
S0697 HermeticWiper

HermeticWiper is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. Some sectors targeted include government, financial, defense, aviation, and IT services.[5][6][7][4][3]

ID: S0697
Associated Names: Trojan.Killdisk, DriveSlayer
Type: MALWARE
Version: 1.0
Created: 25 March 2022
Last Modified: 18 October 2022

Associated Software Descriptions

Name Description
Trojan.Killdisk [1][6]
DriveSlayer [2][7]

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation HermeticWiper can use AdjustTokenPrivileges to grant itself privileges for debugging with SeDebugPrivilege, creating backups with SeBackupPrivilege, loading drivers with SeLoadDriverPrivilege, and shutting down a local system with SeShutdownPrivilege.[3][7]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell HermeticWiper can use cmd.exe /Q/c move CSIDL_SYSTEM_DRIVE\temp\sys.tmp1 CSIDL_WINDOWS\policydefinitions\postgresql.exe 1> \\127.0.0.1\ADMIN$\_1636727589.6007507 2>&1 to deploy on an infected system.[8]
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service HermeticWiper can load drivers by creating a new service using the CreateServiceW API.[7]
enterprise T1485 Data Destruction HermeticWiper can recursively wipe folders and files in the Windows, Program Files, Program Files (x86), PerfLogs, Boot, System Volume Information, and AppData folders using FSCTL_MOVE_FILE. HermeticWiper can also overwrite symbolic links and big files in My Documents and on the Desktop with random bytes.[8]
enterprise T1140 Deobfuscate/Decode Files or Information HermeticWiper can decompress and copy driver files using LZCopy.[7]
enterprise T1561 Disk Wipe -
enterprise T1561.001 Disk Content Wipe HermeticWiper has the ability to corrupt disk partitions and obtain raw disk access to destroy data.[7][5]
enterprise T1561.002 Disk Structure Wipe HermeticWiper has the ability to corrupt disk partitions, damage the Master Boot Record (MBR), and overwrite the Master File Table (MFT) of all available physical drives.[5][6][7][3]
enterprise T1484 Domain Policy Modification -
enterprise T1484.001 Group Policy Modification HermeticWiper has the ability to deploy through an infected system's default domain policy.[8]
enterprise T1083 File and Directory Discovery HermeticWiper can enumerate common folders such as My Documents, Desktop, and AppData.[5][3]
enterprise T1562 Impair Defenses -
enterprise T1562.006 Indicator Blocking HermeticWiper has the ability to set the HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled Registry key to 0 in order to disable crash dumps.[5][7][3]
enterprise T1070 Indicator Removal HermeticWiper can disable pop-up information about folders and desktop items and delete Registry keys to hide malicious services.[7][8]
enterprise T1070.001 Clear Windows Event Logs HermeticWiper can overwrite the C:\Windows\System32\winevt\Logs file on a targeted system.[8]
enterprise T1070.004 File Deletion HermeticWiper has the ability to overwrite its own file with random bytes.[7][8]
enterprise T1490 Inhibit System Recovery HermeticWiper can disable the VSS service on a compromised host using the service control manager.[7][8][3]
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location HermeticWiper has used the name postgressql.exe to mask a malicious payload.[8]
enterprise T1112 Modify Registry HermeticWiper has the ability to modify Registry keys to disable crash dumps, colors for compressed files, and pop-up information about folders and desktop items.[5][7][3]
enterprise T1106 Native API HermeticWiper can call multiple Windows API functions used for privilege escalation, service execution, and to overwrite random bytes of data.[5][7][8][3]
enterprise T1027 Obfuscated Files or Information HermeticWiper can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm.[6][7][3]
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task HermeticWiper has the ability to use scheduled tasks for execution.[6]
enterprise T1489 Service Stop HermeticWiper has the ability to stop the Volume Shadow Copy service.[3]
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing The HermeticWiper executable has been signed with a legitimate certificate issued to Hermetica Digital Ltd.[6][7][4][3]
enterprise T1082 System Information Discovery HermeticWiper can determine the OS version, bitness, and enumerate physical drives on a targeted host.[5][7][8][3]
enterprise T1569 System Services -
enterprise T1569.002 Service Execution HermeticWiper can create system services to aid in executing the payload.[5][7][3]
enterprise T1529 System Shutdown/Reboot HermeticWiper can initiate a system shutdown.[5][3]
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.003 Time Based Evasion HermeticWiper has the ability to receive a command parameter to sleep prior to carrying out destructive actions on a targeted host.[7]
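Several of the rows above describe host telemetry a defender can watch for: the cmd.exe move into policydefinitions\postgresql.exe (T1059.003, T1036.005), CrashDumpEnabled set to 0 (T1562.006, T1112), a driver loaded through a newly created service (T1543.003), and the Volume Shadow Copy service being stopped (T1489, T1490). The Python script below is an added detection example written for this page; it is not MITRE's code and contains nothing from a HermeticWiper sample. It runs one check per behaviour over constructed, simplified event records. The record shapes and field names (source, event_id, command_line, target_object, details, service_type, state), the placeholder driver service name, and the expansion of the page's CSIDL_SYSTEM_DRIVE and CSIDL_WINDOWS placeholders to C:\ and C:\Windows are all assumptions, not facts from the page.

```python
import re

# Constructed sample telemetry (not real captures). Record shapes and field
# names are simplified assumptions modelled on Sysmon event IDs 1 and 13 and
# System-log event IDs 7045 and 7036. CSIDL placeholders from the ATT&CK row
# are expanded to C:\ and C:\Windows here (an assumption).
SAMPLE_EVENTS = [
    {"source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": (r"cmd.exe /Q/c move C:\temp\sys.tmp1 "
                      r"C:\Windows\policydefinitions\postgresql.exe "
                      r"1> \\127.0.0.1\ADMIN$\_1636727589.6007507 2>&1")},
    {"source": "Sysmon", "event_id": 13,
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
     "details": "DWORD (0x00000000)"},
    {"source": "System", "event_id": 7045,
     "service_name": "hypothetical_drv",  # placeholder, not a real driver name
     "service_type": "kernel mode driver",
     "image_path": r"C:\Windows\System32\drivers\hypothetical_drv.sys"},
    {"source": "System", "event_id": 7036,
     "service_name": "Volume Shadow Copy", "state": "stopped"},
    {"source": "Sysmon", "event_id": 1,  # benign control record, must not match
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe readme.txt"},
]


def check_staging_via_cmd(ev):
    """T1059.003 + T1036.005: cmd.exe moving a staged temp file into
    policydefinitions\\postgresql.exe (the deployment command in the table)."""
    if ev.get("source") != "Sysmon" or ev.get("event_id") != 1:
        return []
    cl = ev.get("command_line", "").lower()
    if re.search(r"\bmove\b", cl) and r"policydefinitions\postgresql.exe" in cl:
        return ["T1059.003", "T1036.005"]
    return []


def check_crash_dump_disabled(ev):
    """T1562.006 + T1112: CrashControl\\CrashDumpEnabled written as DWORD 0."""
    if ev.get("source") != "Sysmon" or ev.get("event_id") != 13:
        return []
    key = ev.get("target_object", "").lower()
    details = ev.get("details", "")
    # Sysmon renders DWORD data as "DWORD (0x00000000)"; match only an all-zero value.
    if key.endswith(r"\control\crashcontrol\crashdumpenabled") and re.search(r"\(0x0+\)", details):
        return ["T1562.006", "T1112"]
    return []


def check_driver_service_install(ev):
    """T1543.003: a kernel-mode driver installed as a new service (event 7045)."""
    if ev.get("source") != "System" or ev.get("event_id") != 7045:
        return []
    if "kernel" in ev.get("service_type", "").lower():
        return ["T1543.003"]
    return []


def check_vss_stopped(ev):
    """T1489 + T1490: the Volume Shadow Copy service entering the stopped state (7036)."""
    if ev.get("source") != "System" or ev.get("event_id") != 7036:
        return []
    name = ev.get("service_name", "").lower()
    if name in ("vss", "volume shadow copy") and ev.get("state", "").lower() == "stopped":
        return ["T1489", "T1490"]
    return []


CHECKS = [check_staging_via_cmd, check_crash_dump_disabled,
          check_driver_service_install, check_vss_stopped]


def triage(events):
    """Return one (event index, technique id) pair per matched ATT&CK technique."""
    hits = []
    for i, ev in enumerate(events):
        for check in CHECKS:
            for tid in check(ev):
                hits.append((i, tid))
    return hits


def matched_techniques(events):
    """Sorted, de-duplicated technique IDs observed across all events."""
    return sorted({tid for _, tid in triage(events)})


if __name__ == "__main__":
    for idx, tid in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {tid}")
```

Each check is deliberately narrow and keyed to a concrete artifact from the table rather than to the wiper itself, so the same checks also surface any other tooling that disables crash dumps, stops VSS, or stages a payload under policydefinitions; on real telemetry, pair the 7045 check with a driver signature or hash allow-list, because legitimate software installs kernel drivers too.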

References