Summary
In January 2022, Netskope analyzed a destructive malware named WhisperGate, wiping files and corrupting disks during the aftermath of a geopolitical conflict in Ukraine. On February 24, the conflict escalated with Russian attacks in Ukraine, followed by a series of DDoS attacks against Ukrainian websites.
On February 24, 2022, a new malware called HermeticWiper was found in hundreds of computers in Ukraine. HermeticWiper corrupts disks on infected systems, similar to WhisperGate. However, HermeticWiper is a more complex malware, implementing techniques to avoid detection. In this blog post, we will analyze this new threat to demonstrate how it works.
Analysis
We have analyzed two different HermeticWiper files, both digitally signed with a certificate issued to Hermetica Digital Ltd and valid until April 14, 2022.
Although this information can be easily changed, the first file was apparently compiled on December 28, 2021, while the second one was compiled on February 23, 2022.
The two samples are 99% equal. The only difference is a small addition to the newer file within the main function.