Summary
In January 2022, Netskope analyzed a destructive malware named WhisperGate, wiping files and corrupting disks during the aftermath of a geopolitical conflict in Ukraine. On February 24, the conflict escalated with Russian attacks in Ukraine, followed by a series of DDoS attacks against Ukrainian websites.
On February 24, 2022, a new malware called HermeticWiper was found in hundreds of computers in Ukraine. HermeticWiper corrupts disks on infected systems, similar to WhisperGate. However, HermeticWiper is a more complex malware, implementing techniques to avoid detection. In this blog post, we will analyze this new threat to demonstrate how it works.
Analysis
We have analyzed two different HermeticWiper files, both digitally signed with a certificate issued to Hermetica Digital Ltd and valid until April 14, 2022.
Although this information can be easily changed, the first file was apparently compiled on December 28, 2021, while the second one was compiled on February 23, 2022.
The two samples are 99% equal. The only difference is a small addition to the newer file within the main function.
Looking at the code that was added, it’s checking the presence of “C:\Windows\SYSVOL”, which is a folder that exists in every domain controller, containing public files shared across the domain. If the folder exists, the code skips additional steps that reference common folders such as “Desktop” and “AppData”, which we show later in this analysis.
Once running, HermeticWiper adjusts its privileges by enabling SeBackupPrivilege and SeShutdownPrivilege tokens via AdjustTokenPrivileges API. With both enabled tokens, the malware can access any file in the system, bypassing the access control list (ACL), and can shut down the system.
Then, it dynamically resolves three APIs from “kernel32.dll” using a common technique via GetModuleHandle and GetProcAddress.