HermeticWiper
OVERVIEW
The HermeticWiper malware variant was first identified by researchers from ESET and Broadcom’s Symantec on February 23, 2022, and has been observed attacking Ukrainian government and other organizations during the tensions between Ukraine and Russia. It is a wiper, similar in purpose to the NotPetya attack of 2017 and the more recent WhisperGate wiper of January 2022: its goal is to destroy data and render it unrecoverable.
TARGETING
HermeticWiper, as of February 2022, has been observed being used in an active campaign targeting Ukrainian government and related organizations.
DELIVERY
HermeticWiper’s method of delivery has not been confirmed as of January 2022, but speculation is that it could be delivered via email attachments, malicious links, and social engineering. One of the targeted organizations reportedly had the wiper dropped via Group Policy Object (GPO), meaning the attackers already had initial access.
INSTALLATION
HermeticWiper has been observed being installed by a malicious code-signed application, allowing it to circumvent initial security tooling. It then abuses legitimate drivers from the EaseUS Partition Master software to execute the data corruption system-wide.
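The installation step above (a dropped, legitimately signed third-party driver abused for raw disk access) is detectable by correlating file-creation and driver-load telemetry. The following is an added example, not code from the Cyborg Security post or from any vendor product; it consumes a constructed, simplified key=value event format modelled loosely on Sysmon Event 11 (FileCreate) and Event 6 (DriverLoad), and the installer allowlist, window size and sample paths are assumptions.

```python
"""Alert when a freshly written .sys file is loaded as a kernel driver."""
from datetime import datetime

WINDOW_SECONDS = 300  # assumed: a load this soon after the file was written is suspicious
TRUSTED_INSTALLERS = {"msiexec.exe", "trustedinstaller.exe"}  # assumed allowlist


def parse_event(line):
    """Split 'k=v;k=v' into a dict (constructed format, not real Sysmon XML)."""
    ev = dict(field.split("=", 1) for field in line.split(";"))
    ev["time"] = datetime.fromisoformat(ev["UtcTime"])
    return ev


def find_dropped_driver_loads(lines):
    """Return (driver path, process that wrote it, seconds between write and load)."""
    created = {}  # normalised path -> (write time, writing process name)
    alerts = []
    for ev in (parse_event(line) for line in lines):
        if ev["EventID"] == "11" and ev["TargetFilename"].lower().endswith(".sys"):
            proc = ev["Image"].rsplit("\\", 1)[-1].lower()
            created[ev["TargetFilename"].lower()] = (ev["time"], proc)
        elif ev["EventID"] == "6" and ev["ImageLoaded"].lower() in created:
            t_create, proc = created[ev["ImageLoaded"].lower()]
            delta = (ev["time"] - t_create).total_seconds()
            # A driver written by a non-installer process and loaded right away
            # is the bring-your-own-driver pattern; a signature alone does not clear it.
            if 0 <= delta <= WINDOW_SECONDS and proc not in TRUSTED_INSTALLERS:
                alerts.append((ev["ImageLoaded"], proc, delta))
    return alerts


# Constructed sample telemetry: a benign installer, then a driver dropped from a temp dir.
SAMPLE_LINES = [
    "EventID=11;UtcTime=2022-02-23T16:00:00;Image=C:\\Windows\\System32\\msiexec.exe;"
    "TargetFilename=C:\\Windows\\System32\\drivers\\vendor.sys",
    "EventID=6;UtcTime=2022-02-23T16:00:05;"
    "ImageLoaded=C:\\Windows\\System32\\drivers\\vendor.sys;Signature=Example Vendor",
    "EventID=11;UtcTime=2022-02-23T16:05:00;Image=C:\\Users\\alice\\AppData\\Local\\Temp\\dropper.exe;"
    "TargetFilename=C:\\Windows\\System32\\drivers\\abcd.sys",
    "EventID=6;UtcTime=2022-02-23T16:05:02;"
    "ImageLoaded=C:\\Windows\\System32\\drivers\\abcd.sys;Signature=Partition Tool Ltd",
]

if __name__ == "__main__":
    for path, proc, delta in find_dropped_driver_loads(SAMPLE_LINES):
        print(f"ALERT: {path} loaded {delta:.0f}s after being written by {proc}")
```

Only the second driver load is flagged: the signature is valid in both cases, and it is the write-then-load sequence by a non-installer process that distinguishes the abuse.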
PERSISTENCE
Persistence is achieved through the observed corruption of the Master Boot Record on all associated physical drives, rendering the victim host unrecoverable.
*** This is a Security Bloggers Network syndicated blog from Cyborg Security authored by Josh Campbell. Read the original post at: https://www.cyborgsecurity.com/emerging-threat/hermeticwiper/

