HermeticWiper malware: hands-on details of the Ukraine cyberattack

Gain insights into the notorious state-sponsored HermeticWiper cyberattack that hit Ukraine right before the unprovoked Russian invasion.

Today we’ll be talking about the HermeticWiper malware that has been used by the Russians against Ukraine. Now, a piece of malware may seem like a relatively trivial matter when we’re talking about a real war with troops on the ground, rockets raining from above, but it’s actually not. Now, I do have a sample of this malware on the desktop and we’re just going to run it while we talk about some of the things it does.

So first of all, this is a wiper malware, meaning its main purpose is to disable or render inactive systems that it’s run on. The way it does that, of course, in traditional ransomware fashion is it’s going to destroy your MBR, your master boot record, and disable services. So if this was a system that was hosting a website, say, of the Ukrainian government, a bank, then it would just go down. And it does take a while to activate. They also kind of tried to hide this by using ransomware as a decoy.

So they had this little ransom note, which was actually fake, of course, to mislead people into thinking they were hit by ransomware when actually they were hit by this Russian wiper malware.

Given the prevalence of ransomware attacks, I can see how this would be an effective way of cloaking the intentions of the Russian cyberattacks. Now, as the sample is executing, we’re going to look at some of its capabilities. But before that, we also should consider the impact that cyber threats like this can have.

Here’s the thing, when we talk about something as broad as a country’s military, we reduce it down to numbers for simplicity. But it doesn’t mean that the military is a resource. A lot of things determine how the military is going to fare, including things like troops’ morale, the ability to communicate, the military command, different hierarchies being able to talk to each other and organize. And if a cyberattack takes out all of those communication capabilities, or even misleads them, it can quickly lead to the military command breaking down and individuals fleeing or giving up their positions just because there’s no clear mission for them to do. And such a tool can be highly effective.

But we’ll take a look at some of the things that this file does. So we’ve got some bootkit behavior and the ability to impair defenses, disable or modify tools. We can see that some of the registry activity is actually similar to the dark side, not a surprise. Got some file activity as well. We’ve got some drivers being written and there’s quite a lot of modifications happening in the registry. If we go back to the original file and take a deeper look at the capabilities of the wiper itself, it’s got abilities in execution, persistence, privilege escalation, and discovery. It does take a while to activate though.

So our virtual machine is still oblivious to the sample that’s running in the background. If we open the Task Manager, it’s going to be visible.

I like how it’s got this nice gift icon. It’s like it’s a gift from Russia. It’s just sitting in memory and you don’t notice a lot happening. So it’s very easy to ignore. Unlike ransomware, it does not ramp up your CPU activity to 80 or 90% that if you’re monitoring a server, you’d notice it. Now another interesting thing to note while this malware is running is that it’s incredibly hard to detect wiper malware. Some of these have very low detections on VirusTotal. When this came out, I think it had 14 out of 70 detections.

I have noticed in the past as well with wiper malware that a lot of the behavioral defenses that will pick up threats like ransomware will totally be ineffective against wipers. It’s also worth noting that these sorts of attacks are usually also accompanied with distributed denial of service (DDoS). And in combination, it can just render a lot of the services that are critical to a country’s functioning disabled.

Now, the good news is in this specific case, this cyberattack against Ukraine wasn’t particularly successful. I think most of the websites recovered fairly quickly. But it’s not hard to imagine the kind of impact this would have if it totally disrupted communication systems at a crucial point in time. Alright, so the sample has been running in the background for a while and it may seem like the system is normal, nothing has happened, but if we open one of our files, as you will see, the data inside is gone already. This is what the data looks like now. It has all been wiped.

So it’s been several minutes since and we’ve just had a BSOD, and now the system is no longer going to work. This malware is particularly devastating because it doesn’t care about getting some sort of ransom or a bargaining position with the victim. It just seeks to destroy your system outright. And if something like this were to hit major businesses, government organizations, it would be disaster territory very quickly if you don’t have backup systems that are isolated and not hit. It could take down services and cause mass confusion, especially as we begin to rely more and more on digital technologies for things we do in everyday life, for our money, for our food, for our communications.

This could be the future of warfare. So for those of you who are still not convinced about the importance of cybersecurity, I think this is a reminder that that’s the world we live in. It’s only going to get more important from here. Defending yourself from such attacks is increasingly crucial because there might be a spillover of such incidents as there was with the NotPetya attacks. We could see the sample being used against businesses or accidentally hitting businesses. It’s really important to understand the repercussions of cyberattacks in a time like this. And as always, stay informed, stay secure, and stay safe Ukraine.