Attached is a security advisory on new findings about the HermeticWiper malware, which is currently being used increasingly in attacks against Ukrainian companies and institutions.
This is malicious code that was previously unknown in this form and may not yet be recognized by all common virus protection solutions. Since the targets of these attacks cannot be reliably defined and the situation can change dramatically within a very short time, we strongly recommend protecting yourself against attacks with the malware in question.
Preventive measures are particularly important because
Updates: Installing the available security updates for operating systems and software is generally recommended in order to keep the attack surface for an initial compromise, which could then be used to spread the malware, as small as possible.
We recommend supplying the antivirus solutions in use, endpoint protection systems and other protection systems that detect threats on a signature basis with the attached IoCs and detection rules.
The following hash values of the malware are known:
HermeticWiper | SHA1
Win32 EXE     | 912342f1c840a42f6b74132f8a7c4ffe7d40fb77
Win32 EXE     | 61b25d11392172e587d8da3045812a66c3385451
The hash values of the deployed drivers (ms-compressed) are listed below. Since the EaseUS drivers are legitimate software, they might generate false positives; however, a hit can still serve as an indication of a possible compromise.
ms-compressed     | SHA1
RCDATA_DRV_X64    | a952e288a1ead66490b3275a807f52e5
RCDATA_DRV_X86    | 231b3385ac17e41c5bb1b1fcb59599c4
RCDATA_DRV_XP_X64 | 095a1678021b034903c85dd5acb447ad
RCDATA_DRV_XP_X86 | eb845b7a16ed82bd248e395d9852f467
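As an added example (not part of the advisory and not code from any of the vendors named in it), the following Python script turns the two IoC tables above into a file-system sweep. It hashes each candidate file and separates a confirmed HermeticWiper hit from a driver hit, because the EaseUS drivers are legitimate and only indicate a possible compromise. One detail worth noting: the driver table is labelled SHA1, but its values are 32 hex digits, which is the length of an MD5 digest, so the script compares the driver list against both the MD5 and the SHA1 of each file. The file extensions scanned and the directory walk are assumptions for illustration.

```python
import hashlib
from pathlib import Path

# IoC hashes copied from the advisory tables above.
HERMETICWIPER_SHA1 = {
    "912342f1c840a42f6b74132f8a7c4ffe7d40fb77",
    "61b25d11392172e587d8da3045812a66c3385451",
}
# Driver resource hashes from the advisory. The listed values are 32 hex
# digits (MD5 length), so they are compared against both MD5 and SHA1 below.
DRIVER_HASHES = {
    "a952e288a1ead66490b3275a807f52e5": "RCDATA_DRV_X64",
    "231b3385ac17e41c5bb1b1fcb59599c4": "RCDATA_DRV_X86",
    "095a1678021b034903c85dd5acb447ad": "RCDATA_DRV_XP_X64",
    "eb845b7a16ed82bd248e395d9852f467": "RCDATA_DRV_XP_X86",
}


def digests(data: bytes) -> dict:
    """Return lowercase hex MD5, SHA1 and SHA256 of a byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify(data: bytes, wiper_sha1=HERMETICWIPER_SHA1, driver_hashes=DRIVER_HASHES) -> dict:
    """Match a file's digests against the advisory IoCs.

    'match'     - SHA1 equals a known HermeticWiper sample: treat as confirmed.
    'indicator' - digest equals a bundled EaseUS driver: legitimate software,
                  so only an indication of possible compromise (may be a false positive).
    'clean'     - no IoC hit; this says nothing about unknown variants.
    """
    d = digests(data)
    if d["sha1"] in wiper_sha1:
        return {"verdict": "match", "indicator": "HermeticWiper", **d}
    # The driver table's digest type is ambiguous, so accept either length.
    for h in (d["md5"], d["sha1"]):
        if h in driver_hashes:
            return {"verdict": "indicator", "indicator": driver_hashes[h], **d}
    return {"verdict": "clean", "indicator": None, **d}


def scan_tree(root: str, suffixes=(".exe", ".sys", ".dll")) -> list:
    """Walk a directory (assumed file types) and return only the files that produced a hit."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            result = classify(path.read_bytes())
            if result["verdict"] != "clean":
                hits.append((str(path), result["verdict"], result["indicator"]))
    return hits


if __name__ == "__main__":
    import sys
    for entry in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*entry, sep="\t")
```

Run it with a directory as the only argument; it prints one tab-separated line per hit. Because a hash sweep only finds the exact samples listed, treat a clean result as "no known sample present", not as an all-clear.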
Yara rules can only detect, they do not prevent execution. However, detection makes it possible to react quickly.
The following Yara rule can be used to hunt your own systems for malware that has already been deployed:
rule MAL_HERMETIC_WIPER {
    meta:
        desc = "HermeticWiper - broad hunting rule"
        author = "Friends @ SentinelLabs"
        version = "1.0"
        last_modified = "02.23.2022"
        hash = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
    strings:
        $string1 = "DRV_XP_X64" wide ascii nocase
        $string2 = "EPMNTDRV\\%u" wide ascii nocase
        $string3 = "PhysicalDrive%u" wide ascii nocase
        $cert1 = "Hermetica Digital Ltd" wide ascii nocase
    condition:
        uint16(0) == 0x5A4D and
        all of them
}
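To show what the rule above actually tests for, here is an added Python example (not part of the advisory and not SentinelLabs' code) that re-implements its condition: the file must start with an MZ header (uint16(0) == 0x5A4D, little-endian), and each string must appear either as ASCII or as UTF-16LE ("wide"), ignoring case ("nocase"). The sample buffers are constructed for the demonstration and are not real malware; for actual hunting, feed the rule itself to yara rather than this approximation.

```python
import re

# The four strings from the MAL_HERMETIC_WIPER rule, keyed by their YARA identifier.
# "EPMNTDRV\\%u" in YARA and in Python both denote the text EPMNTDRV\%u.
RULE_STRINGS = {
    "$string1": "DRV_XP_X64",
    "$string2": "EPMNTDRV\\%u",
    "$string3": "PhysicalDrive%u",
    "$cert1": "Hermetica Digital Ltd",
}


def find_string(data: bytes, text: str) -> bool:
    """Emulate YARA 'wide ascii nocase': match text as ASCII or UTF-16LE, ignoring case."""
    for encoding in ("ascii", "utf-16-le"):
        pattern = re.escape(text.encode(encoding))
        # re.IGNORECASE on a bytes pattern folds ASCII letters only; the NUL bytes
        # of the UTF-16LE form are matched literally, which is what 'wide' means.
        if re.search(pattern, data, re.IGNORECASE):
            return True
    return False


def evaluate_rule(data: bytes) -> dict:
    """Evaluate the condition: uint16(0) == 0x5A4D (an 'MZ' header) and all strings present."""
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    hits = {name: find_string(data, text) for name, text in RULE_STRINGS.items()}
    return {"mz_header": is_mz, "hits": hits, "match": is_mz and all(hits.values())}


# Constructed test buffers (not real samples): an MZ header followed by the rule's
# strings in mixed encodings and letter case, the same buffer without the header,
# and one that lacks the certificate string.
SAMPLE_HIT = (
    b"MZ" + b"\x00" * 62
    + b"drv_xp_x64\x00"
    + "EPMNTDRV\\%u".encode("utf-16-le") + b"\x00\x00"
    + b"PhysicalDrive%u\x00"
    + "hermetica digital ltd".encode("utf-16-le")
)
SAMPLE_NO_MZ = SAMPLE_HIT[2:]
SAMPLE_PARTIAL = SAMPLE_HIT.replace("hermetica digital ltd".encode("utf-16-le"), b"")

if __name__ == "__main__":
    for name, buf in [("hit", SAMPLE_HIT), ("no_mz", SAMPLE_NO_MZ), ("partial", SAMPLE_PARTIAL)]:
        print(name, evaluate_rule(buf))
```

The per-string `hits` dictionary is the useful part for triage: a buffer that carries the driver resource name and the certificate string but fails the MZ check is worth a second look (for example, a carved memory region) even though the rule as written would not fire on it.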
Windows Defender is already able to detect the malware if it has current signatures. Windows Defender reports the malware used under the following names:
DoS:Win32/FoxBlade.A!dha
TrojanDownloader:Win32/PandoraBlade.A!dha
Trojan:Win64/PandoraBlade.B!dha