Background
Ukraine was recently targeted by several wiper malware families. In January, WhisperGate, which was attributed to a Belarusian threat actor group known as Ghostwriter/UNC1151, targeted Ukraine’s government, non-profit, and technology verticals. On February 23, another wiper malware dubbed HermeticWiper or FoxBlade was used to target Ukraine. On February 24, a third wiper malware was observed targeting Ukrainian entities. This new malware was dubbed IsaacWiper. ESET recently published research on HermeticWiper and IsaacWiper.
What is HermeticWiper?
HermeticWiper, also known as FoxBlade, is an approximately 115 KB executable. The earliest known compile date was December 28, 2021, and one of the wiper executables was compiled on the same day the malware was deployed.
HermeticWiper has three components:
- HermeticWiper - a MBR wiper component
- HermeticWizard - a worm-like feature used to propagate the malware on the local network via WMI and SMB
- HermeticRansom - a decoy ransomware program written in Go and used to mask the true intent of the malware
While the initial infection vector is unknown, ESET observed one sample being deployed via GPO, suggesting the threat actors already had access to the victim’s Active Directory. They note Impacket may have also been used to deploy HermeticWiper. HermeticWiper wipes the master boot record (MBR), effectively destroying the disk structure. It also erases itself from the disk by overwriting its own file with random bytes in an attempt to thwart forensic analysis.
What is Isaac Wiper?
According to ESET, IsaacWiper is found in a Windows DLL or EXE with no Authenticode signature and was compiled on October 19, 2021, about two months before HermeticWiper. IsaacWiper was used in attacks on Ukrainian entities one day after HermeticWiper was used. The initial infection vector for IsaacWiper is currently unknown. Threat actors likely used tools such as Impacket for lateral movement. ESET observed RemCom, a remote access tool, deployed on some of the machines affected by IsaacWiper. IssacWiper attacks were first observed on February 24, with a second round of attacks on February 25. The second version of IsaacWiper included debug logs.
At present, HermeticWiper and IsaacWiper have not been attributed to a particular threat actor group or country. They were not used on the same targets, nor do they seem to share code. IsaacWiper is reportedly less sophisticated than HermeticWiper.
IOCs
PolySwarm has multiple samples associated with HermeticWiper and IsaacWiper activity.
HermeticWiper
1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397
3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767
96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84
8c614cf476f871274aa06153224e8f7354bf5e23e6853358591bf35a381fb75b
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 (HermeticRansom)
IsaacWiper
912342f1c840a42f6b74132f8a7c4ffe7d40fb77
61b25d11392172e587d8da3045812a66c3385451
f32d791ec9e6385a91b45942c230f52aff1626df
736a4cfad1ed83a6a0b75b0474d5e01a3a36f950
23873bf2670cf64c2440058130548d4e4da412dd
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports
