• Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Press Release
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Update – Russian Nuclear Institute Hit by Anonymous Collective – Russian-Ukrainian Cyber Warfare
March 2, 2022
Rewterz Threat Alert – Ryuk Ransomware – Active IOCs
March 2, 2022

Rewterz Threat Alert – HermeticWiper and IsaacWiper – Active IOCs – Russian-Ukrainian Cyber Warfare

March 2, 2022

Severity

Medium

Analysis Summary

Trojan.Killdisk is a new disk-wiping malware recently discovered by security researchers. The wiper attacks are targeted towards Ukraine in support of the Russian invasion, and these signatures can also be seen in attacks in Lithuania. Targeted sectors are aviation, defense, IT services, and financial sector. 

HermeticWiper (Trojan.Killdisk) is interestingly digitally signed by a certificate issued to Hermetica Digital Ltd (the origin of the name). 

It contains 32-bit and 64-bit driver files which are compressed by the Lempel-Ziv algorithm stored in their resource section. The driver files are signed by a certificate issued to EaseUS Partition Master. The malware will drop the corresponding file according to the operating system (OS) version of the infected system. Driver file names are generated using the Process ID of the wiper. – Security Researchers

Upon execution, HermeticWiper will damage the MBR (Master Boot Record) of the victim’s system, which will render it inoperable. Organizations compromised using this wiper date back to November of 2021. A Microsoft SQL Server vulnerability was also used to attack organizations in Ukraine and along with the wiper, ransomware was also deployed against affected organizations.

After HermeticWiper, another data-wiper to hit Ukraine is the IsaacWiper which is less sophisticated than HermeticWiper but may be related to it. The wiper enumerates the physical and logical drives and then recursively wipes the files off of each disk. A new version of the data-wiper also contains debug logs. With log messages like:

  • getting drives…
  • start erasing physical drives…
  • –– start erasing logical drive
  • start erasing system physical drive…
  • system physical drive –– FAILED
  • start erasing system logical drive

Impact

  • Data Loss
  • File Encryption
  • Financial Loss

Indicators of Compromise

Filename

  • com[.]exe
  • conhosts[.]exe
  • c9EEAF78C9A12[.]dat
  • cc2[.]exe
  • cl64[.]dll
  • cld[.]dll
  • clean[.]exe
  • XqoYMlBX[.]exe

MD5

  • 84ba0197920fd3e2b7dfa719fee09d2f
  • 3f4a16b29f2f0532b7ce3e7656799125
  • d5d2c4ac6c724cd63b69ca054713e278
  • 6983f7001de10f4d19fc2d794c3eb534

SHA-256

  • 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
  • 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
  • 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382
  • 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71

SHA-1

  • 912342f1c840a42f6b74132f8a7c4ffe7d40fb77
  • 61b25d11392172e587d8da3045812a66c3385451
  • f32d791ec9e6385a91b45942c230f52aff1626df
  • 23873bf2670cf64c2440058130548d4e4da412dd

Remediation

  • Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner.
  • 2FA – Enable two-factor authentication.
  • Patch – Patch and upgrade any platforms and software timely. Prioritize patching known exploited vulnerabilities.
  • WAF – Set up a Web Application Firewall with rules to block suspicious and malicious requests.
  • Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are
  • not publicly accessible.
  • Passwords – Implement strong passwords.
  • Logging – Log your eCommerce environment’s network activity and web server activity.
  • Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.