Ukraine was recently targeted by several wiper malware families. In January, WhisperGate, which was attributed to a Belarusian threat actor group known as Ghostwriter/UNC1151, targeted Ukraine’s government, non-profit, and technology verticals. On February 23, another wiper malware dubbed HermeticWiper or FoxBlade was used to target Ukraine. On February 24, a third wiper malware was observed targeting Ukrainian entities. This new malware was dubbed IsaacWiper. ESET recently published research on HermeticWiper and IsaacWiper.
What is HermeticWiper?
HermeticWiper, also known as FoxBlade, is an approximately 115 KB executable. The earliest known compile date was December 28, 2021, and one of the wiper executables was compiled on the same day the malware was deployed.
HermeticWiper has three components:
- HermeticWiper - a MBR wiper component
- HermeticWizard - a worm-like feature used to propagate the malware on the local network via WMI and SMB
- HermeticRansom - a decoy ransomware program written in Go and used to mask the true intent of the malware
While the initial infection vector is unknown, ESET observed one sample being deployed via GPO, suggesting the threat actors already had access to the victim’s Active Directory. They note Impacket may have also been used to deploy HermeticWiper. HermeticWiper wipes the master boot record (MBR), effectively destroying the disk structure. It also erases itself from the disk by overwriting its own file with random bytes in an attempt to thwart forensic analysis.
What is Isaac Wiper?
According to ESET, IsaacWiper is found in a Windows DLL or EXE with no Authenticode signature and was compiled on October 19, 2021, about two months before HermeticWiper. IsaacWiper was used in attacks on Ukrainian entities one day after HermeticWiper was used. The initial infection vector for IsaacWiper is currently unknown. Threat actors likely used tools such as Impacket for lateral movement. ESET observed RemCom, a remote access tool, deployed on some of the machines affected by IsaacWiper. IssacWiper attacks were first observed on February 24, with a second round of attacks on February 25. The second version of IsaacWiper included debug logs.
At present, HermeticWiper and IsaacWiper have not been attributed to a particular threat actor group or country. They were not used on the same targets, nor do they seem to share code. IsaacWiper is reportedly less sophisticated than HermeticWiper.
PolySwarm has multiple samples associated with HermeticWiper and IsaacWiper activity.