Written by: Amit Malik
As the Russian invasion of Ukraine enters its second week, we’ve seen the tragic physical toll being taken on the battlefield accompanied by extensive cyber warfare. State-sponsored Russian threat actors and cyber criminals have launched a cyber offensive attacking several government and private organizations in Ukraine. These hybrid warfare attacks target Ukraine's critical infrastructure with the aim of causing disruption of services.
So far the cyberattacks we’ve seen have been confined to Ukraine and Russia, and as of this writing there are no reports of cyberattacks affecting any NATO or allied countries. But that doesn’t mean that organizations shouldn't be taking steps to harden their systems and prepare security teams to utilize the latest intelligence from the cyber battlefield.
Amongst the malware attacks identified so far by the threat intelligence community, there is use of new destructive wipers that make the system inoperable by overwriting the MBR (Master Boot Record). The U.S. FBI and Cybersecurity and Infrastructure Security Agency (CISA) have also released an advisory on recommended guidance and considerations for organizations to address destructive malware, noting “Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries.”
This blog post will provide details of the malware attacks against Ukraine and also detail the Uptycs EDR generic detection capabilities for destructive wipers.
Disk wipers also known as killdisk or wiper is a family of malware that has existed for several years. These are mostly deployed in targeted and APT attacks with the intention of making the system or its dependent resources unavailable.
These malware are known to wipe out the entire system and make the data unrecoverable. This is mostly performed by overwriting the MBR (Master Boot Record) with random custom values making the machine inoperable.
The MBR, also referred to as the boot loader, is a critical component of the machine which holds the information on how the logical partitions containing file systems are organized. The MBR also contains executable code to function as a loader for the installed operating system that resides in the first sector of the hard disk.
Based on the threat intelligence and reports, Uptycs has analyzed the following destructive wipers:
- Issac Wiper
A brief description and operation of the destructive wipers is listed below.
HermeticWiper, also referred to as Foxblade, hit the news with reports of the malware targeting the Ukrainian organizations and overwriting data in the MBR, thereby resulting in boot failure.
HermeticWiper was identified to be signed with a digital certificate issued in the name of “Hermetica Digital Ltd'' which seemed to be a fake organization. The resource section of the binary contains an embedded EaseUs partition manager driver “empndrv.sys”. There are four drivers embedded into the resource that supports Windows XP and higher versions (see Figure 1).
Figure 1: HermeticWiper resource directory
These drivers are installed in the system as service and are used to wipe out the MBR. This is performed by corrupting the first 512 bytes of all physical drives connected to the system (see Figure 2).
Figure 2: HermeticWiper MBR overwrite snippet
The malware also disables the crash dump Volume Shadow Service (VSS) and corrupts Windows Event Logs with an intention of destroying any forensic evidence of its activity and hampering efforts to recover the erased data.
Whispergate is another destructive wiper targeting Ukrainian entities by overwriting the MBR (Master Boot Record) and files. Whispergate overwrites the MBR which is at Physicaldrive0 and is also capable of overwriting files (see Figure 3).
Figure 3: Whispergate MBR overwrite snippet
IssacWiper is the latest destructive wiper targeting Ukraine. The malware is a DLL file calling the export “_Start@4” using rundll32. Upon execution, a log file “C:\ProgramData\log.txt” is created to log the failure and successes to the malware execution (See Figure 4).
Figure 4: IssacWiper log file
The malware then proceeds to overwrite the MBR.
Figure 5: IsaacWiper MBR overwrite snippet
For Uptycs Customers Using EDR
The Uptycs EDR has ensured detection coverage for all known variants of destructive wipers with our generic MBR detection component alongside with the YARA rules. An excerpt of the detection of HermeticWiper with a threat score of 10/10 in Uptycs EDR is shown below (See Figure 6).
Figure 6: HermeticWiper detection in Uptycs EDR
The Uptycs Threat Research Team is closely monitoring the threat groups and malware tied to the ongoing Russian invasion and adding comprehensive coverage to the Uptycs EDR.