HermeticWiper: What do we need to know about this new malware?

Zhanna Zakharova
3 min read · Mar 9, 2022

As geopolitical tensions between Russia and Ukraine escalate day by day, new malware is being aimed at Ukrainian infrastructure and government departments. The latest strain was first reported on 23 February by researchers at Symantec and ESET, who named it HermeticWiper; it belongs to the same class of destructive malware as WhisperGate and NotPetya. The earliest known sample, however, dates back to 2021. The escalating conflict between the two countries has spilled over into cyberwarfare, including this new variant of destructive malware that renders infected systems inoperable.

The malware carries a legitimate code-signing certificate issued in April 2021 to Hermetica Digital Ltd, which is where the name HermeticWiper, coined by SentinelOne principal threat researcher Juan Andrés Guerrero-Saade, comes from. The company does not even have a website, so it may have been set up solely to obtain that one certificate. A valid signature helps the malware get past checks that would stop unsigned software, giving it a foothold in parts of Windows that are out of reach for unsigned code.

HermeticWiper poses a serious threat not only to the targeted organizations but to other countries as well. Here is what it does to a machine it lands on. According to ESET researchers, once deployed on the target it abuses legitimate, signed drivers from the EaseUS Partition Master software to corrupt data on disk, with particular emphasis on the Master Boot Record (MBR). Damaging the MBR bricks the infected system: it can no longer boot. In some intrusions a ransom note was dropped alongside the wiper, but it should never be trusted. The note is a decoy; once the MBR and the partitions behind it have been overwritten, paying cannot bring the data back. Recovering from such an attack means reinstalling the operating system and restoring data from backups.

In SentinelOne's analysis, Guerrero-Saade describes how the malware enumerates every physical drive attached to the system, corrupts the MBR of each, then enumerates the partitions on every drive and corrupts those too using a "bit fiddler" routine. Wipers generally go after three things: files, system and data backups, and the boot process of the operating system. Of these, destroying files outright takes the longest. To save time, most wipers do not overwrite a disk completely; instead they write small amounts of data at intervals across the disk, which is enough to destroy the files and file-system structures that live there.
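The MBR the wiper targets is only 512 bytes, and its layout is simple enough that a responder can check a disk image for exactly the damage described above. The script below is an added example written for this article, not code from SentinelOne, ESET or the malware itself: it parses a classic MBR, reports structural damage (missing 0x55AA boot signature, zeroed boot code, empty or overlapping partition entries), and diffs a suspect sector against a known-good copy so you can see which regions were overwritten. The sample MBR is constructed in memory; the only real I/O is the optional disk image or sector file you pass on the command line.

```python
"""Boot-sector triage for a disk image (added example, not from any vendor report)."""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 440            # bytes 0-439: x86 boot code; 440-445: disk id + reserved
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TYPES = {0x00: "empty", 0x07: "NTFS/exFAT", 0x0C: "FAT32 LBA",
                   0x83: "Linux", 0xEE: "GPT protective"}
# Named byte ranges used by diff_mbr() to say *what* was overwritten.
REGIONS = (("boot code", 0, BOOT_CODE_SIZE), ("disk signature", 440, 446),
           ("partition entry 0", 446, 462), ("partition entry 1", 462, 478),
           ("partition entry 2", 478, 494), ("partition entry 3", 494, 510),
           ("boot signature", 510, 512))


def parse_mbr(sector: bytes) -> dict:
    """Decode the signature, disk id and the four partition entries of one sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"index": i, "status": status, "bootable": status == 0x80,
                           "type": ptype, "type_name": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
                           "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[SIGNATURE_OFFSET:] == BOOT_SIGNATURE,
            "disk_signature": struct.unpack_from("<I", sector, 440)[0],
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector: bytes) -> list:
    """Return human-readable findings; an empty list means the sector looks structurally intact."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector will not boot")
    if not any(sector[:BOOT_CODE_SIZE]):
        findings.append("boot code area is all zero")
    used = [p for p in info["partitions"] if p["type"] != 0x00]
    if not used:
        findings.append("partition table has no entries")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0x00 and (p["lba_start"] == 0 or p["sectors"] == 0):
            findings.append(f"partition {p['index']}: type {p['type_name']} but zero start/length")
        if p["type"] == 0x00 and (p["lba_start"] or p["sectors"]):
            findings.append(f"partition {p['index']}: empty type but non-zero geometry")
    used.sort(key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings


def diff_mbr(good: bytes, suspect: bytes) -> list:
    """Names of the MBR regions that differ between a known-good sector and a suspect one."""
    return [name for name, lo, hi in REGIONS if good[lo:hi] != suspect[lo:hi]]


def build_sample_mbr() -> bytes:
    """Constructed MBR for demonstration: dummy boot code, disk id, a bootable NTFS
    partition, a second NTFS partition right after it, two empty entries, signature."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_SIZE - 5)
    disk_id = struct.pack("<IH", 0x1234ABCD, 0)
    system = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    data = struct.pack("<B3sB3sII", 0x00, b"\xfe\xff\xff", 0x07, b"\xfe\xff\xff", 206848, 1048576)
    empty = bytes(PARTITION_ENTRY_SIZE)
    return boot_code + disk_id + system + data + empty + empty + BOOT_SIGNATURE


def main(argv):
    """Usage: mbr_check.py <disk-image-or-sector-file> [known-good-sector-file]"""
    if len(argv) < 2:   # no file given: show the checks on the constructed sample
        good = build_sample_mbr()
        damaged = good[:PARTITION_TABLE_OFFSET] + bytes(SECTOR_SIZE - PARTITION_TABLE_OFFSET)
        print("intact sample:", check_mbr(good) or "no structural damage")
        print("table+signature zeroed:", check_mbr(damaged))
        print("regions changed:", diff_mbr(good, damaged))
        return 0
    with open(argv[1], "rb") as f:
        suspect = f.read(SECTOR_SIZE)
    for finding in check_mbr(suspect) or ["no structural damage found"]:
        print(finding)
    if len(argv) > 2:
        with open(argv[2], "rb") as f:
            print("regions changed:", diff_mbr(f.read(SECTOR_SIZE), suspect))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the first 512 bytes of a forensic image (`dd if=image.dd bs=512 count=1`) and, if you keep golden copies of your hosts' boot sectors, pass one as the second argument to see which regions were hit. A GPT disk still has a protective MBR (type 0xEE) in sector 0, so the same check applies, but the GPT header and partition array behind it need their own verification.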

The wiper runs with high privileges on the compromised host, which lets it make the host unbootable by overwriting boot records and boot configuration, erasing device configuration, and deleting volume shadow copies (the local backups Windows keeps). Notably, it is configured NOT to wipe domain controllers. Leaving the domain running means the wiper can keep using valid credentials to authenticate to other servers and destroy those as well. This underlines the critical role identity plays in these attacks.
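The behaviours in that paragraph (shadow copies deleted, boot configuration tampered with, a validly signed third-party driver loaded for a purpose it was never meant for, and one set of valid credentials used against many servers while the domain stays up) are all visible in ordinary endpoint and security-log telemetry. The script below is an added detection example written for this article, not a rule set from SentinelOne, ESET or Microsoft. It runs three checks over constructed Sysmon-style (Event ID 1 process creation, Event ID 6 driver loaded) and Windows Security-style (Event ID 4624 logon) events embedded in the file; the host names, the account svc_backup, the driver file and signer "Example Partition Tools Ltd", and the signer allowlist are all made up for the example.

```python
"""Wiper-precursor detection over endpoint telemetry (added example, constructed events)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rule 1: commands that destroy shadow copies or cripple boot/recovery.
DESTRUCTIVE_COMMANDS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "shadow copies deleted (vssadmin)"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "shadow copies deleted (wmic)"),
    (re.compile(r"win32_shadowcopy.*(delete|remove)", re.I), "shadow copies deleted (WMI/PowerShell)"),
    (re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I), "Windows recovery disabled (bcdedit)"),
    (re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I),
     "boot failure prompts suppressed (bcdedit)"),
]

# Rule 2: hypothetical allowlist of driver signers expected in this fleet. A driver with a
# perfectly valid signature from a vendor you do not run is the "abuse a legitimate driver"
# pattern; the signature check alone will never flag it, only the inventory comparison will.
EXPECTED_DRIVER_SIGNERS = {"microsoft windows", "microsoft windows hardware compatibility publisher"}

# Constructed events (not real log data). Field names follow Sysmon / the Security log.
SAMPLE_EVENTS = [
    {"EventID": 4624, "UtcTime": "2022-02-23T16:40:02", "Computer": "FS01", "LogonType": 3, "TargetUserName": "svc_backup"},
    {"EventID": 4624, "UtcTime": "2022-02-23T16:40:31", "Computer": "FS02", "LogonType": 3, "TargetUserName": "svc_backup"},
    {"EventID": 4624, "UtcTime": "2022-02-23T16:41:10", "Computer": "WS-117", "LogonType": 3, "TargetUserName": "svc_backup"},
    {"EventID": 4624, "UtcTime": "2022-02-23T16:41:55", "Computer": "WS-118", "LogonType": 3, "TargetUserName": "svc_backup"},
    {"EventID": 4624, "UtcTime": "2022-02-23T09:03:00", "Computer": "FS01", "LogonType": 3, "TargetUserName": "alice"},
    {"EventID": 6, "UtcTime": "2022-02-23T16:42:20", "Computer": "FS01",
     "ImageLoaded": r"C:\Windows\System32\drivers\exampletool.sys",
     "Signature": "Example Partition Tools Ltd", "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2022-02-23T16:42:21", "Computer": "FS01",
     "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 1, "UtcTime": "2022-02-23T16:42:30", "Computer": "FS01",
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "UtcTime": "2022-02-23T16:42:31", "Computer": "FS01",
     "Image": r"C:\Windows\System32\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"EventID": 1, "UtcTime": "2022-02-23T10:15:00", "Computer": "WS-042",
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin list shadows"},  # benign
]


def detect_destructive_commands(events) -> list:
    """Process-creation events whose command line matches a backup/boot destruction pattern."""
    hits = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        cmd = e.get("CommandLine", "")
        for pattern, label in DESTRUCTIVE_COMMANDS:
            if pattern.search(cmd):
                hits.append({"host": e["Computer"], "time": e["UtcTime"], "rule": label, "cmd": cmd})
                break
    return hits


def detect_unexpected_drivers(events, allowed_signers=EXPECTED_DRIVER_SIGNERS) -> list:
    """Driver-load events that are unsigned/invalid or validly signed by a vendor not on the allowlist."""
    hits = []
    for e in events:
        if e.get("EventID") != 6:
            continue
        base = {"host": e["Computer"], "time": e["UtcTime"], "driver": e["ImageLoaded"]}
        if e.get("SignatureStatus", "").lower() != "valid":
            hits.append({**base, "rule": "driver with invalid or missing signature loaded"})
        elif e.get("Signature", "").lower() not in allowed_signers:
            hits.append({**base, "rule": f"validly signed but unexpected driver loaded ({e['Signature']})"})
    return hits


def detect_logon_fanout(events, threshold=3, window=timedelta(minutes=10)) -> list:
    """One account performing network logons (type 3) to >= threshold distinct hosts within the window."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4624 and e.get("LogonType") == 3:
            by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["UtcTime"]), e["Computer"]))
    hits = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):          # sliding window starting at each logon
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                hits.append({"user": user, "hosts": sorted(hosts),
                             "rule": f"network logons to {len(hosts)} hosts within {int(window.total_seconds() // 60)} min"})
                break
    return hits


def triage(events) -> dict:
    """Run all rules and list the hosts on which destructive activity was actually observed."""
    commands = detect_destructive_commands(events)
    drivers = detect_unexpected_drivers(events)
    return {"commands": commands, "drivers": drivers, "lateral": detect_logon_fanout(events),
            "affected_hosts": sorted({h["host"] for h in commands + drivers})}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The logon fan-out rule is the one that gives you warning time: the credentials are used to reach the file servers before the driver is dropped and the shadow copies go, and because the domain controllers are left intact their Security logs keep recording those logons throughout the attack. Tune the threshold and window to your environment; backup and scanning accounts will produce legitimate fan-out and belong on an exception list.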

So what is the way out? It is fine to update your profile picture on Instagram, but update your malware protection first. Having a backup buddy is nice, but a robust, offline backup of your data, with restores actually tested, is what lets you recover even after a major wiper attack. If you compare the features of a device before buying it, why not also check the security features your operating system offers? Your safety lies in your hands.
