IBM Security X-Force Research Advisory: New Destructive Malware Used In Cyber Attacks on Ukraine

This post was written with contributions from IBM Security X-Force’s Anne Jobmann, Claire Zaboeva and Richard Emerson.

On February 23, 2022, open-source intelligence sources began reporting detections of a wiper malware (a destructive family of malware designed to permanently destroy data on the target) executing on systems belonging to Ukrainian organizations. IBM Security X-Force obtained a sample of the wiper, named HermeticWiper. It uses a benign partition manager driver (a copy of epmntdrv.sys) to perform its wiping, corrupting the Master Boot Record (MBR), partitions, and file systems (FAT or NTFS) of all available physical drives.

This is not the first wiper malware targeting Ukrainian organizations X-Force has analyzed. In January 2022, X-Force analyzed the WhisperGate malware and did not identify any code overlaps between WhisperGate and HermeticWiper.

This blog post will detail IBM Security X-Force’s insights into the HermeticWiper malware, technical analysis of the sample, and indicators of compromise (IoC) to help organizations protect themselves from this malware.

Why This Is Important

In January 2022, X-Force analyzed the WhisperGate malware. HermeticWiper is the second newly seen destructive malware family observed in the past two months targeting organizations in Ukraine, and reportedly other countries in Eastern Europe. No code overlaps were identified between WhisperGate and HermeticWiper.

The pace at which these new, destructive malware families are being deployed and discovered is unprecedented, and further highlights the need for organizations to have an active and informed defense strategy that expands beyond signature-based defenses.

As the conflict in the region continues to evolve and given the destructive capabilities of both WhisperGate and HermeticWiper, IBM Security X-Force recommends critical infrastructure organizations within the targeted region fortify defenses. Those organizations should focus on preparation for potential attacks that can destroy or encrypt data or otherwise significantly impact operations.

Analysis Details

This section contains the results of the analysis performed for the submitted samples. Typical analysis includes both behavioral and static analysis.

Behavioral analysis describes the malware behavior observed on a system during execution. Behavioral analysis typically includes actions performed on the system such as files dropped, persistence, details surrounding process execution and any C2 communications. It should be noted that behavioral analysis may not capture all notable malware behavior as certain functions may only be performed by the malware under specific conditions.

Static analysis is a deeper dive into the technical analysis of the malware. Static analysis typically includes further details about the functionality, obfuscation or packing in the sample, encryption used by the malware, configuration information or other notable technical detail.

Behavioral Analysis

Upon execution, HermeticWiper immediately adjusts its process token privileges and enables SeBackupPrivilege. This gives the malware read access to any file, regardless of what is specified in the file’s access control list (ACL).

It then checks the system’s OS version to determine which copy of a benign partition management driver (EaseUS Partition Manager: epmntdrv.sys) it will use. The driver is Microsoft-compressed (SZDD compression) and embedded in the binary’s RCDATA resources.

For Windows XP:

  • x86 – it uses DRV_XP_X86
  • x64 – it uses DRV_XPX64

For Windows 7 and up:

  • x86 – it uses DRV_X86
  • x64 – it uses DRV_X64

After selecting the version it will use, HermeticWiper drops the SZDD-compressed benign partition management driver to the following path:

%WINDIR%\system32\driver\<random_2chars>dr
Example: C:\Windows\system32\Drivers\vfdr

It then decompresses the file and appends “.sys” as the file extension.

Example: C:\Windows\system32\Drivers\vfdr.sys
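The dropped driver is stored in the SZDD format produced by Microsoft’s compress.exe, so an analyst extracting it from the resource section needs an expander before the driver can be inspected. The decoder below is an added example, not code from this advisory or from X-Force; it is exercised on a constructed stream, and for a real sample you would pass it the raw bytes of the RCDATA resource instead.

```python
import struct

SZDD_MAGIC = b"SZDD\x88\xf0\x27\x33"  # 8-byte signature of Microsoft "compress.exe" output


def szdd_decompress(data: bytes) -> bytes:
    """Expand an SZDD (LZSS) stream such as the driver embedded in HermeticWiper's resources."""
    if data[:8] != SZDD_MAGIC or data[8:9] != b"A":
        raise ValueError("not an SZDD-compressed file")
    # byte 9 is the last character of the original file name ('s' for .sys);
    # bytes 10-13 hold the little-endian uncompressed size.
    (expected_len,) = struct.unpack_from("<I", data, 10)
    window = bytearray(b" " * 4096)  # 4 KiB sliding window, pre-filled with spaces
    pos = 4096 - 16                  # initial write position mandated by the format
    out = bytearray()
    i = 14
    while i < len(data) and len(out) < expected_len:
        control = data[i]
        i += 1
        for bit in range(8):         # flag bits are consumed least-significant bit first
            if len(out) >= expected_len or i >= len(data):
                break
            if control & (1 << bit):  # 1 = literal byte
                c = data[i]
                i += 1
                window[pos] = c
                out.append(c)
                pos = (pos + 1) & 0xFFF
            else:                     # 0 = back-reference: 12-bit offset, 4-bit length (+3)
                if i + 1 >= len(data):
                    break
                b1, b2 = data[i], data[i + 1]
                i += 2
                src = b1 | ((b2 & 0xF0) << 4)
                for _ in range((b2 & 0x0F) + 3):
                    if len(out) >= expected_len:
                        break
                    c = window[src]
                    src = (src + 1) & 0xFFF
                    window[pos] = c
                    out.append(c)
                    pos = (pos + 1) & 0xFFF
    return bytes(out)


def szdd_header(uncompressed_len: int, last_char: bytes = b"s") -> bytes:
    """Build the 14-byte SZDD header (used here only to construct test streams)."""
    return SZDD_MAGIC + b"A" + last_char + struct.pack("<I", uncompressed_len)


# Constructed stream: literals 'A', 'B', 'C', then one back-reference that copies them again.
SAMPLE_STREAM = szdd_header(6) + b"\x07ABC\xf0\xf0"
```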

It then adjusts its process token privileges again to enable SeLoadDriverPrivilege. This privilege allows the HermeticWiper process to load and unload device drivers.

Next, it disables crash dumps by modifying the following registry key:

HKLM\SYSTEM\CurrentControlSet\Control\CrashControl
CrashDumpEnabled = 0

Note that crash dumps are memory dumps that contain information about why the system stopped unexpectedly. With this option disabled, the system will not create any dumps, which helps the malware cover its tracks.

It also disables the Volume Shadow Copy Service (VSS) if it is enabled, and disables ShowCompColor and ShowInfoTip under every HKEY_USERS hive:

HKEY_USERS\<ID>\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowCompColor = 0
ShowInfoTip = 0

The ShowCompColor option displays compressed and encrypted NTFS files in color, while ShowInfoTip shows pop-up descriptions for folder and desktop items.

HermeticWiper then proceeds to add and load the created driver as a service using Windows APIs such as OpenSCManagerW(), OpenServiceW(), CreateServiceW() and StartServiceW().

This creates a service entry in the registry:

HKLM\SYSTEM\CurrentControlSet\services\<random_2chars>dr

Once the benign driver service is started and loaded into the system, HermeticWiper covers its tracks once again by deleting the dropped driver from %WINDIR%\system32\drivers and removing the created service from the registry.

HermeticWiper enumerates up to 100 physical drives by looping over indices 0-100. It uses the benign partition manager driver, now loaded in the system, to corrupt the Master Boot Record (MBR) of every physical drive present in the system.

It does not stop there: it also corrupts every available partition, supporting both the FAT and NTFS file systems. For NTFS, it additionally corrupts the Master File Table (MFT), which holds the metadata for every file, to ensure that the data is unrecoverable.

Once all disks are corrupted, the system should crash; as a fail-safe, HermeticWiper also creates a sleeping thread that triggers a system shutdown to force a restart of the target system.

Static Analysis

Analysis of the wiper sample revealed it was signed with a digital certificate issued to an organization named ‘Hermetica Digital Ltd’ and created April 15, 2021. A digital certificate is a file or cryptographic signature that proves the authenticity of an item such as a file, server, or user.

HermeticWiper contains the following digital certificate:

Indicators of Compromise (IOCs)

HermeticWiper

FILE SYSTEM:
%WINDIR%\system32\driver\<random_2chars>dr

REGISTRY:

HKLM\SYSTEM\CurrentControlSet\Control\CrashControl
CrashDumpEnabled = 0
HKEY_USERS\<ID>\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowCompColor = 0
ShowInfoTip = 0
HKLM\SYSTEM\CurrentControlSet\services\<random_2chars>dr

SERVICE:

service name: <random_2chars>dr

Hermetic Malware Samples

Response

At this time, X-Force recommends organizations implement detections for the file system, registry, and Windows service indicators listed in this report. Additionally, global businesses should seek to establish sound insight into their respective networks, supply chains, third parties, and partnerships that are based in, or serve in-region institutions. It is also advised that organizations open lines of communications between relevant information-sharing entities to ensure the receipt and exchange of actionable indicators.
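One way to act on this recommendation is to correlate the file system, registry and service indicators per process rather than alerting on each in isolation, since an administrator disabling crash dumps is not suspicious by itself. The Python below is an added example, not X-Force’s code: it runs over constructed Sysmon-style event records (the field names and the HKU path form are assumptions) and flags a process only when at least two distinct indicator types from this advisory are observed from it.

```python
import re
from collections import defaultdict

# Patterns derived from the indicators in this advisory: a two-character name plus "dr"
# for the dropped driver and its service, CrashDumpEnabled=0, and the Explorer tweaks.
DRIVER_FILE_RE = re.compile(r"\\system32\\drivers\\[a-z]{2}dr(\.sys)?$", re.IGNORECASE)
SERVICE_KEY_RE = re.compile(r"\\CurrentControlSet\\services\\[a-z]{2}dr$", re.IGNORECASE)
CRASHDUMP_RE = re.compile(r"\\Control\\CrashControl\\CrashDumpEnabled$", re.IGNORECASE)
EXPLORER_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\"
    r"(ShowCompColor|ShowInfoTip)$", re.IGNORECASE)


def classify(event):
    """Return the advisory indicator an event matches, or None."""
    kind, target = event["type"], event["target"]
    if kind == "FileCreate" and DRIVER_FILE_RE.search(target):
        return "driver_dropped"
    if kind == "RegistryCreate" and SERVICE_KEY_RE.search(target):
        return "service_created"
    if kind == "RegistrySetValue" and event.get("value") == "0":
        if CRASHDUMP_RE.search(target):
            return "crashdump_disabled"
        if EXPLORER_RE.search(target):
            return "explorer_tweaked"
    return None


def hunt(events, min_indicators=2):
    """Group matched indicators by process id; report processes with enough distinct hits."""
    hits = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            hits[ev["pid"]].add(tag)
    return {pid: sorted(tags) for pid, tags in hits.items() if len(tags) >= min_indicators}


# Constructed events (assumed field layout, not real telemetry). Pid 4120 mimics the
# sequence described above; the other two are benign noise that must not be flagged.
SAMPLE_EVENTS = [
    {"pid": 4120, "type": "FileCreate", "target": r"C:\Windows\system32\drivers\vfdr"},
    {"pid": 4120, "type": "FileCreate", "target": r"C:\Windows\system32\drivers\vfdr.sys"},
    {"pid": 4120, "type": "RegistrySetValue", "value": "0",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled"},
    {"pid": 4120, "type": "RegistrySetValue", "value": "0",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor"},
    {"pid": 4120, "type": "RegistryCreate", "target": r"HKLM\SYSTEM\CurrentControlSet\services\vfdr"},
    {"pid": 980, "type": "FileCreate", "target": r"C:\Windows\system32\drivers\nvlddmkm.sys"},
    {"pid": 2212, "type": "RegistrySetValue", "value": "0",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled"},
]
```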

If you have questions and want a deeper discussion about the malware and prevention techniques, you can schedule a briefing here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help.

US hotline 1-888-241-9812

Global hotline (+001) 312-212-8034

The post IBM Security X-Force Research Advisory: New Destructive Malware Used In Cyber Attacks on Ukraine appeared first on Security Intelligence.