Hermetic Wiper & resurgence of targeted attacks on Ukraine

Summary

Since Jan 2022, ThreatLabz has observed a resurgence in targeted attack activity against Ukraine. We identified two attack-chains in the timeframe - Jan to Feb 2022, which we attribute to the same threat actor with a moderate confidence level. It is important to note that we are not attributing the attacks to any nation-state backed threat actors at this point, since we don’t have full visibility into the final payloads and the motives of the attack. The C2 infrastructure re-use points to Gamaredon APT threat actor, however more visibility is needed for proper attribution.

The first attack-chain was documented by the CERT team of Ukraine on 1st Feb 2022. It involved spear phishing emails sent to the “State Administration of Seaports of Ukraine”. The samples corresponding to the next-stage document template and the VBScript payload were not available in the public domain. We were able to identify the document template and the VBScript payload, and we share their technical analysis in this blog.

On 11th Feb 2022, we identified a sample uploaded to VirusTotal from Ukraine which led to our discovery of a previously undocumented attack-chain. We describe the technical details of this second attack-chain in the blog. By pivoting on the metadata of the files, we were able to discover 7 unique samples and trace the origins of the campaign back to Nov 2020.

On 23rd Feb 2022, there were reports of a new sophisticated wiper malware hitting several organizations in Ukraine with the objective of destroying data and causing business disruption. The ThreatLabz team analyzed the malware payload involved and uncovered several new tactics used in these attacks.

In this blog, we will look at the technical details of these recent attacks targeting commercial and public entities in Ukraine.

  1. Hermetic Wiper DoS Attack - Technical Analysis [in-progress]

Timeframe - 23rd Feb 2022 onwards

Hermetic Wiper is a sophisticated malware family that is designed to destroy data and render a system inoperable.
The wiper is multi-threaded to maximize speed and utilizes a kernel driver for low-level disk access.
These driver files appear to be part of an outdated version of the EaseUS Partition Master application developed by CHENGDU YIWO Tech Development.

The malware was compiled at 2022-02-23 09:48:53 UTC and was digitally signed with a valid certificate that was issued to Hermetica Digital Ltd. as shown in Figure 1.

Figure 1: Hermetic Wiper’s digital signature

The malware supports two command-line arguments that control the maximum duration to spend destroying data before forcing the system to reboot. The wiper contains four resources with the names and hashes shown in Table 1. These resources are compressed, digitally signed drivers that are used to interact with disks.

Driver filename: DRV_X64
  Compressed SHA256:   e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5
  Decompressed SHA256: 96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84

Driver filename: DRV_X86
  Compressed SHA256:   b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1
  Decompressed SHA256: 8c614cf476f871274aa06153224e8f7354bf5e23e6853358591bf35a381fb75b

Driver filename: DRV_XP_X64
  Compressed SHA256:   b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd
  Decompressed SHA256: 23ef301ddba39bb00f0819d2061c9c14d17dc30f780a945920a51bc3ba0198a4

Driver filename: DRV_XP_X86
  Compressed SHA256:   fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d
  Decompressed SHA256: 2c7732da3dcfc82f60f063f2ec9fa09f9d38d5cfbe80c850ded44de43bdb666d

Table 1: Driver files embedded in Hermetic Wiper

The specific driver that is extracted depends on whether the Windows operating system is 32-bit or 64-bit, and whether it is Windows XP or a newer release. The version check is performed with VerSetConditionMask and VerifyVersionInfoW. These functions are rarely seen in malware compared with the more common GetVersion family, which is worth keeping in mind when triaging imports or writing detection logic.

After these resources are extracted from the binary, the Windows LZ extraction library functions are used to decompress them. The Windows command-line utility expand.exe can also be used to manually decompress the drivers as shown in Figure 2.

Figure 2: Manual decompression of the Hermetic Wiper drivers using the Windows expand utility.
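The decompression step above can be reproduced without expand.exe. The following Python decoder, added for this write-up (it is not ThreatLabz tooling or code taken from the malware), implements the SZDD container format that the Windows LZ API and expand.exe handle, and then checks the result against an expected decompressed SHA256 such as one from Table 1. The sample container at the bottom is constructed by hand for demonstration and is not one of the real DRV_* resources.

```python
"""Expand a Hermetic Wiper driver resource (Microsoft SZDD container, the
format handled by the Windows LZ API and by expand.exe) and check the
result against an expected SHA256, such as a decompressed hash from Table 1.

Added example for this write-up; it is not ThreatLabz tooling and not code
from the malware. The sample container at the bottom is constructed by hand
for demonstration and is not one of the real DRV_* resources.
"""
import hashlib
import struct
from typing import Tuple

SZDD_MAGIC = b"SZDD\x88\xF0\x27\x33"
HEADER_LEN = 14           # magic(8) + mode(1) + missing filename char(1) + size(4)
WINDOW = 4096


def szdd_decompress(blob: bytes) -> bytes:
    """Decode an SZDD 'A'-mode container into the original file bytes.

    The payload is LZSS over a 4096-byte ring buffer that starts filled with
    spaces; each control byte carries eight flags (LSB first): 1 = literal byte,
    0 = two-byte back-reference (12-bit window offset, 4-bit length + 3).
    """
    if blob[:8] != SZDD_MAGIC:
        raise ValueError("not an SZDD container")
    if blob[8:9] != b"A":
        raise ValueError("only the standard 'A' compression mode is supported")
    (out_len,) = struct.unpack_from("<I", blob, 10)

    window = bytearray(b" " * WINDOW)
    pos = WINDOW - 16                 # initial write position for mode 'A'
    out = bytearray()
    i = HEADER_LEN

    while len(out) < out_len:
        if i >= len(blob):
            raise ValueError("truncated SZDD stream")
        control = blob[i]
        i += 1
        for bit in range(8):
            if len(out) >= out_len:
                break
            if control & (1 << bit):
                if i >= len(blob):
                    raise ValueError("truncated SZDD stream")
                byte = blob[i]
                i += 1
                window[pos] = byte
                out.append(byte)
                pos = (pos + 1) % WINDOW
            else:
                if i + 1 >= len(blob):
                    raise ValueError("truncated SZDD stream")
                lo, hi = blob[i], blob[i + 1]
                i += 2
                src = lo | ((hi & 0xF0) << 4)
                length = (hi & 0x0F) + 3
                for _ in range(length):
                    if len(out) >= out_len:
                        break
                    byte = window[src]        # may re-read bytes written moments ago (overlap)
                    window[pos] = byte
                    out.append(byte)
                    pos = (pos + 1) % WINDOW
                    src = (src + 1) % WINDOW
    return bytes(out)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_driver(blob: bytes, expected_sha256: str) -> Tuple[bool, str]:
    """Decompress a resource and compare its SHA256 with the expected
    decompressed hash. Returns (matches, actual_hex_digest)."""
    digest = sha256_hex(szdd_decompress(blob))
    return digest == expected_sha256.lower(), digest


# Constructed test vector (not a real driver): eight literal bytes "ABCDEFGH",
# then one back-reference to window offset 0xFF0 (where they were written) of
# length 8, so the output is "ABCDEFGHABCDEFGH".
SAMPLE_SZDD = (
    SZDD_MAGIC + b"A" + b"\x00" + struct.pack("<I", 16)
    + b"\xFF" + b"ABCDEFGH"          # control 0xFF: eight literals
    + b"\x00" + b"\xF0" + b"\xF5"    # control 0x00: offset 0xFF0, length 5 + 3
)

if __name__ == "__main__":
    ok, digest = verify_driver(SAMPLE_SZDD, sha256_hex(b"ABCDEFGH" * 2))
    print("match" if ok else "MISMATCH", digest)
```

To use it on a real sample, carve the four resources from the wiper's resource section, pass each blob to `verify_driver` together with the matching decompressed hash from Table 1, and treat a mismatch as either a corrupted carve or a different build of the driver.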

The certificate used to sign these drivers was issued to CHENGDU YIWO Tech Development Co., Ltd. and expired on September 11, 2014, as shown in Figure 3. Expiry alone does not stop the drivers from loading: an Authenticode signature that was countersigned with a trusted timestamp before the certificate expired remains valid, which is what lets an abandoned but legitimately signed driver be repurposed for raw disk access.

Figure 3: Expired certificate used to sign the Hermetic Wiper drivers.

These driver files appear to be part of the EaseUS Partition Master application developed by CHENGDU YIWO Tech Development.

The driver file is written to the Windows drivers directory with a filename that consists of four alphabetic characters, pseudorandomly chosen using the current process ID, followed by a .sys extension.

Once the correct driver is extracted, Hermetic Wiper sets the CrashDumpEnabled value under the registry key HKLM\SYSTEM\CurrentControlSet\Control\CrashControl to 0 to disable crash dumps. This ensures that if the system crashes while the disk is being overwritten, Windows will not write a memory dump that could help investigators reconstruct what happened.

The driver registers itself as a device named EPMNTDRV to expose itself to the userland component of Hermetic Wiper. The malware enumerates physical disks and attempts to overwrite them with random data, destroying the data, and making the system unusable.
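The three host-side behaviours just described (the four-letter driver drop, the CrashDumpEnabled change and the EPMNTDRV device) are each observable in endpoint telemetry and are far more convincing together than alone. The following hunt script is an example written for this write-up, not Zscaler detection content or code from the malware. The event records are constructed, Sysmon-like dictionaries: FileCreate and RegistryValueSet mirror Sysmon event IDs 11 and 13, while the DeviceOpen record type is assumed to come from an EDR that logs device handle creation (Sysmon does not), and the PIDs, paths and the name pqdr.sys are made up.

```python
"""Hunt for the three Hermetic Wiper host behaviours described above in
endpoint telemetry: a four-letter .sys dropped into the drivers directory,
CrashDumpEnabled set to 0 under CrashControl, and a handle opened to the
EPMNTDRV device object, then correlate them per process.

Added example written for this write-up; it is not Zscaler detection content
and not code from the malware. The event records are constructed, Sysmon-like
dictionaries (FileCreate and RegistryValueSet mirror Sysmon event IDs 11 and
13; the DeviceOpen record type is assumed to come from an EDR that logs
device handle creation, which Sysmon itself does not).
"""
import re
from collections import defaultdict
from typing import Dict, Optional, Set

DRIVER_DROP_RE = re.compile(r"\\system32\\drivers\\[a-z]{4}\.sys$", re.IGNORECASE)
CRASH_DUMP_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled"
EPMNTDRV_DEVICE = r"\\.\EPMNTDRV"
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")   # Sysmon's 'Details' rendering


def classify(event: dict) -> Optional[str]:
    """Map one telemetry record to an indicator name, or None if it is benign."""
    kind = event.get("type")
    target = event.get("target", "")
    if kind == "FileCreate" and DRIVER_DROP_RE.search(target):
        return "driver_drop"
    if kind == "RegistryValueSet" and target.lower() == CRASH_DUMP_VALUE.lower():
        m = DWORD_RE.search(event.get("details", ""))
        if m and int(m.group(1), 16) == 0:
            return "crashdump_disabled"
    if kind == "DeviceOpen" and target.upper() == EPMNTDRV_DEVICE.upper():
        return "epmntdrv_open"
    return None


def hunt(events) -> Dict[int, Set[str]]:
    """Group indicators by process ID; processes with no indicator are omitted."""
    hits: Dict[int, Set[str]] = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            hits[ev["pid"]].add(label)
    return dict(hits)


def high_confidence(events) -> Dict[int, Set[str]]:
    """Processes showing at least two of the three behaviours. A single
    indicator can be noise (CrashDumpEnabled is a legitimate administrative
    setting), but the combination is what the wiper does in sequence."""
    return {pid: labels for pid, labels in hunt(events).items() if len(labels) >= 2}


# Constructed sample telemetry; PIDs, image paths and 'pqdr.sys' are made up.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\svchost.exe", "type": "FileCreate",
     "target": r"C:\Windows\System32\drivers\netio_helper.sys"},            # does not fit the 4-letter pattern
    {"pid": 5832, "image": r"C:\Users\user\Downloads\update.exe", "type": "RegistryValueSet",
     "target": CRASH_DUMP_VALUE, "details": "DWORD (0x00000000)"},
    {"pid": 5832, "image": r"C:\Users\user\Downloads\update.exe", "type": "FileCreate",
     "target": r"C:\Windows\System32\drivers\pqdr.sys"},
    {"pid": 5832, "image": r"C:\Users\user\Downloads\update.exe", "type": "DeviceOpen",
     "target": r"\\.\EPMNTDRV"},
    {"pid": 900, "image": r"C:\Windows\System32\svchost.exe", "type": "RegistryValueSet",
     "target": CRASH_DUMP_VALUE, "details": "DWORD (0x00000007)"},          # admin enabling full dumps
]

if __name__ == "__main__":
    for pid, labels in high_confidence(SAMPLE_EVENTS).items():
        print(pid, sorted(labels))
```

The per-process correlation is the point: a lone CrashDumpEnabled change is routine administration and a lone .sys write comes from every driver installer, but one unsigned user-mode binary doing both and then opening EPMNTDRV is the wiper's sequence.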

  2. Targeted Attacks

Timeframe - Nov 2020 onwards

During our analysis, we found a C2 infrastructure overlap between the two targeted attack chains shown below in Figures 4 and 5.

Figure 4: Targeted attack chain #1

Figure 5: Targeted attack chain #2

Technical analysis

Attack chain #1

Attack chain #1 starts with an email carrying a malicious RAR archive attachment. The victim downloads and extracts the RAR archive, which contains a malicious document themed around the ongoing geo-political conflict between Russia and Ukraine.

[+] Stage 1: Document

When opened, the document simply fetches a macro-based template from the remote location specified in its relationships. Figure 6 below shows the template reference present inside one of the documents.

Figure 6: Relationship referring to the macro-based remote template

[+] Stage 2: Macro template (714f8341bd1c4bc1fc38a5407c430a1a)

The macro code inside the template is obfuscated by adding a lot of junk code. This not only inflates the size of macro code but also hinders the code analysis. The main operation it performs is to drop and execute a VBScript.

The VBScript is Base64-encoded inside the VBA macro as shown in Figure 7 below.

Figure 7: Base64-encoded VBScript inside the VBA macro

[+] Stage 3: VBScript

As per OSINT, the stage-3 VBScript dropped by the stage-2 macro is known as GammaLoad. The VBScript code is obfuscated in the same way as the macro code. On execution it performs the following operations:

  1. Collects user and system information for exfiltration.

  2. Obtains the IP address of the configured C2 domain by pinging it through WMI; the Win32_PingStatus class resolves the name as a side effect, so no direct DNS API call is needed.

WMI query format:

SELECT * FROM Win32_PingStatus WHERE Address={configured_c2_domain}

  3. Sends a network request to the IP address obtained in step #2 to download the next-stage payload, and exfiltrates the information collected in step #1 through the User-Agent header.

UserAgent Format:

{hardcoded_useragent_string}::%USERPROFILE%_%SYSTEMDRIVE%.SerialNumber::.{static_string}.

  4. Drops and executes the downloaded payload.

Note: At the time of analysis we did not obtain this next-stage payload, but based on past analysis the threat actor is known to drop a remote desktop application such as UltraVNC.
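Steps #2 and #3 leave two tells in web proxy logs: the User-Agent carries the three-part "::" layout with the victim's profile path and volume serial, and the request goes to a bare IP address rather than the C2 hostname. The parser below is an added example for this write-up, not Zscaler's or the threat actor's code. The log lines are constructed, tab-separated records (timestamp, client, method, url, status, user-agent), the profile path and the marker "wkxt" are invented, and the destination IP is from the RFC 5737 documentation range rather than a real IOC.

```python
"""Pick GammaLoad-style beacons out of web proxy logs.

Added example for this write-up, not Zscaler's or the threat actor's code.
It looks for the User-Agent layout described above
({hardcoded_useragent_string}::%USERPROFILE%_%SYSTEMDRIVE%.SerialNumber::.{static_string}.)
and for the second tell from steps #2/#3: the download goes to a bare IP
address rather than the C2 hostname. The log lines are constructed,
tab-separated records (timestamp, client, method, url, status, user-agent);
the destination IP is from the RFC 5737 documentation range, not a real IOC.
"""
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit


def parse_gammaload_ua(user_agent: str) -> Optional[dict]:
    """Split the exfiltration user-agent into its fields, or return None if the
    string does not follow the three-part '::' layout."""
    parts = user_agent.split("::")
    if len(parts) != 3:
        return None
    base_ua, host_info, marker = parts
    # Marker is '.{static_string}.': a dot on both sides with something between.
    if len(marker) < 3 or not (marker.startswith(".") and marker.endswith(".")):
        return None
    # %USERPROFILE% may itself contain '_' while the volume serial is plain hex,
    # so split on the last underscore.
    profile, sep, serial = host_info.rpartition("_")
    if not sep or not profile or not serial:
        return None
    return {
        "base_user_agent": base_ua,
        "user_profile": profile,
        "volume_serial": serial,
        "marker": marker[1:-1],
    }


def host_is_bare_ip(url: str) -> bool:
    """True when the URL addresses an IP literal instead of a hostname."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def scan_proxy_log(lines) -> List[dict]:
    """Return one finding per record whose user-agent carries exfiltrated host data."""
    findings = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 6:
            continue                      # malformed record; skip it
        ts, client, method, url, status, ua = fields
        exfil = parse_gammaload_ua(ua)
        if exfil is None:
            continue
        findings.append({
            "timestamp": ts,
            "client": client,
            "url": url,
            "dst_is_bare_ip": host_is_bare_ip(url),
            **exfil,
        })
    return findings


# Constructed sample records: one ordinary request, one download from a bare IP
# with a normal user-agent, and one GammaLoad-style beacon.
SAMPLE_LOG = [
    "\t".join(["2022-02-08T09:12:44Z", "10.0.0.15", "GET", "http://www.example.com/", "200",
               "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"]),
    "\t".join(["2022-02-08T09:12:58Z", "10.0.0.15", "GET", "http://198.51.100.9/update.cab", "200",
               "Microsoft BITS/7.8"]),
    "\t".join(["2022-02-08T09:13:01Z", "10.0.0.15", "GET", "http://198.51.100.27/absolute.ace", "404",
               r"Mozilla/5.0 (Windows NT 6.1; WOW64)::C:\Users\olena_A1B2C3D4::.wkxt."]),
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["client"], "->", hit["url"], hit["user_profile"], hit["volume_serial"])
```

Because the profile path and serial number are unique per victim, the parsed fields double as a way to tie multiple beacons from a NATed network back to the same host.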

Attack Chain #2

We identified another attack-chain used by the same threat actor which, to the best of our knowledge, is not documented anywhere in the public domain. Based on our research, this campaign has been active since as early as November 2020 and only 7 unique samples related to it have been identified to date. The most recent instance was observed on 11th Feb 2022 and, based on the filename, we believe that it was distributed to the targeted victim(s) on 8th Feb 2022.

This low-volume campaign involves RAR archive files distributed through spear phishing emails. These RAR archive files contain a malicious Windows shortcut file (LNK) which downloads the MSI payload from the attacker-controlled server and executes it on the endpoint using MSIEXEC.

This results in the packaged NSIS binary being dropped on the system, which starts the infection chain.

The components of the NSIS binary are unpacked into the directory %temp%\<random_name>.tmp\ during the course of its execution.

All the extracted components are shown below.

Figure 8: components of the NSIS binary

It loads the DLL from the above directory.

MD5 hash of the DLL: 74ce360565fa23d9730fe0c5227c22e0

Filename of the DLL: ypagjgfyy.dll

The NSIS script which controls the execution of the NSIS installer can be used to analyze the activity. The relevant code sections from the script are included in the Appendix section.

The steps below summarize the activity:

  1. Call the export function "oqiuqqaxaicm" in the DLL ypagjgfyy.dll with two parameters: the first is an encrypted string and the second is the decryption key.

  2. The decrypted string is a URL: hxxp://kfctm[.]online/0102adqeczoL2.txt

  3. Call the download_quiet function in nsisdl (the downloader plugin of the NSIS installer) to fetch the contents of the URL decrypted in step #2.

  4. The response is saved to the file $PLUGINSDIR\readme.txt.

  5. Call the export function "cfyhayyyu" in ypagjgfyy.dll with three parameters: the first is the file created in step #4 and the other two are used to decrypt the contents of readme.txt.

  6. At this point, execution can take one of two paths depending on whether readme.txt was successfully created in step #4. If it was, the decrypted contents of readme.txt are used as the decryption key for other important strings and the malicious activity continues.

At the time of our analysis the URL from step #2 did not respond, so readme.txt was not created. As a result, execution continued by calling the export function "euuxijbaha" in ypagjgfyy.dll to decrypt the DAT file gofygsg.dat packaged inside the NSIS installer. The decrypted content is a DOCX file, which is displayed to the victim in MS Word as a decoy. This server-side keying is worth noting for anyone reproducing the analysis: without the live C2 response, the real next stage cannot be recovered from the sample alone, and a sandbox run will only ever show the decoy document.

Infrastructure overlap and re-use

During our analysis of the targeted attacks, we found that one of the C2 domains, “download.logins[.]online”, which was used to host the MSI payload in attack-chain #2, was previously attributed to the Gamaredon APT threat actor by Anomali Labs. At that time, it was used to host a macro-based template document, which overlaps with attack-chain #1 as described in this blog.

Zscaler coverage

We have ensured coverage for the payloads seen in these attacks via advanced threat signatures as well as advanced cloud sandbox.

Advanced Threat Protection

Win32.Trojan.KillDisk

Win32.Trojan.HermeticWiper

Advanced Cloud Sandbox

Win32.Trojan.HermeticWiper

Advanced Cloud Sandbox Report

Figure 9 below shows the sandbox detection report for Wiper malware.

Figure 9: Zscaler Cloud Sandbox Report - Hermetic Wiper

Figure 10 below shows the document template (from attack chain #1) detection in the Zscaler sandbox.

Figure 10: Zscaler Cloud Sandbox Report - Targeted Attack document template

Indicators of compromise

Attack Chain 1

[+] Hashes

MD5                                 Description
9fe8203b06c899d15cb20d2497103dbb    RAR archive
178b0739ac2668910277cbf13f6386e8    Document
fd4de6bb19fac13487ea72d938999fbd    Document
714f8341bd1c4bc1fc38a5407c430a1a    Template
8293816be7f538ec6b37c641e9f9287f    Template

[+] C2 Domains

coagula[.]online

deer.dentist.coagula[.]online

declaration.deed.coagula[.]online

surname192.temp.swtest[.]ru

[+] Download URLs

Component            URL
Template             http://surname192.temp.swtest[.]ru/prapor/su/ino.gif
Template             http://surname192.temp.swtest[.]ru/prapor/su/derg.gif
Template             http://surname192.temp.swtest[.]ru/prapor/su/flagua.gif
Template             http://surname192.temp.swtest[.]ru/prapor/su/flages.gif
Secondary payload    94.158.244[.]27/absolute.ace
Secondary payload    94.158.244[.]27/distant.cdr

[+] Associated IPs

94.158.244[.]27

Attack Chain 2

[+] Hashes

MD5                                 Description
7c1626fcaf47cdfe8aaed008d4421d8c    RAR archive
6d40826dc7a9c1f5fc15e9823f30966b    RAR archive
c2ef9f814fc99670572ee76ba06d24da    RAR archive
3751b3326f3963794d3835dbf65ac048    RAR archive
3cfc9972ad7cbd13cac51aade3f2b501    RAR archive
ba1f2bfe95b219354ddad04b79579346    RAR archive
56be65fe4d9709c10cae511d53d92d1a    RAR archive
5f568c80ab68a4132506f29ede076679    LNK
2b7b4ad2947516e633f5008ace02690d    LNK
bdcb83cc6f54d571a2c102fbbd8083c7    LNK
b25865010562a3863ef892311644b3bb    LNK
bc740d642893e0fe23c75264ca7c2bca    LNK
d5628fe5de110e321110bbc76061702b    LNK
53ee0babcf03b17e02e4317b6a410b93    LNK
c3564bde7b49322f2bacdc495146cfbc    MSI
6fa9d3407b70e3928be3ee0a85ddb01c    MSI
e6a9e19e1b019f95bfc5a4e161794a7f    MSI
2cc96a41092e7adf726365bbc5726150    MSI
9f566a164a5c6ae046c24d0e911dc577    MSI

[+] C2 domains

kfctm[.]online

my.cloud-file[.]online

my.mondeychamp[.]xyz

files-download.infousa[.]xyz

download.logins[.]online

[+] Download URLs

Component    URL
MSI          http://kfctm[.]online/0802adqeczoL7.msi
MSI          http://my.cloud-file[.]online/Microsoft_VieweR_2012.msi
MSI          http://my.mondeychamp[.]xyz/uUi1rV.msi
MSI          http://my.mondeychamp[.]xyz/ReadMe.msi
MSI          http://files-download.infousa[.]xyz/Windows_photo_viewers.msi
MSI          http://files-download.infousa[.]xyz/Windows_photo_viewer.msi
MSI          http://download.logins[.]online/exe/LinK13112020.msi

Appendix I

NSI script

Article Link: Hermetic Wiper & resurgence of targeted attacks on Ukraine | Zscaler