June 30, 2022

TheCyberThrone

Thinking Security ! Always

IssacWiper Found Attacking Ukraine

A new data wiper malware called IsaacWiper has been identified in Ukrainian government network recently. Multiple cyberattacks are happening in Ukraine and Russia due to the ongoing Russian invasion of Ukraine. 

Slovak cybersecurity firm ESET identified the new malware ‘IsaacWiper‘ and was found in the Ukrainian network on Feb 24th which wasn’t infected by HemeticWiper aka Foxblade malware.

As per ESET, attackers have exploited tools like Impacket and RemCom, remote access software to breach the network, lateral movement and malware distribution. IsaacWiper isn’t identical to HermeticWiper in its code and is found to be less sophisticated. Later on Feb 25th, attackers updated the IsaacWiper with debug logs to wipe the infected system as the primary version wasn’t capable of achieving it.

Advertisements

Considering the escalating tensions between Ukraine and Russia in recent days, the cyberattacks are only expected to rise for either side. The Ukraine has also set up an IT army to be more cyber active against Russia during these unprecedented times. Both IssacWiper and HermaticWiper can continue to affect Ukrainian infrastructure until the root cause of these malware are identified and rectified.

IsaacWiper is found in either a Windows DLL or EXE with no Authenticode signature; it appeared in our telemetry on February 24th, 2022. As mentioned earlier, the oldest PE compilation timestamp we have found is October 19th, 2021, meaning that if its PE compilation timestamp was not tampered with, IsaacWiper might have been used in previous operations months earlier.

For DLL samples, the name in the PE export directory is Cleaner.dll and it has a single export _Start@4.

Its been observed IsaacWiper in %programdata% and C:\Windows\System32 under the following filenames:

  • clean.exe
  • cl.exe
  • cl64.dll
  • cld.dll
  • cll.dll

IsaacWiper starts by enumerating the physical drives and calls DeviceIoControl with the IOCTL IOCTL_STORAGE_GET_DEVICE_NUMBER to get their device numbers. It then wipes the first 0x10000 bytes of each disk using the ISAAC pseudorandom generator. The generator is seeded using the GetTickCount value.

It then enumerates the logical drives and recursively wipes every file of each disk with random bytes also generated by the ISAAC PRNG. It is interesting to note that it recursively wipes the files in a single thread, meaning that it would take a long time to wipe a large disk.

Advertisements

The logs are stored in C:\ProgramData\log.txt and some of the log messages are:

  • getting drives…
  • start erasing physical drives…
  • start erasing logical drive
  • start erasing system physical drive…
  • system physical drive –– FAILED
  • start erasing system logical drive

Indicators of Compromise

  • AD602039C6F0237D4A997D5640E92CE5E2B3BBA3
  • 736A4CFAD1ED83A6A0B75B0474D5E01A3A36F950
  • E9B96E9B86FAD28D950CA428879168E0894D854F
%d bloggers like this: