S0697 HermeticWiper
HermeticWiper is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. Some sectors targeted include government, financial, defense, aviation, and IT services.[5][6][7][4][3]
Item | Value |
---|---|
ID | S0697 |
Associated Names | Trojan.Killdisk, DriveSlayer |
Type | MALWARE |
Version | 1.0 |
Created | 25 March 2022 |
Last Modified | 18 October 2022 |
Associated Software Descriptions
Name | Description |
---|---|
Trojan.Killdisk | [1][6] |
DriveSlayer | [2][7] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1134 | Access Token Manipulation | HermeticWiper can use `AdjustTokenPrivileges` to grant itself privileges for debugging with `SeDebugPrivilege`, creating backups with `SeBackupPrivilege`, loading drivers with `SeLoadDriverPrivilege`, and shutting down a local system with `SeShutdownPrivilege`.[3][7] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | HermeticWiper can use `cmd.exe /Q/c move CSIDL_SYSTEM_DRIVE\temp\sys.tmp1 CSIDL_WINDOWS\policydefinitions\postgresql.exe 1> \\127.0.0.1\ADMIN$\_1636727589.6007507 2>&1` to deploy on an infected system.[8] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | HermeticWiper can load drivers by creating a new service using the `CreateServiceW` API.[7] |
enterprise | T1485 | Data Destruction | HermeticWiper can recursively wipe folders and files in Windows, Program Files, Program Files(x86), PerfLogs, Boot, System, Volume Information, and AppData folders using `FSCTL_MOVE_FILE`. HermeticWiper can also overwrite symbolic links and big files in My Documents and on the Desktop with random bytes.[8] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | HermeticWiper can decompress and copy driver files using `LZCopy`.[7] |
enterprise | T1561 | Disk Wipe | - |
enterprise | T1561.001 | Disk Content Wipe | HermeticWiper has the ability to corrupt disk partitions and obtain raw disk access to destroy data.[7][5] |
enterprise | T1561.002 | Disk Structure Wipe | HermeticWiper has the ability to corrupt disk partitions, damage the Master Boot Record (MBR), and overwrite the Master File Table (MFT) of all available physical drives.[5][6][7][3] |
enterprise | T1484 | Domain Policy Modification | - |
enterprise | T1484.001 | Group Policy Modification | HermeticWiper has the ability to deploy through an infected system's default domain policy.[8] |
enterprise | T1083 | File and Directory Discovery | HermeticWiper can enumerate common folders such as My Documents, Desktop, and AppData.[5][3] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.006 | Indicator Blocking | HermeticWiper has the ability to set the `HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled` Registry key to 0 in order to disable crash dumps.[5][7][3] |
enterprise | T1070 | Indicator Removal | HermeticWiper can disable pop-up information about folders and desktop items and delete Registry keys to hide malicious services.[7][8] |
enterprise | T1070.001 | Clear Windows Event Logs | HermeticWiper can overwrite the `C:\Windows\System32\winevt\Logs` file on a targeted system.[8] |
enterprise | T1070.004 | File Deletion | HermeticWiper has the ability to overwrite its own file with random bytes.[7][8] |
enterprise | T1490 | Inhibit System Recovery | HermeticWiper can disable the VSS service on a compromised host using the service control manager.[7][8][3] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | HermeticWiper has used the name `postgressql.exe` to mask a malicious payload.[8] |
enterprise | T1112 | Modify Registry | HermeticWiper has the ability to modify Registry keys to disable crash dumps, colors for compressed files, and pop-up information about folders and desktop items.[5][7][3] |
enterprise | T1106 | Native API | HermeticWiper can call multiple Windows API functions used for privilege escalation, service execution, and to overwrite random bytes of data.[5][7][8][3] |
enterprise | T1027 | Obfuscated Files or Information | HermeticWiper can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm.[6][7][3] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | HermeticWiper has the ability to use scheduled tasks for execution.[6] |
enterprise | T1489 | Service Stop | HermeticWiper has the ability to stop the Volume Shadow Copy service.[3] |
enterprise | T1553 | Subvert Trust Controls | - |
enterprise | T1553.002 | Code Signing | The HermeticWiper executable has been signed with a legitimate certificate issued to Hermetica Digital Ltd.[6][7][4][3] |
enterprise | T1082 | System Information Discovery | HermeticWiper can determine the OS version, bitness, and enumerate physical drives on a targeted host.[5][7][8][3] |
enterprise | T1569 | System Services | - |
enterprise | T1569.002 | Service Execution | HermeticWiper can create system services to aid in executing the payload.[5][7][3] |
enterprise | T1529 | System Shutdown/Reboot | HermeticWiper can initiate a system shutdown.[5][3] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.003 | Time Based Evasion | HermeticWiper has the ability to receive a command parameter to sleep prior to carrying out destructive actions on a targeted host.[7] |
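The following host-audit script is an added example, not part of the ATT&CK entry or of any cited report. It checks a Windows host for the state changes the table above attributes to HermeticWiper: the CrashDumpEnabled value (T1562.006), a disabled VSS service (T1490), the drop path from the T1059.003 row (T1036.005), and executables signed by a certificate issued to Hermetica Digital Ltd (T1553.002). The set of directories scanned for signatures is an assumption chosen for illustration.

```powershell
# Added audit example (not from the ATT&CK page or the referenced reports).
# Reports host-state changes matching the HermeticWiper technique rows.
# Run from an elevated PowerShell session; read-only, changes nothing.
$findings = @()

# T1562.006 / T1112: CrashDumpEnabled = 0 disables crash dumps.
$crashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$crash = Get-ItemProperty -Path $crashKey -ErrorAction SilentlyContinue
if ($null -ne $crash -and $crash.CrashDumpEnabled -eq 0) {
    $findings += "CrashDumpEnabled is 0 under $crashKey (crash dumps disabled)"
}

# T1490 / T1489: VSS is Manual by default, so only a Disabled start type is
# flagged; a merely stopped VSS service is normal on an idle host.
$vss = Get-Service -Name VSS -ErrorAction SilentlyContinue
if ($vss -and $vss.StartType -eq 'Disabled') {
    $findings += "VSS service start type is Disabled (status: $($vss.Status))"
}

# T1036.005: payload staged as postgresql.exe under the PolicyDefinitions
# folder (CSIDL_WINDOWS resolves to the Windows directory).
$dropPath = Join-Path $env:windir 'PolicyDefinitions\postgresql.exe'
if (Test-Path -Path $dropPath) {
    $findings += "Unexpected executable present: $dropPath"
}

# T1553.002: executables whose Authenticode signer is Hermetica Digital Ltd.
# Scan scope is an assumption; widen it to suit the environment.
$scanDirs = @($env:windir, (Join-Path $env:windir 'PolicyDefinitions'), $env:TEMP)
$exes = Get-ChildItem -Path $scanDirs -Filter '*.exe' -File -ErrorAction SilentlyContinue
foreach ($exe in $exes) {
    $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
    if ($sig.SignerCertificate -and
        $sig.SignerCertificate.Subject -like '*Hermetica Digital*') {
        $findings += "Signed by Hermetica Digital Ltd: $($exe.FullName)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No HermeticWiper-related host changes found.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

A CrashDumpEnabled value of 0 or a disabled VSS service can also result from legitimate administration, so treat each finding as a lead to correlate with service-creation and scheduled-task events rather than as a verdict on its own.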
References
1. CISA. (2022, February 26). Destructive Malware Targeting Organizations in Ukraine. Retrieved March 25, 2022.
2. Crowdstrike. (2022, March 1). Decryptable PartyTicket Ransomware Reportedly Targeting Ukrainian Entities. Retrieved March 1, 2022.
3. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
4. ESET. (2022, February 24). HermeticWiper: New data wiping malware hits Ukraine. Retrieved March 25, 2022.
5. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.
6. Symantec Threat Hunter Team. (2022, February 24). Ukraine: Disk-wiping Attacks Precede Russian Invasion. Retrieved March 25, 2022.
7. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
8. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022.