www.sentinelone.com
Open in
urlscan Pro
104.26.3.18
Public Scan
Submitted URL: https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/'
Effective URL: https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
Submission: On April 26 via api from CA — Scanned from CA
Effective URL: https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
Submission: On April 26 via api from CA — Scanned from CA
Form analysis 6 forms found in the DOM
GET https://www.sentinelone.com
<form autocomplete="off" method="get" action="https://www.sentinelone.com">
<fieldset>
<input type="search" name="s" placeholder="Search ..." value="">
<button class="search" type="submit">
<span class="light">
<img class="icon-search" src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/search-icon-white.svg">
<img class="icon-down" src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/navigation-close.svg">
</span>
<span class="dark">
<img class="icon-search" src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/search-icon.svg">
<img class="icon-down" src="https://www.sentinelone.com/wp-content/themes/sentinelone/carbine/assets/svg/navigation-close-dark.svg">
</span>
</button>
</fieldset>
</form>GET https://www.sentinelone.com/
<form role="search" method="get" class="search-form" action="https://www.sentinelone.com/">
<label>
<span class="screen-reader-text">Search ...</span>
<input type="search" class="search-field" placeholder="Search ..." value="" name="s">
</label>
<input type="submit" class="search-submit" value="Search">
</form><form id="mktoForm_1985" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft bf_form_init" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); width: 1601px;" bf_offer_id="1467789052">
<style type="text/css"></style>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoOffset" style="width: 5px;"></div>
<div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 0px;">
<div class="mktoAsterix">*</div>
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Email" name="Email" placeholder="Business Email" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 150px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Employees__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Industry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="AnnualRevenue" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Address" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="City" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="PostalCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="SIC_Code2__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Website" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseSID" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Phone" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseCompany" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseCountry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseState" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseEmployeeRange" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="subIndustry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="dataSource" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListAccountType" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListAccountOwner" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListAccountStatus" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListCampaignCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative" style="margin-left: 110px;"><button type="submit" class="mktoButton">Subscribe</button></span></div>
<div class="marketo-legal">By clicking Subscribe, I agree to the use of my personal data in accordance with SentinelOne <a href="/legal/privacy-policy/">Privacy Policy</a>. SentinelOne will not sell, trade, lease, or rent your personal data to
third parties.</div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor" value="1985"><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="327-MNM-087">
</form><form id="mktoForm_2673" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft bf_form_init" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); width: 1601px;" bf_offer_id="1467762177">
<style type="text/css"></style>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoOffset" style="width: 5px;"></div>
<div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 0px;">
<div class="mktoAsterix">*</div>
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Email" name="Email" placeholder="Business Email" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 150px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Employees__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Industry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="AnnualRevenue" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Address" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="City" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="PostalCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="SIC_Code2__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Website" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseSID" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Phone" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseCompany" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseCountry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseState" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbaseEmployeeRange" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="subIndustry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="dataSource" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListAccountType" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListAccountOwner" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListAccountStatus" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="watchListCampaignCode" class="mktoField mktoFieldDescriptor mktoFormCol" value="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative" style="margin-left: 110px;"><button type="submit" class="mktoButton">Subscribe</button></span></div>
<div class="marketo-legal">By clicking Subscribe, I agree to the use of my personal data in accordance with SentinelOne <a href="/legal/privacy-policy/">Privacy Policy</a>. SentinelOne will not sell, trade, lease, or rent your personal data to
third parties.</div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor" value="2673"><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="327-MNM-087">
</form><form novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;"></form><form novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutLeft" style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;"></form>Text Content
*
*
* ABOUT
* CONTACT
* VISIT SENTINELONE.COM
Back
* ABOUT
* CONTACT
* VISIT SENTINELONE.COM
Advanced Persistent Threat
HERMETICWIPER | NEW DESTRUCTIVE MALWARE USED IN CYBER ATTACKS ON UKRAINE
Juan Andrés Guerrero-Saade / February 23, 2022
This post was updated Feb 28th 2022 to include new IOCs and the PartyTicket
‘decoy ransomware’.
EXECUTIVE SUMMARY
* On February 23rd, the threat intelligence community began observing a new
wiper malware sample circulating in Ukrainian organizations.
* Our analysis shows a signed driver is being used to deploy a wiper that
targets Windows devices, manipulating the MBR resulting in subsequent boot
failure.
* This blog includes the technical details of the wiper, dubbed HermeticWiper,
and includes IOCs to allow organizations to stay protected from this attack.
* This sample is actively being used against Ukrainian organizations, and this
blog will be updated as more information becomes available.
* We also analyze a ‘ransomware’, called PartyTicket, reportedly used as a
decoy during wiping operations.
* SentinelOne customers are protected from this threat, no action is needed.
BACKGROUND
On February 23rd, our friends at Symantec and ESET research tweeted hashes
associated with a wiper attack in Ukraine, including one which is not publicly
available as of this writing.
We started analyzing this new wiper malware, calling it ‘HermeticWiper’ in
reference to the digital certificate used to sign the sample. The digital
certificate is issued under the company name ‘Hermetica Digital Ltd’ and valid
as of April 2021. At this time, we haven’t seen any legitimate files signed with
this certificate. It’s possible that the attackers used a shell company or
appropriated a defunct company to issue this digital certificate.
HermeticWiper Digital Signature
This is an early effort to analyze the first available sample of HermeticWiper.
We recognize that the situation on the ground in Ukraine is evolving rapidly and
hope that we can contribute our small part to the collective analysis effort.
TECHNICAL ANALYSIS
At first glance, HermeticWiper appears to be a custom-written application with
very few standard functions. The malware sample is 114KBs in size and roughly
70% of that is composed of resources. The developers are using a tried and
tested technique of wiper malware, abusing a benign partition management driver,
in order to carry out the more damaging components of their attacks. Both the
Lazarus Group (Destover) and APT33 (Shamoon) took advantage of Eldos Rawdisk in
order to get direct userland access to the filesystem without calling Windows
APIs. HermeticWiper uses a similar technique by abusing a different driver,
empntdrv.sys.
HermeticWiper resources containing EaseUS Partition Manager drivers
The copies of the driver are ms-compressed resources. The malware deploys one of
these depending on the OS version, bitness, and SysWow64 redirection.
EaseUS driver resource selection
The benign EaseUS driver is abused to do a fair share of the heavy-lifting when
it comes to accessing Physical Drives directly as well as getting partition
information. This adds to the difficulty of analyzing HermeticWiper, as a lot of
functionality is deferred to DeviceIoControl calls with specific IOCTLs.
MBR AND PARTITION CORRUPTION
HermeticWiper enumerates a range of Physical Drives multiple times, from 0-100.
For each Physical Drive, the \\.\EPMNTDRV\ device is called for a device number.
The malware then focuses on corrupting the first 512 bytes, the Master Boot
Record (MBR) for every Physical Drive. While that should be enough for the
device not to boot again, HermeticWiper proceeds to enumerate the partitions for
all possible drives.
They then differentiate between FAT and NTFS partitions. In the case of a FAT
partition, the malware calls the same ‘bit fiddler’ to corrupt the partition.
For NTFS, the HermeticWiper parses the Master File Table before calling this
same bit fiddling function again.
MFT parsing and bit fiddling calls
We euphemistically refer to the bit fiddling function in the interest of
brevity. Looking through it, we see calls to Windows APIs to acquire a
cryptographic context provider and generate random bytes. It’s likely this is
being used for an inlined crypto implementation and byte overwriting, but the
mechanism isn’t entirely clear at this time.
Further functionality refers to interesting MFT fields ($bitmap, $logfile) and
NTFS streams ($DATA, $I30, $INDEX_ALLOCATION). The malware also enumerates
common folders (‘My Documents’, ‘Desktop’, ‘AppData’), makes references to the
registry (‘ntuser’), and Windows Event Logs
("\\\\?\\C:\\Windows\\System32\\winevt\\Logs"). Our analysis is ongoing to
determine how this functionality is being used, but it is clear that having
already corrupted the MBR and partitions for all drives, the victim system
should be inoperable by this point of the execution.
Along the way, HermeticWiper’s more mundane operations provide us with further
IOCs to monitor for. These include the momentary creation of the abused driver
as well as a system service. It also modifies several registry keys, including
setting the SYSTEM\CurrentControlSet\Control\CrashControl CrashDumpEnabled key
to 0, effectively disabling crash dumps before the abused driver’s execution
starts.
Disabling CrashDumps via the registry
Finally, the malware waits on sleeping threads before initiating a system
shutdown, finalizing the malware’s devastating effect.
A DECOY RANSOMWARE – PARTYTICKET
On February 24th, 2022, Symantec researchers pointed to a new Go ransomware
being used as a decoy alongside the deployment of HermeticWiper. During out
analysis we decided to name it PartyTicket based on some of the strings used by
the malware developers:
The idea of using a ransomware as a decoy for a wiper is counterintuitive. In
particular, a ransomware as poorly coded as PartyTicket is more likely to tie up
resources during the execution of an otherwise efficient wiper.
As often happens to amateur Go developers, the malware has poor control over its
concurrent threads and the commands it attempts to run. This leads to hundreds
of threads and events spawned in our consoles. That is to say, it’s a very loud
and ineffective ransomware that should fire alerts left and right.
The folder organization and function naming conventions within the binary show
the developer’s intent for taunting the U.S. Government and the Biden
administration.
Project folders and function names referring to the Biden Administration
Similar taunting can be found in the ransom note after execution:
In trying to understand the execution flow of PartyTicket, we see the
403forBiden.wHiteHousE.primaryElectionProcess() function recursively enumerating
folders:
PartyTicket looping over non-system folders
The resulting number of folders will be used as an upperbound for concurrent
threads, a mistake by the Go devs as that effectively ties up all of the
system’s resources. While the files found are all queued into a channel for the
threads to reference.
PartyTicket generating concurrent threads
The function indirectly called for each thread is
main.subscribeNewPartyMember(). It in turn takes a filename, makes a copy with a
<UUID>.exe name and deletes the original file. Then we expect a second loop to
relieve that queue of files and run each through a standard Go AES crypto
implementation. However, execution is unlikely to get this far with the current
design of PartyTicket.
(Thanks to Joakim Kennedy (Intezer) for pointing out this indirect call)
Crypto routine for files queued in the ‘salary’ channel
Overall our analysis of PartyTicket indicates it to be a rather simple, poorly
coded, and loud malware. Its possible role as a decoy ransomware deployed
alongside HermeticWiper is more likely to be effective for its accidental
hogging of the victim organization’s system resources rather than the encryption
of files itself. IOCs and Yara rules have been added below.
CONCLUSION
After a week of defacements and increasing DDoS attacks, the proliferation of
sabotage operations through wiper malware is an expected and regrettable
escalation. At this time, we have a very small sliver of aperture into the
attacks in Ukraine and subsequent spillover into neighboring countries and
allies. If there’s a silver lining to such a difficult situation, it’s seeing
the open collaboration between threat intel research teams, independent
researchers, and journalists looking to get the story straight. Our thanks to
the researchers at Symantec, ESET, Stairwell, and RedCanary among others who’ve
contributed samples, time, and expertise.
SENTINELONE CUSTOMERS PROTECTED
INDICATORS OF COMPROMISE
(Updated February 28th, 2022)
ms-compressed resources SHA1 RCDATA_DRV_X64
5ceebaf1cbb0c10b95f7edd458804a646c6f215e RCDATA_DRV_X86
0231721ef4e4519ec776ff7d1f25c937545ce9f4 RCDATA_DRV_XP_X64
9c2e465e8dfdfc1c0c472e0a34a7614d796294af RCDATA_DRV_XP_X86
ee764632adedf6bb4cf4075a20b4f6a79b8f94c0
HermeticWiper SHA1 Win32 EXE 0d8cc992f279ec45e8b8dfd05a700ff1f0437f29 Win32 EXE
61b25d11392172e587d8da3045812a66c3385451 Win32 EXE
912342f1c840a42f6b74132f8a7c4ffe7d40fb77 Win32 EXE
9518e4ae0862ae871cf9fb634b50b07c66a2c379 Win32 EXE
d9a3596af0463797df4ff25b7999184946e3bfa2
PartyTicket SHA-1 Win32 EXE f32d791ec9e6385a91b45942c230f52aff1626df
YARA RULES
(https://github.com/SentineLabs/Yara/blob/main/APT_RU_SunFlowerSeed.yar)
import "pe"
rule MAL_HERMETIC_WIPER {
meta:
desc = "Hermetic Wiper - broad hunting rule"
author = "Hegel @ SentinelLabs"
version = "1.0"
last_modified = "02.23.2022"
hash = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
reference = "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/"
strings:
$string1 = "DRV_XP_X64" wide ascii nocase
$string2 = "EPMNTDRV\\%u" wide ascii nocase
$string3 = "PhysicalDrive%u" wide ascii nocase
$cert1 = "Hermetica Digital Ltd" wide ascii nocase
condition:
uint16(0) == 0x5A4D and
all of them
}
rule MAL_PARTY_TICKET {
meta:
desc = "PartyTicket / HermeticRansom Golang Ransomware - associated with HermeticWiper campaign"
author = "Hegel @ SentinelLabs"
version = "1.0"
last_modified = "02.24.2022"
hash = "4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382"
reference = "https://twitter.com/juanandres_gs/status/1496930731351805953"
strings:
$string1 = "/403forBiden/" wide ascii nocase
$string2 = "/wHiteHousE/" wide ascii
$string3 = "vote_result." wide ascii
$string4 = "partyTicket." wide ascii
$buildid1 = "Go build ID: \"qb0H7AdWAYDzfMA1J80B/nJ9FF8fupJl4qnE4WvA5/PWkwEJfKUrRbYN59_Jba/2o0VIyvqINFbLsDsFyL2\"" wide ascii
$project1 = "C:/projects/403forBiden/wHiteHousE/" wide ascii
condition:
uint16(0) == 0x5A4D and
(2 of ($string*) or
any of ($buildid*) or
any of ($project*))
}
rule MAL_COMPROMISED_HERMETICA_CERT {
meta:
desc = "Hermetica Cert - broad hunting rule based on the certificate used in HermeticWiper and HermeticWizard"
author = "Hegel @ SentinelLabs"
version = "1.0"
last_modified = "03.01.2022"
hash = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
reference = "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/"
condition:
uint16(0) == 0x5a4d and
for any i in (0 .. pe.number_of_signatures) : (
pe.signatures[i].issuer contains "DigiCert EV Code Signing CA" and
pe.signatures[i].serial == "0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec"
)
}
rule MAL_ISSAC_WIPER {
meta:
desc = "Issac Wiper - broad hunting rule"
author = "Hegel @ SentinelLabs"
version = "1.0"
last_modified = "03.01.2022"
hash = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
reference = "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/"
strings:
$name1 = "Cleaner.dll" wide ascii
$name2 = "cl.exe" wide ascii nocase
$name3 = "cl64.dll" wide ascii nocase
$name4 = "cld.dll" wide ascii nocase
$name5 = "cll.dll" wide ascii nocase
$name6 = "Cleaner.exe" wide ascii
$export = "_Start@4" wide ascii
condition:
uint16(0) == 0x5A4D and
(any of ($name*) and $export)
}
rule MAL_HERMETIC_WIZARD {
meta:
desc = "HermeticWizard hunting rule"
author = "Hegel @ SentinelLabs"
version = "1.0"
last_modified = "03.01.2022"
reference = "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/"
strings:
$name1 = "Wizard.dll" wide ascii
$name2 = "romance.dll" wide ascii
$name3 = "exec_32.dll" wide ascii
$function1 = "DNSGetCacheDataTable" wide ascii
$function2 = "GetIpNetTable" wide ascii
$function3 = "WNetOpenEnumW" wide ascii
$function4 = "NetServerEnum" wide ascii
$function5 = "GetTcpTable" wide ascii
$function6 = "GetAdaptersAddresses" wide ascii
$function7 = "GetEnvironmentStrings" wide ascii
$ip_anchor1 = "192.168.255.255" wide ascii
condition:
uint16(0) == 0x5A4D and
(any of ($function*) and any of ($name*) and $ip_anchor1)
}
SENTINELONE STAR RULES
EventType = "Process Creation" AND TgtProcPublisher = "HERMETICA DIGITAL LTD" AND
( SrcProcSignedStatus = "signed" AND IndicatorPersistenceCount = "2" AND RegistryValue = "4" AND RegistryKeyPath = "MACHINE\SYSTEM\ControlSet001\Services\VSS\Start" ) AND SrcProcImagePath !~ "devsetup64.exe"
Ukraine
wiper
SHARE
JUAN ANDRÉS GUERRERO-SAADE
Juan Andrés is a Principal Threat Researcher at SentinelOne and an Adjunct
Professor of Strategic Studies at Johns Hopkins School of Advanced International
Studies (SAIS). Juan Andrés was Chronicle Security’s Research Tsar, founding
researcher of the Uppercase team. Prior to joining Chronicle, he was Principal
Security Researcher at Kaspersky’s GReAT team focusing on targeted attacks and
worked as Senior Cybersecurity and National Security Advisor to the Government
of Ecuador. His joint work on Moonlight Maze is now featured in the
International Spy Museum’s permanent exhibit in Washington, DC.
Prev
SANCTIONS BE DAMNED | FROM DRIDEX TO MACAW, THE EVOLUTION OF EVIL CORP
Next
ZEN AND THE ART OF SMM BUG HUNTING | FINDING, MITIGATING AND DETECTING UEFI
VULNERABILITIES
RELATED POSTS
HACKTIVISM AND STATE-SPONSORED KNOCK-OFFS | ATTRIBUTING DECEPTIVE HACK-AND-LEAK
OPERATIONS
January 27 2022
WADING THROUGH MUDDY WATERS | RECENT ACTIVITY OF AN IRANIAN STATE-SPONSORED
THREAT ACTOR
January 12 2022
EGOMANIAC | AN UNSCRUPULOUS TURKISH-NEXUS THREAT ACTOR
September 08 2021
SEARCH
Search ...
AMAZON POLLY
SIGN UP
Get notified when we post new content.
*
Subscribe
By clicking Subscribe, I agree to the use of my personal data in accordance with
SentinelOne Privacy Policy. SentinelOne will not sell, trade, lease, or rent
your personal data to third parties.
Thanks! Keep an eye out for new content!
RECENT POSTS
* Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise
April 21, 2022
* Inside the Black Box | How We Fuzzed Microsoft Defender for IoT and Found
Multiple Vulnerabilities
April 13, 2022
* AcidRain | A Modem Wiper Rains Down on Europe
March 31, 2022
LABS CATEGORIES
* Security Research
* Crimeware
* Security & Intelligence
* Adversary
* Advanced Persistent Threat
SENTINELLABS
In the era of interconnectivity, when markets, geographies, and jurisdictions
merge in the melting pot of the digital domain, the perils of the threat
ecosystem become unparalleled. Crimeware families achieve an unparalleled level
of technical sophistication, APT groups are competing in fully-fledged cyber
warfare, while once decentralized and scattered threat actors are forming
adamant alliances of operating as elite corporate espionage teams.
LATEST TWEET
* Join SentinelOne Tom Hegel today At 09:00 AM Pacific Time for a
#UkraineRussianWar Cyber Threat Briefing… https://t.co/inDlXCK9Zb47 days ago
* New on #SentinelLabs! We have disclosed 10.0 CVSS vulnerabilities on
Microsoft’s Azure Defender for IoT allowing u… https://t.co/cEnYqccXrV28 days
ago
* RT @VentureBeat: Five critical vulnerabilities in #Microsoft Azure Defender
for #IoT could result in "full network compromise," researchers…28 days ago
* Join us right now on a live Threat Intel Webinar starting at this moment on
#UkraineRussianWar by @TomHegel… https://t.co/qViZm4g0i046 days ago
* Join SentinelOne Tom Hegel today At 09:00 AM Pacific Time for a
#UkraineRussianWar Cyber Threat Briefing… https://t.co/inDlXCK9Zb47 days ago
* New on #SentinelLabs! We have disclosed 10.0 CVSS vulnerabilities on
Microsoft’s Azure Defender for IoT allowing u… https://t.co/cEnYqccXrV28 days
ago
RECENT POSTS
* Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise
April 21, 2022
* Inside the Black Box | How We Fuzzed Microsoft Defender for IoT and Found
Multiple Vulnerabilities
April 13, 2022
* AcidRain | A Modem Wiper Rains Down on Europe
March 31, 2022
SIGN UP
Get notified when we post new content.
*
Subscribe
By clicking Subscribe, I agree to the use of my personal data in accordance with
SentinelOne Privacy Policy. SentinelOne will not sell, trade, lease, or rent
your personal data to third parties.
Thanks! Keep an eye out for new content!
* Twitter
* LinkedIn
©2022 SentinelOne, All Rights Reserved.
PRIVACY PREFERENCE CENTER
When you visit any website, it may store or retrieve information on your
browser, mostly in the form of cookies. This information might be about you,
your preferences or your device and is mostly used to make the site work as you
expect it to. The information does not usually directly identify you, but it can
give you a more personalized web experience. Because we respect your right to
privacy, you can choose not to allow some types of cookies. Click on the
different category headings to find out more and change our default settings.
However, blocking some types of cookies may impact your experience of the site
and the services we are able to offer.
More information
Allow All
MANAGE CONSENT PREFERENCES
FUNCTIONAL COOKIES
Always Active
These cookies enable the website to provide enhanced functionality and
personalisation. They may be set by us or by third party providers whose
services we have added to our pages. If you do not allow these cookies then some
or all of these services may not function properly.
STRICTLY NECESSARY COOKIES
Always Active
These cookies are necessary for the website to function and cannot be switched
off in our systems. They are usually only set in response to actions made by you
which amount to a request for services, such as setting your privacy
preferences, logging in or filling in forms. You can set your browser to block
or alert you about these cookies, but some parts of the site will not then work.
These cookies do not store any personally identifiable information.
PERFORMANCE COOKIES
Always Active
These cookies allow us to count visits and traffic sources so we can measure and
improve the performance of our site. They help us to know which pages are the
most and least popular and see how visitors move around the site. All
information these cookies collect is aggregated and therefore anonymous. If you
do not allow these cookies we will not know when you have visited our site, and
will not be able to monitor its performance.
TARGETING COOKIES
Always Active
These cookies may be set through our site by our advertising partners. They may
be used by those companies to build a profile of your interests and show you
relevant adverts on other sites. They do not store directly personal
information, but are based on uniquely identifying your browser and internet
device. If you do not allow these cookies, you will experience less targeted
advertising.
Back Button Back
Vendor Search Search Icon
Filter Icon
Clear
checkbox label label
Apply Cancel
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label
Confirm My Choices
We'd like to show you notifications for the latest news and updates.
AllowCancel