Threat Signal Report

New Wiper Malware Discovered Targeting Ukrainian Interests

Description

UPDATE March 1: Added new detections for publicly available IsaacWiper and HermeticWiper samples from the ESET blog.

UPDATE February 27: Updated for EDR coverage.

UPDATE February 25: Added reference and protection for ransomware that was used in the attack.


FortiGuard Labs is aware of new wiper malware observed in the wild attacking Ukrainian interests. The wiper was found today by security researchers at ESET. Various estimates from both outfits reveal that the wiper has been installed on several hundred machines within Ukraine.

Cursory analysis reveals that the wiper malware is signed with a valid certificate belonging to an entity called "Hermetica Digital" based in Cyprus. This is a breaking news event; more information will be added as relevant updates become available.

It has been reported that ransomware was deployed at the same time as the wiper in some cases.

For further background on Ukrainian wiper attacks, please see our Threat Signal from January. Also refer to our most recent blog, which covers the recent escalation in Ukraine along with advice about patch management and why it is important, especially in today's political climate.


Is this the Work of Nobelium/APT29?

At this time, there is not enough information to correlate this to Nobelium/APT29 or nation state activity.


Are there Other Samples Observed Using the Same Certificate?

No. Cursory analysis at this time indicates that the Hermetica Digital certificate used by this malware sample is the only one we are aware of.


Was the Certificate Stolen?

Unknown at this time. As this is a breaking news event, information is sparse.


Why is the Malware Signed?

Threat actors often sign malware as a means to evade AV and other security software. A valid signature allows threat actors to evade and effectively bypass detection controls that trust signed code, which results in a higher success rate for the attack.
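
As an added example (not part of this report or FortiGuard tooling), the following PowerShell hunt lists Windows binaries whose Authenticode signer subject matches a pattern, defaulting to the "Hermetica Digital" name mentioned above; the scanned paths and the pattern are assumptions to adjust per environment. The Status column makes the point of this section visible: a signature can be Valid and the file still be malicious.

```powershell
# Added example: hunt for PE files signed by a known-abused certificate subject.
# Assumptions: the paths below and the default pattern (taken from the report).
param(
    [string[]]$Paths = @("$env:SystemRoot\System32", "$env:ProgramData"),
    [string]$SignerPattern = 'Hermetica Digital'
)

$findings = foreach ($path in $Paths) {
    Get-ChildItem -Path $path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if ($null -eq $cert) { return }   # unsigned file: not in scope for this hunt

        # Status 'Valid' only proves the chain is trusted; it says nothing about
        # whether the signer is benign, which is exactly why signed malware evades AV.
        if ($cert.Subject -match $SignerPattern) {
            [pscustomobject]@{
                File       = $_.FullName
                Status     = $sig.Status          # Valid / HashMismatch / NotTrusted / ...
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Sha256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No files signed by a subject matching '$SignerPattern' found under: $($Paths -join ', ')"
}
```

Run it from an elevated session so system directories are readable; matches should be cross-checked against the report's detections and quarantined by the endpoint product rather than by this script.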


What is the Status of Coverage?

FortiGuard Labs has the following AV coverage in place for publicly available wiper samples:

W32/KillDisk.NCV!tr

FortiGuard Labs has the following AV coverage in place for the ransomware used in the attack:

W32/Filecoder.BK!tr
Trojan.Win32.KILLDISK.YACBX
W64/Filecoder.E278!tr.ransom
W32/KillDisk.NCV!tr


FortiEDR detects and blocks behavior associated with this wiper activity. For more information, see the Appendix section for a link to "Technical Tip: How FortiEDR protects against HermeticWiper".


Definitions

Traffic Light Protocol

Each color is described by when it should be used and how the information may be shared.

TLP: RED
When should it be used? Not for disclosure, restricted to participants only. Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.
How may it be shared? Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER
When should it be used? Limited disclosure, restricted to participants' organizations. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN
When should it be used? Limited disclosure, restricted to the community. Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
How may it be shared? Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE
When should it be used? Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.