In the hours before Russia launched its assault on Ukraine Wednesday, new wiper malware was spotted targeting Ukrainian financial businesses and government contractors.
With the benefit of a few more hours to deconstruct the malware — dubbed HermeticWiper by ESET — SentinelLabs has developed a fuller picture of how it works and some of its secrets. Most surprising: the malware appears to obliterate a system, then keep looking for additional critical folders.
ESET was first to discover HermeticWiper, with Broadcom's Symantec contributing additional public research Wednesday. ESET noted telemetry showing the wiper was installed on hundreds of machines in Ukraine, and Symantec said it had also seen the malware on systems in Latvia and Lithuania. Both Latvia and Lithuania are, notably, NATO nations.
No vendor, including SentinelOne, has attributed the attack to Russia, though ESET believes the attack is likely connected to the invasion. Russia has launched a massive wiper attack in Ukraine at least once before — 2017's NotPetya, which would quickly spread out of Ukraine — and Ukraine attributed a separate wiper attack in January to Russia. Ukraine has faced two rounds of coordinated SMS spam and DDoS attacks against banks, most recently on Wednesday, widely speculated to have come from Russia.
Early Thursday morning, SentinelLabs released its early findings from reverse engineering the malware. SentinelLabs notes that the malware corrupts the master boot record of all physical drives — which alone should render the system inoperable — but then further corrupts up to 100 partitions of each physical drive in the same manner. After obliterating systems multiple times over, it then searches for the master file table (MFT) streams $bitmap and $logfile and the NTFS streams $DATA, $I30 and $INDEX_ALLOCATION, for common folders like "My Documents," "Desktop" and "AppData," and makes some references to the registry and Windows Event Logs. But SentinelLabs is unclear on why it does any of this to a system that will be destroyed upon a reboot the malware automatically triggers.
SentinelLabs confirmed several aspects of ESET's reporting: that HermeticWiper uses a security certificate licensed to a company called Hermetica Digital, and that the physical drive portion of the attack used the EaseUS driver. SentinelLabs added that the empntdrv.sys driver was used in the partition component of the attack. It also added that the attackers corrupted logging during their stay, and detailed the exact method of tampering with the MBRs.
SentinelLabs lists indicators of compromise in its report, but said SentinelOne customers are already protected from the attack.