Analysis of the new HermeticWiper malware
SentinelOne security researchers have started analyzing the new wiper malware, which is associated with cyber attacks on Ukraine.
Symantec and ESET Research announced the hashes, which, based on the digital certificate, are called “HermeticWiper”. So far, no legitimate files signed with this certificate are known, and it is possible that the attackers used a shell company or a defunct company to obtain this digital certificate.
This investigation is a first attempt to analyze the first available sample of HermeticWiper. The researchers are aware that the situation on the ground in Ukraine is developing rapidly and they hope that they will be able to contribute a small part to the collective analysis efforts.
On February 23, the threat intelligence community began to observe a new wiper malware pattern circulating in Ukrainian organizations. The analysis shows that a signed driver is used to deploy a wiper that targets Windows devices: it deletes shadow copies and manipulates the MBR, leaving the machine unable to boot after a reboot. The blog associated with the analysis contains the technical details of the wiper, as well as IOCs that organizations can use to protect themselves from this attack. This newly discovered malware is being actively used by threat actors against Ukrainian organizations, and the blog will be updated as more information becomes available. It is important to mention that SentinelOne’s customers are protected from this threat and there is no need for them to act.
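The MBR manipulation described above leaves a disk whose first sector no longer looks like a valid boot record. As an added forensic illustration (this is not SentinelOne's code and not derived from the HermeticWiper sample itself), the following Python script parses a 512-byte MBR, validates the boot signature and partition table, and reports why a sector looks tampered with. The healthy sample and the two damaged samples are constructed inline; the function and field names are the author's own choices for this example.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"           # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446           # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition table entry (little-endian)."""
    status, _chs_start, ptype, _chs_end, lba_start, num_sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "status": status,              # 0x00 inactive, 0x80 bootable; anything else is invalid
        "type": ptype,                 # 0x00 means the slot is unused
        "lba_start": lba_start,
        "num_sectors": num_sectors,
    }


def check_mbr(sector: bytes) -> dict:
    """Return structural findings that indicate a wiped or overwritten MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")

    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")

    boot_code = sector[:PARTITION_TABLE_OFFSET]
    if boot_code == b"\x00" * PARTITION_TABLE_OFFSET:
        findings.append("boot code region is all zeros")

    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = parse_partition_entry(sector[start:start + PARTITION_ENTRY_SIZE])
        entries.append(entry)
        if entry["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{entry['status']:02X}")
        if entry["type"] != 0 and entry["num_sectors"] == 0:
            findings.append(f"entry {i}: non-empty type with zero length")

    if all(e["type"] == 0 for e in entries):
        findings.append("partition table has no entries")

    return {"suspicious": bool(findings), "findings": findings, "partitions": entries}


def read_first_sector(path: str) -> bytes:
    """Read the MBR from a raw disk image or block device (e.g. an acquired image)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_healthy_mbr() -> bytes:
    """Constructed sample: short boot stub, one bootable NTFS-type partition, valid signature."""
    boot_code = b"\xEB\x63\x90" + b"\xCC" * (PARTITION_TABLE_OFFSET - 3)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x20\x21", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    empty_entries = b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return boot_code + entry + empty_entries + BOOT_SIGNATURE


def build_zeroed_mbr() -> bytes:
    """Constructed sample: the whole sector overwritten with zeros."""
    return bytes(SECTOR_SIZE)


def build_junk_mbr() -> bytes:
    """Constructed sample: the sector overwritten with a non-zero byte pattern."""
    return bytes(range(256)) * 2


if __name__ == "__main__":
    for name, sample in [("healthy", build_healthy_mbr()),
                         ("zeroed", build_zeroed_mbr()),
                         ("junk", build_junk_mbr())]:
        result = check_mbr(sample)
        print(f"{name}: suspicious={result['suspicious']} findings={result['findings']}")
```

The check is deliberately structural rather than signature-based: it does not know what HermeticWiper writes, only what a bootable MBR must contain, so it is equally useful when triaging an image from a machine that failed to boot after a suspected wiper incident. Pair it with a comparison against a known-good MBR backup when one exists.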
After a week of increasing DDoS attacks, the widespread use of wiper malware for sabotage represents a regrettable but expected escalation. At the moment, there is only limited visibility into the extent of the attacks on Ukraine and a possible spread to neighboring countries and allies. In this critical situation, open cooperation between threat research teams, independent researchers and journalists is of great importance.