ESET researchers have detailed a new cyberattack campaign targeting Ukrainian organizations amidst the ongoing war with Russia.
The campaign has several components leveraged by the threat actors, none of which are related to each other as of now. These are mostly wipers and spreading trojans, with no attribution to any known threat actor yet. The researchers have listed the IOCs and MITRE ATT&CK techniques for all of them to aid identification and defense.
Wiper Malware Against Ukraine Orgs
Security agencies and experts have long been warning that cyberattacks against Ukraine may grow in the coming days, as the nation is at war with Russia. And it's happening, as we see in a new campaign spotted in the wild by ESET researchers.
Breaking. #ESETResearch discovered a new data wiper malware used in Ukraine today. ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today 1/n
— ESET research (@ESETresearch) February 23, 2022
This is said to be a destructive attack against computers in Ukraine, which leverages the following components:
- HermeticWiper: a wiper that corrupts data and ultimately makes the system inoperable. This wiper malware is said to be capable of wiping itself off the victim system once its job is done, so as to prevent post-incident analysis by forensic investigators.
- HermeticWizard: a malware spreader that currently spreads HermeticWiper across a victim's local network through WMI and SMB.
- HermeticRansom: written in Go, this is a ransomware note that just sits on victim systems.
Though they share a common name, these three components aren't related to each other as of now. Researchers said they haven't found any link or matching code strings between them.
Also, the initial access vectors aren't known yet, although for HermeticWiper and HermeticRansom there are a few clues that they got in through Group Policy.
Besides these, there's yet another component, known as IsaacWiper, that was discovered on February 25th in some Ukrainian systems. Though its initial access vector is unclear, it's said to use tools like Impacket for lateral movement.
Moreover, IsaacWiper is said to come along with RemCom, a remote access tool. While the systems where IsaacWiper was observed weren't affected by HermeticWiper, HermeticWiper was spotted on hundreds of systems in at least five Ukrainian organizations.
Researchers are still investigating these components for more details, as they haven't found reliable links to any known threat actor as of now. But they said the attackers started this operation well in advance, as clues such as the timestamps of certificates used by these components show they were registered last year.