HermeticWiper

HermeticWiper is a data wiper that has been used since at least early 2022, primarily against Ukraine with additional activity observed in Latvia and Lithuania. Some sectors targeted include government, financial, defense, aviation, and IT services.[1][2][3][4][5]

ID: S0697
Associated Software: Trojan.Killdisk, DriveSlayer
Type: MALWARE
Platforms: Windows
Contributors: Mayuresh Dani, Qualys; Harshal Tupsamudre, Qualys
Version: 1.1
Created: 25 March 2022
Last Modified: 11 April 2024

Associated Software Descriptions

Name Description
Trojan.Killdisk [6][2]
DriveSlayer [7][3]

Techniques Used

Domain ID Name Use
Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

HermeticWiper has used the name postgressql.exe to mask a malicious payload.[8]

Enterprise T1112 Modify Registry

HermeticWiper has the ability to modify Registry keys to disable crash dumps, colors for compressed files, and pop-up information about folders and desktop items.[1][3][5]

Enterprise T1543.003 Create or Modify System Process: Windows Service

HermeticWiper can load drivers by creating a new service using the CreateServiceW API.[3]

Enterprise T1140 Deobfuscate/Decode Files or Information

HermeticWiper can decompress and copy driver files using LZCopy.[3]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

HermeticWiper can use cmd.exe /Q/c move CSIDL_SYSTEM_DRIVE\temp\sys.tmp1 CSIDL_WINDOWS\policydefinitions\postgresql.exe 1> \\127.0.0.1\ADMIN$\_1636727589.6007507 2>&1 to deploy on an infected system.[8]

Enterprise T1484.001 Domain or Tenant Policy Modification: Group Policy Modification

HermeticWiper has the ability to deploy through an infected system's default domain policy.[8]

Enterprise T1562.006 Impair Defenses: Indicator Blocking

HermeticWiper has the ability to set the HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled Registry value to 0 in order to disable crash dumps.[1][3][5]

Enterprise T1485 Data Destruction

HermeticWiper can recursively wipe folders and files in Windows, Program Files, Program Files(x86), PerfLogs, Boot, System, Volume Information, and AppData folders using FSCTL_MOVE_FILE. HermeticWiper can also overwrite symbolic links and big files in My Documents and on the Desktop with random bytes.[8]

Enterprise T1083 File and Directory Discovery

HermeticWiper can enumerate common folders such as My Documents, Desktop, and AppData.[1][5]

Enterprise T1489 Service Stop

HermeticWiper has the ability to stop the Volume Shadow Copy service.[5]

Enterprise T1106 Native API

HermeticWiper can call multiple Windows API functions used for privilege escalation, service execution, and to overwrite data with random bytes.[1][3][8][5]

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

HermeticWiper can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm.[2][3][5]

Enterprise T1561.001 Disk Wipe: Disk Content Wipe

HermeticWiper has the ability to corrupt disk partitions and obtain raw disk access to destroy data.[3][1]

Enterprise T1561.002 Disk Wipe: Disk Structure Wipe

HermeticWiper has the ability to corrupt disk partitions, damage the Master Boot Record (MBR), and overwrite the Master File Table (MFT) of all available physical drives.[1][2][3][5]

Enterprise T1070 Indicator Removal

HermeticWiper can disable pop-up information about folders and desktop items and delete Registry keys to hide malicious services.[3][8]

Enterprise T1070.001 Indicator Removal: Clear Windows Event Logs

HermeticWiper can overwrite the C:\Windows\System32\winevt\Logs file on a targeted system.[8]

Enterprise T1070.004 Indicator Removal: File Deletion

HermeticWiper has the ability to overwrite its own file with random bytes.[3][8]

Enterprise T1082 System Information Discovery

HermeticWiper can determine the OS version, bitness, and enumerate physical drives on a targeted host.[1][3][8][5]

Enterprise T1529 System Shutdown/Reboot

HermeticWiper can initiate a system shutdown.[1][5]

Enterprise T1490 Inhibit System Recovery

HermeticWiper can disable the VSS service on a compromised host using the service control manager.[3][8][5]

Enterprise T1569.002 System Services: Service Execution

HermeticWiper can create system services to aid in executing the payload.[1][3][5]

Enterprise T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion

HermeticWiper has the ability to receive a command parameter to sleep prior to carrying out destructive actions on a targeted host.[3]

Enterprise T1134 Access Token Manipulation

HermeticWiper can use AdjustTokenPrivileges to grant itself privileges for debugging with SeDebugPrivilege, creating backups with SeBackupPrivilege, loading drivers with SeLoadDriverPrivilege, and shutting down a local system with SeShutdownPrivilege.[5][3]

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

HermeticWiper has the ability to use scheduled tasks for execution.[2]

Enterprise T1553.002 Subvert Trust Controls: Code Signing

The HermeticWiper executable has been signed with a legitimate certificate issued to Hermetica Digital Ltd.[2][3][4][5]
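As an added example (not from this page or the reports it cites), a small Python hunt over constructed endpoint events that flags three of the behaviours catalogued above: the CrashDumpEnabled Registry write, the stop of the Volume Shadow Copy service, and the cmd.exe move of the payload into policydefinitions\postgresql.exe with output redirected to the local ADMIN$ share. The event schema and field names are assumed and not tied to any particular EDR product.

```python
import re

# Constructed sample endpoint events (not taken from the page's references);
# the dict schema is an assumption made for this example.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "path": r"HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
     "value": "0"},
    {"type": "service_control", "service": "VSS", "action": "stop"},
    {"type": "process_create",
     "command_line": r"cmd.exe /Q/c move CSIDL_SYSTEM_DRIVE\temp\sys.tmp1 "
                     r"CSIDL_WINDOWS\policydefinitions\postgresql.exe "
                     r"1> \\127.0.0.1\ADMIN$\_1636727589.6007507 2>&1"},
    # Benign noise: an unrelated registry write and an unrelated service stop.
    {"type": "registry_set", "path": r"HKCU\Software\Example\Setting", "value": "0"},
    {"type": "service_control", "service": "Spooler", "action": "stop"},
]

CRASHDUMP_KEY = r"\crashcontrol\crashdumpenabled"
# stdout of cmd.exe redirected into the local ADMIN$ share, as in the command on this page.
ADMIN_SHARE_REDIRECT = re.compile(r"1>\s*\\\\127\.0\.0\.1\\admin\$\\", re.IGNORECASE)


def classify_event(ev):
    """Return (technique ID, reason) if the event matches a catalogued behaviour, else None."""
    if ev["type"] == "registry_set":
        if ev["path"].lower().endswith(CRASHDUMP_KEY) and ev["value"] == "0":
            return ("T1562.006", "CrashDumpEnabled set to 0 (crash dumps disabled)")
    elif ev["type"] == "service_control":
        if ev["service"].lower() == "vss" and ev["action"] == "stop":
            return ("T1490", "Volume Shadow Copy service stopped")
    elif ev["type"] == "process_create":
        cl = ev["command_line"].lower()
        if "move " in cl and r"\policydefinitions\postgresql.exe" in cl:
            return ("T1036.005", "payload moved to policydefinitions\\postgresql.exe")
        if ADMIN_SHARE_REDIRECT.search(cl):
            return ("T1059.003", "cmd.exe output redirected to \\\\127.0.0.1\\ADMIN$")
    return None


def hunt(events):
    """Collect every match; several distinct techniques on one host is the strong signal."""
    return [m for m in (classify_event(ev) for ev in events) if m is not None]


if __name__ == "__main__":
    for tid, why in hunt(SAMPLE_EVENTS):
        print(tid, why)
```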

References