HermeticWiper malware

Introduction to the HermeticWiper malware

Attached is a security advisory regarding new findings on the HermeticWiper malware, which is currently being used in an increasing number of attacks against Ukrainian companies and institutions.

This is malicious code that was previously unknown in this form and may not yet be detected by all common antivirus solutions. Since the targets of these attacks cannot be reliably determined and the situation can change dramatically within a very short time, we strongly recommend protecting yourself against attacks involving this malware.

General Information

  • Known names of the malware: HermeticWiper, DriveSlayer, Kill-Disk.NCV, NEARMISS
  • The malware is signed with a valid certificate:
    • Certificate Serial Number: 0C 48 73 28 73 AC 8C CE BA F8 F0 E1 E8 32 9C EC
    • SHA256: 1ae7556dfacd47d9efbe79be974661a5a6d6d923
  • The malware is around 114 KB in size
  • To gain elevated privileges, the malware uses a known Windows driver, written to C:\Windows\System32\epmntdrv.sys
  • The original epmntdrv.sys file belongs to EaseUS Partition Master software from EaseUS
  • The registry value CrashDumpEnabled under the subkey SYSTEM\CurrentControlSet\Control\CrashControl is set to 0
    • Consequence: Crash dumps are deactivated
    • Indication that the malware is already running
  • A sudden increase in RAM utilization is possible, for example due to the svchost.exe process

Recommended action

Preventive measures are particularly important because

  1. the malware only needs a short window of time to cause significant damage to a system, and
  2. the malware is not yet detected by all security systems (e.g. EPP, IDS/IPS).

Updates: Installing the available security updates for operating systems and software is generally recommended in order to keep the attack surface for an initial compromise, which could then be used to spread the malware, as small as possible.

We recommend supplying the antivirus solutions in use, endpoint protection systems and other signature-based protection systems with the attached IoCs and detection rules.

Hash values of the malware

The following hash values of the malware are known:

HermeticWiper    SHA1
Win32 EXE        912342f1c840a42f6b74132f8a7c4ffe7d40fb77
Win32 EXE        61b25d11392172e587d8da3045812a66c3385451

The hash values of the deployed drivers (MS-compressed) are listed below. Since the EaseUS drivers are legitimate, they may generate false positives; they can nevertheless provide an indication of a possible compromise.

ms-compressed        SHA1
RCDATA_DRV_X64       a952e288a1ead66490b3275a807f52e5
RCDATA_DRV_X86       231b3385ac17e41c5bb1b1fcb59599c4
RCDATA_DRV_XP_X64    095a1678021b034903c85dd5acb447ad
RCDATA_DRV_XP_X86    eb845b7a16ed82bd248e395d9852f467
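The hash and driver-name indicators above, turned into a small host-scanning helper. This is an added example and not part of the advisory: it walks a directory tree, computes MD5, SHA1 and SHA256 of every file and reports any digest that appears in the advisory's lists (comparing all three digests means the check works whichever algorithm produced a list entry; the 40-digit values are SHA1-length, the 32-digit values MD5-length), and additionally flags any file named epmntdrv.sys, the driver the malware writes to System32. The `build_sample_tree()` function creates constructed placeholder files, not real malware, so the block can be run offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hash values taken from the advisory's two tables, lowercased for comparison.
ADVISORY_HASHES = {
    # HermeticWiper Win32 EXE
    "912342f1c840a42f6b74132f8a7c4ffe7d40fb77",
    "61b25d11392172e587d8da3045812a66c3385451",
    # embedded EaseUS driver resources (legitimate drivers: weak indicator, may false-positive)
    "a952e288a1ead66490b3275a807f52e5",
    "231b3385ac17e41c5bb1b1fcb59599c4",
    "095a1678021b034903c85dd5acb447ad",
    "eb845b7a16ed82bd248e395d9852f467",
}

# Driver file name named in the advisory (and in the YARA rule's EPMNTDRV string).
DRIVER_NAME = "epmntdrv.sys"


def file_digests(path):
    """Return lowercase hex MD5, SHA1 and SHA256 of a file, reading it in 1 MiB chunks."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_tree(root, iocs=ADVISORY_HASHES):
    """Walk root and return (path, reason) pairs for files matching an IoC hash
    or carrying the driver file name. Unreadable files are skipped, not fatal."""
    hits = []
    iocs = {h.lower() for h in iocs}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if not path.is_file():
                continue
            if name.lower() == DRIVER_NAME:
                hits.append((str(path), "driver name " + DRIVER_NAME))
            try:
                digests = file_digests(path)
            except OSError:
                continue
            for algo, hexdigest in digests.items():
                if hexdigest in iocs:
                    hits.append((str(path), algo + " matches advisory IoC"))
    return hits


def build_sample_tree():
    """Constructed sample data (not real malware): a temp dir with a benign file,
    a placeholder named like the driver, and a marker file whose SHA1 we return as
    an extra IoC so the hash path can be exercised offline."""
    root = Path(tempfile.mkdtemp(prefix="ioc_demo_"))
    (root / "notes.txt").write_bytes(b"nothing to see here")
    (root / "sub").mkdir()
    (root / "sub" / DRIVER_NAME).write_bytes(b"constructed placeholder, not the real driver")
    marker_content = b"constructed marker content"
    (root / "sub" / "sample.bin").write_bytes(marker_content)
    return root, {hashlib.sha1(marker_content).hexdigest()}


def demo():
    """Scan the constructed tree with the advisory hashes plus the marker hash."""
    root, extra = build_sample_tree()
    return scan_tree(root, ADVISORY_HASHES | extra)


if __name__ == "__main__":
    for path, reason in demo():
        print(reason, "->", path)
```

On a real host, call `scan_tree()` on the directories of interest (System32 for the driver, user-writable and temp locations for the dropper); a driver-name hit alone is only a lead, since EaseUS Partition Master installs the same file legitimately, whereas a hash hit on one of the two Win32 EXE values is a strong indicator.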


YARA rule

Yara rules can only detect, they do not prevent execution. However, detection makes it possible to react quickly.

The following Yara rule can be used to search your own systems for an already deployed NEARMISS (HermeticWiper) binary:

    rule MAL_HERMETIC_WIPER {
        meta:
            desc = "HermeticWiper - broad hunting rule"
            author = "Friends @ SentinelLabs"
            version = "1.0"
            last_modified = "02.23.2022"
            hash = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
        strings:
            $string1 = "DRV_XP_X64" wide ascii nocase
            $string2 = "EPMNTDRV\\%u" wide ascii nocase
            $string3 = "PhysicalDrive%u" wide ascii nocase
            $cert1 = "Hermetica Digital Ltd" wide ascii nocase
        condition:
            uint16(0) == 0x5A4D and
            all of them
    }

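To make the rule's semantics explicit, here is an added example (not part of the advisory or of SentinelLabs' rule) that re-implements its matching logic in plain Python for hosts where the yara tool is not installed: `wide ascii nocase` means each string is searched both as plain ASCII and as UTF-16LE (every character followed by a NUL byte), case-insensitively, and `uint16(0) == 0x5A4D` is the little-endian word at offset 0, i.e. the bytes `MZ` of a PE header; `all of them` requires every string to be present. The sample buffers at the bottom are constructed, not real binaries.

```python
# Strings and modifiers copied from the MAL_HERMETIC_WIPER rule above. The YARA
# source "EPMNTDRV\\%u" denotes the literal text EPMNTDRV\%u, so the Python
# literal needs the same backslash escaping.
RULE_STRINGS = {
    "$string1": "DRV_XP_X64",
    "$string2": "EPMNTDRV\\%u",
    "$string3": "PhysicalDrive%u",
    "$cert1": "Hermetica Digital Ltd",
}


def find_wide_ascii_nocase(data, text):
    """Offset of the first occurrence of text in data, in either ASCII or UTF-16LE
    form, compared case-insensitively (YARA 'wide ascii nocase'); -1 if absent.
    bytes.lower() folds ASCII letters only, so the NUL bytes of the wide form
    are left untouched."""
    haystack = data.lower()
    lowered = text.lower()
    for needle in (lowered.encode("ascii"), lowered.encode("utf-16-le")):
        offset = haystack.find(needle)
        if offset != -1:
            return offset
    return -1


def matched_strings(data):
    """Return {rule string name: offset} for every rule string found in data."""
    found = {}
    for name, text in RULE_STRINGS.items():
        offset = find_wide_ascii_nocase(data, text)
        if offset != -1:
            found[name] = offset
    return found


def is_pe(data):
    """YARA's uint16(0) == 0x5A4D: little-endian 16-bit word at offset 0, i.e. b'MZ'."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D


def matches_rule(data):
    """Mirror the rule's condition: PE header and 'all of them'."""
    return is_pe(data) and len(matched_strings(data)) == len(RULE_STRINGS)


def scan_file(path):
    """Apply the rule logic to a file on disk."""
    with open(path, "rb") as fh:
        return matches_rule(fh.read())


# Constructed samples, not real binaries: one buffer carrying every string (one
# of them wide, two in unusual case) and two buffers that must not match.
SAMPLE_HIT = (b"MZ" + b"\x90" * 62
              + b"drv_xp_x64\x00"
              + "EPMNTDRV\\%u".encode("utf-16-le")
              + b"\x00PhysicalDrive%u\x00"
              + b"HERMETICA DIGITAL LTD\x00")
SAMPLE_NOT_PE = SAMPLE_HIT[2:]                       # same strings, no MZ header
SAMPLE_PARTIAL = SAMPLE_HIT.replace(b"HERMETICA DIGITAL LTD", b"some other signer")

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("not_pe", SAMPLE_NOT_PE), ("partial", SAMPLE_PARTIAL)):
        print(label, matches_rule(buf), matched_strings(buf))
```

Where the real tool is available, the rule itself is the better choice (`yara -r rule.yar <directory>` scans recursively); the Python version is useful to understand why a sample does or does not match, since `matched_strings()` reports which of the four strings were found and at what offset.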

Windows Defender

Windows Defender is already able to detect the malware provided its signatures are current. Windows Defender reports the malware under the following names.

  • DoS:Win32/FoxBlade.A!dha

  • TrojanDownloader:Win32/PandoraBlade.A!dha
  • Trojan:Win64/PandoraBlade.B!dha