Summary
The threat intelligence community has seen a new wiper malware sample known as “HermeticWiper” circulating in Ukrainian enterprises, and investigation suggests that a signed driver is being used to deliver a wiper that targets Windows devices, modifying the MBR and causing boot failure as a result.
Indicators of Compromise
| HermeticWiper | SHA1 |
| Win32 EXE | 912342f1c840a42f6b74132f8a7c4ffe7d40fb77 |
| Win32 EXE | 61b25d11392172e587d8da3045812a66c3385451 |
| ms-compressed | SHA1 |
| RCDATA_DRV_X64 | a952e288a1ead66490b3275a807f52e5 |
| RCDATA_DRV_X86 | 231b3385ac17e41c5bb1b1fcb59599c4 |
| RCDATA_DRV_XP_X64 | 095a1678021b034903c85dd5acb447ad |
| RCDATA_DRV_XP_X86 | eb845b7a16ed82bd248e395d9852f467 |
Recommendations
- Companies must keep their systems up to date.
- Organizations SHOULD ALWAYS keep an eye on network traffic for malicious activity sent by threat actors.
- Organizations must regularly raise awareness about social engineering instances and offer workshops and trainings on how to protect themselves from such attacks.
- Using intrusion detection and prevention systems will assist keep the network in good shape.
- Make use of advanced e-mail security software.
- Make use of powerful end-point protection and detection solutions that include ransomware rollback capabilities.
Reference
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
