DiskKill/HermeticWiper, a disruptive cyber-weapon targeting Ukraine’s critical infrastructures 

Introduction 

During the early hours of Thursday 24 February 2022, Russia launched an attack on the country of Ukraine due to the ongoing dispute over its possible inclusion within NATO countries. This event has led to a tense geo-political climate within the eurozone. 

All the shared Initial information shows that the attack by Russian troops was anticipated by a series of cyber-attacks aimed at delaying communications and creating services interruptions in IT infrastructures of Ukrainian political and military bodies. 

The analyzed samples are connected to a new cyber tool dubbed DiskKill/HermeticWiper, this dangerous malware was designed to make every disk unusable connected to a server infected with the malicious code. 

According to the technical analysis of Yoroi CERT it has been observed the use of two distinct variants of the sample: one developed by the cyber-warfare departments of GRU, on 23 February at 12:48:53 of Moscow’s time zone, a day before the invasion, meanwhile the second one at 11:37:16 of Moscow’s time zone on 28 December 2021 58 days before the start of offensive operations in the Ukraine territory. 

CERT-Yoroi proceeded with an elevated urgency to analyze samples related to the current invasion retrieved from the European intelligence community. 

Technical Analysis 

HermeticWiper is a cyber weapon aimed at disrupting the victim system and making postmortem forensic analyses harder. It has been published on VirusTotal platform the day 2022-02-23 at 18:14:17 UTC 

The sample has the following static information 

Once executed, it tries to manipulate the privileges using the technique T1134 described in MITRE ATT&CK and elevate itself to “SeBackupPrivilege” and “SeLoadDriverPrivilege”. 

The code performing this manipulation is the following: 

 When these privileges are successfully gained, the malware can execute all its malicious operations, and the most disruptive is the disk and backup manipulation. DiskKill abuses legitimate drivers to manipulate and modify the disks. These drivers are located inside the sample’s resources as you can see from the following code: 

RCDATA Resource contains these drivers compiled for both 32 and 64-bit architectures, in order to adapt the right execution to the victim machine. Each resource is compressed by using ms-compress. In particular, the driver is a legit component of the “EaseUS Partition Master” tool, a widely used disk management utility. This allows attackers to manipulate and corrupt the accesses to the disk drives leveraging the LOLbas attack methods. 

 After loading the necessary drivers, the malware stores the just extracted file into the special path %System32%, before using it:  

Then, the sample proceeds to disable the dump feature in case of a crash modifying the registry key “HKLM\SYSTEM\CurrentControlSet\Control\CrashControl” 

 Another interesting capability presented by the sample is to the Shadow Copy service disabling, in order to avoid even a partial recovery of the files and the  

The destructive capability of the malware is tampering and wiping the disk data, by carrying out a cycle of 100 iterations on the “\\.\PhysicalDrive” object who it can access thanks to the permissions it gained before thanks to DeviceIoControl: 

Once the malware gets access to the disk, it checks if it uses NTFS or FAT file systems, through parsing the table formats. After that, depending on the case it starts to compromise the drives by using the functions “CryptAcquireContextW” and “CryptGenRandom” from the Microsoft Crypto API. 

Another interesting feature of the sample is the use of multi-threaded functions to execute all the malicious operations, efficiently parallelizing every malicious activity on the disk. 

 Conclusion 

HermeticWiper is a new type of sabotage malware aimed to slowing down the communications among the critical infrastructures in Ukraine. In this moment, there are no evidence of cyber-attacks of this kind are targeting other parts of the world, anyway, it is comprehensible that organizations need to re-evaluate their current cyber-risk, considering the fact that we are possibly entering into a larger cyber operation. 

However, during these last critical hours, where the real war has been anticipated by the spreading of sabotage cyber weapons, like DDoS attacks and wipers, like this one just analyzed, in the other part of the world, many companies and organizations are shocked and are going into a panic. The cyber defender job is lead by ethics, and critical thinking to analyze and provide the strategy to protect our customers from cyber-attacks in the best way, trying to limit the panic and the confusion created by such attacks, and at the same time by providing actionable information for our customers, and the security community. 

Indicator of Compromise

• 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 
• 96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84 
• 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da 

Yara  Rules

rule hermetic_wiper { 
    meta:  
        description = "Yara rule for the detection of DiskKill/HermeticWiper sample"  
        author = "Yoroi Malware ZLab" 
        last_updated = "2022-02-24"  
        tlp = "WHITE" 
        category = “informational” 
    
    strings: 
        $a = {458c660fd6459cffd350ffd78bf885ff0f84f70000006a008d8578ffffff506a60576a006a006864000900ff75a4ff1564504000576a0085c07510ffd38b3d70} 

    condition: 
        $a and uint16(0) == 0x5A4D 
} 

This blog post was authored by Luigi Martire, Carmelo Ragusa, and Luca Mella of Yoroi Malware ZLAB