S0698 HermeticWizard

HermeticWizard is a worm that has been used to spread HermeticWiper in attacks against organizations in Ukraine since at least 2022.¹

Item	Value
ID	S0698
Associated Names
Type	MALWARE
Version	1.0
Created	25 March 2022
Last Modified	11 April 2022
Navigation Layer	View In ATT&CK® Navigator

Techniques Used

Domain	ID	Name	Use
enterprise	T1110	Brute Force	-
enterprise	T1110.001	Password Guessing	HermeticWizard can use a list of hardcoded credentials in attempt to authenticate to SMB shares.¹
enterprise	T1059	Command and Scripting Interpreter	-
enterprise	T1059.003	Windows Command Shell	HermeticWizard can use `cmd.exe` for execution on compromised hosts.¹
enterprise	T1070	Indicator Removal	-
enterprise	T1070.001	Clear Windows Event Logs	HermeticWizard has the ability to use `wevtutil cl system` to clear event logs.¹
enterprise	T1559	Inter-Process Communication	-
enterprise	T1559.001	Component Object Model	HermeticWizard can execute files on remote machines using DCOM.¹
enterprise	T1570	Lateral Tool Transfer	HermeticWizard can copy files to other machines on a compromised network.¹
enterprise	T1036	Masquerading	-
enterprise	T1036.005	Match Legitimate Name or Location	HermeticWizard has been named `exec_32.dll` to mimic a legitimate MS Outlook .dll.¹
enterprise	T1106	Native API	HermeticWizard can connect to remote shares using `WNetAddConnection2W`.¹
enterprise	T1046	Network Service Discovery	HermeticWizard has the ability to scan ports on a compromised network.¹
enterprise	T1027	Obfuscated Files or Information	HermeticWizard has the ability to encrypt PE files with a reverse XOR loop.¹
enterprise	T1021	Remote Services	-
enterprise	T1021.002	SMB/Windows Admin Shares	HermeticWizard can use a list of hardcoded credentials to to authenticate via NTLMSSP to the SMB shares on remote systems.¹
enterprise	T1018	Remote System Discovery	HermeticWizard can find machines on the local network by gathering known local IP addresses through `DNSGetCacheDataTable`, `GetIpNetTable`,`WNetOpenEnumW(RESOURCE_GLOBALNET, RESOURCETYPE_ANY)`,`NetServerEnum`,`GetTcpTable`, and `GetAdaptersAddresses.`¹
enterprise	T1553	Subvert Trust Controls	-
enterprise	T1553.002	Code Signing	HermeticWizard has been signed by valid certificates assigned to Hermetica Digital.¹
enterprise	T1218	System Binary Proxy Execution	-
enterprise	T1218.010	Regsvr32	HermeticWizard has used `regsvr32.exe /s /i` to execute malicious payloads.¹
enterprise	T1218.011	Rundll32	HermeticWizard has the ability to create a new process using `rundll32`.¹
enterprise	T1569	System Services	-
enterprise	T1569.002	Service Execution	HermeticWizard can use `OpenRemoteServiceManager` to create a service.¹
enterprise	T1047	Windows Management Instrumentation	HermeticWizard can use WMI to create a new process on a remote machine via `C:\windows\system32\cmd.exe /c start C:\windows\system32\\regsvr32.exe /s /iC:\windows\<filename>.dll`.¹

References

ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩