source Code Leak on Git

Twitter Source Code Leak on Git

March 27, 2023
Okta Credentials Exposed via Post Exploitation Attack

Okta Credentials Exposed via Post Exploitation Attack

March 27, 2023
%d bloggers like this: