HermeticWiper & resurgence of targeted attacks on Ukraine

Summary

Since Jan 2022, ThreatLabz has observed a resurgence in targeted attack activity against Ukraine. We identified two attack-chains in the timeframe - Jan to Feb 2022, which we attribute to the same threat actor with a moderate confidence level. It is important to note that we are not attributing the attacks to any nation-state backed threat actors at this point, since we don't have full visibility into the final payloads and the motives of the attack. The C2 infrastructure re-use points to Gamaredon APT threat actor, however more visibility is needed for proper attribution.

The first attack-chain was blogged by the CERT team of Ukraine on 1st Feb 2022 here . It involved spear phishing emails sent to the “State Administration of Seaports of Ukraine”. The samples corresponding to the next-stage document template and the VBScript payload were not available in public domain. We were able to identify the document template and VBScript payload, and we aim to share the technical analysis in this blog.

On 11th Feb 2022, we identified a sample uploaded to VirusTotal from Ukraine which resulted in our discovery of a previously undocumented attack-chain. We describe the technical details of this second attack-chain in the blog. By pivoting on the metadata of the files, we were able to discover 7 unique samples and the origins of campaign tracing back to Nov 2020.

On 23rd Feb 2022, there were reports of a new sophisticated wiper malware hitting several organizations in the Ukraine with an objective of destroying data and causing business disruption. Threatlabz team analyzed the malware payload involved and uncovered several new tactics used in these attacks. A ransomware decoy known as PartyTicket was also observed being deployed during these attacks.

In this blog, we will look at the technical details of these recent attacks targeting commercial and public entities in Ukraine.

 

1. HermeticWiper DoS Attack - Technical Analysis

• HermeticWiper is a sophisticated malware family that is designed to destroy data and render a system inoperable
• The wiper is multi-threaded to maximize speed and utilizes a kernel driver for low-level disk access
• These driver files appear to be part an outdated version of the EaseUS Partition Master application developed by CHENGDU YIWO Tech Development

The HermeticWiper malware sample with SHA256 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 was compiled at 2022-02-23 09:48:53 UTC and was digitally signed with a valid certificate that was issued to Hermetica Digital Ltd. as shown in Figure 1.

Figure 1: HermeticWiper’s digital signature

The malware supports two command-line arguments that control the maximum duration to spend destroying data before forcing the system to reboot. After parsing the command-line, HermeticWiper calls OpenProcessToken() with the access mask TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY. If the wiper does not have sufficient privileges, it will terminate without performing any malicious actions. Otherwise HermeticWiper will attempt to grant itself the privileges SeShutdownPrivilege and SeBackupPrivilege and install a Windows kernel driver. The driver is embedded in the malware’s resource section, which contains the names and SHA256 hashes shown in Table 1. These files are digitally signed drivers that are used to interact with disks.

 

Table 1. Driver files embedded in HermeticWiper

The specific driver that is extracted depends on whether the Windows operating system version is 32-bit or 64-bit and Windows XP or newer. The functions that are used to determine the Windows operating system version are VerSetConditionMask and VerifyVersionInfoW. These functions are rarely seen in comparison to the standard GetVersion functions to identify the Windows version.

After these resources are extracted from the binary, the Windows LZ extraction library functions are used to decompress them. The Windows command-line utility expand.exe can also be used to manually decompress the drivers as shown in Figure 2.

Figure 2: Manual decompression of the HermeticWiper drivers using the Windows expand utility

The certificate for these signed drivers is registered to CHENGDU YIWO Tech Development Co., Ltd., but expired on September 11, 2014 as shown in Figure 3.

Figure 3: Expired certificate used to sign the HermeticWiper drivers

These driver files appear to be part of the EaseUS Partition Master application developed by CHENGDU YIWO Tech Development. 

The driver file is written to the Windows drivers directory with a filename that includes two alphabetic characters that are pseudorandomly chosen using the current process ID concatenated with the string "dr" and appended with a .sys extension (e.g., lxdr.sys). Hermetic Wiper will then elevate its privileges to SeLoadDriverPrivilege and load the driver and start it as a service. The malware disables the vss (Volume Shadow Copy) service used for backing up and restoring data and sets the CrashDumpEnabled registry value to zero in the registry key HKLM\SYSTEM\CurrentControlSet\Control\CrashControl to disable crash dumps. This ensures that if the malware crashes, Windows will not produce a crash dump file that can be used to identify the cause. The registry values ShowCompColor and ShowInfoTip are also set to zero (i.e. disabled) under the registry key HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced to suppress pop-ups and other indicators of data destruction.

The driver registers itself as a device named EPMNTDRV to expose itself to the userland component of HermeticWiper. The malware enumerates physical disks 0-100 and destroys the Master Boot Record (MBR) on every physical disk by overwriting the first 512 bytes with random data. The malware then parses the file system to determine whether the partition is NTFS or FAT. If the file system is the former, it will overwrite the Master File Table (MFT) that stores information about every file on the system. Hermetic also targets files that are located in the directories:

• C:\System Volume Information
• C:\Windows\SYSVOL
• C:\Documents and Settings
• C:\Windows\System32\winevt\Logs

After the data destruction occurs, a forced reboot will occur. As a result, the boot loader will not be able to load the operating system as shown in Figure 4.

Figure 4. Result after HermeticWiper erases the Master Boot Record and forces a system reboot

 

 

2. Targeted Attacks

Timeframe - Nov 2021 onwards

During our analysis, we found a C2 infrastructure overlap between the two targeted attack chains seen below in Figure 4 and 5.

 

Figure 4: Targeted attack chain #1

 

Figure 5: Targeted attack chain #2

Technical analysis

Attack chain #1

The attack chain #1 infection starts with an email which has a malicious RAR archive attachment. The victim downloads and extracts the RAR archive contents which contains a malicious document file that is themed using the ongoing geo-political conflict between Russia and Ukraine.

[+] Stage 1: Document

The document on execution simply downloads a macro-based template from the specified remote location. Figure 6 below shows the template reference present inside one of the documents.

Figure 6: Relationship referring the macro-based remote template

 

[+] Stage 2: Macro template (714f8341bd1c4bc1fc38a5407c430a1a)

The macro code inside the template is obfuscated by adding a lot of junk code. This not only inflates the size of macro code but also hinders the code analysis. The main operation it performs is to drop and execute a VBScript.

The VBScript is Base64-encoded inside the VBA macro as shown in Figure X below.

Figure 7: Base64-encoded VBScript inside the VBA macro

[+] Stage 3: VBScript

As per OSINT, this stage-3 VBScript which is dropped by the stage-2 macro is called GammaLoad. The VBScript code is obfuscated similar to the macro code. On execution it performs the following operations:

1. Collects user and system information for exfiltration

2. Grabs the IP address associated with the configured C2 domain using WMI

WMI query format:

SELECT * FROM Win32_PingStatus WHERE Address={configured_c2_domain}

3. Sends a network request to download the next stage payload using the IP address obtained from step #2 and also exfiltrate the information collected from step #1 using the UserAgent field

UserAgent Format:

{hardcoded_useragent_string}::%USERPROFILE%_%SYSTEMDRIVE%.SerialNumber::\.{static_string}\.

4. Drops and executes the downloaded payload 

Note: At the time of analysis we didn’t get this next stage payload but based on past analysis the threat actor is known to drop some remote desktop application like UltraVNC

Attack Chain #2

We identified another attack-chain used by the same threat actor which is not documented anywhere in the public domain, to the best of our knowledge. Based on our research, this campaign has been active since as early as November 2020 and only 7 unique samples have been identified till date related to this campaign. The most recent instance was observed on 11th Feb 2022 and based on the filename, we believe that it was distributed on 8th Feb 2022 to the targeted victim(s).

This low-volume campaign involves RAR archive files distributed through spear phishing emails. These RAR archive files contain a malicious Windows shortcut file (LNK) which downloads the MSI payload from the attacker-controlled server and executes it on the endpoint using MSIEXEC. 

This results in the packaged NSIS binary to be dropped on the system and it starts the infection-chain.

Components of the NSIS binary will be unpacked in the directory: %temp%\<random_name>.tmp\ during the course of its execution.

All the extracted components are shown below.

 

Figure 8: components of the NSIS binary

It loads the DLL from the above directory.

MD5 hash of the DLL: 74ce360565fa23d9730fe0c5227c22e0

Filename of the DLL: ypagjgfyy.dll

The NSIS script which controls the execution of the NSIS installer can be used to analyze the activity. The relevant code sections from the script are included in the Appendix section.

The steps below summarize the activity:

1. Call the export function: "oqiuqqaxaicm" in the DLL file - ypagjgfyy.dll and pass it two parameters. The first one is the encrypted string and the second one is the decryption key.
2. The decrypted string is a URL: hxxp://kfctm[.]online/0102adqeczoL2.txt
3. Call the download_quiet function in nsisdl (downloader component of NSIS installer) to fetch the contents of the URL which was decrypted in step #2.
4. The response is saved in the file - $PLUGINSDIR\readme.txt
5. Call the export function: “cfyhayyyu” in the DLL file - ypagjgfyy.dll and pass it three parameters. The first parameter is the file created in step #4 and the other 2 parameters are used to decrypt the contents of the readme.txt file.
6. At this point, the code can take 2 paths based on whether the readme.txt file was successfully created or not in step #4. If step #4 was successful, then the decrypted contents of the readme.txt file will be used as a decryption key to decrypt other important strings and continue the malicious activities.

At the time of our analysis, since the URL in step #2 did not respond so the readme.txt file was not created. As a result, the code execution continued to call the export function: “euuxijbaha” in the DLL - ypagjgfyy.dll to decrypt the contents of the DAT file - gofygsg.dat packaged inside the NSIS installer. The resulting decrypted content is a DOCX file which is displayed to the victim with MS Office Word application.

 

Infrastructure overlap and re-use

During our analysis of the targeted attacks, we found that one of the C2 domain - "download.logins[.]online" which was used to host the MSI payload as part of attack-chain #2 was previously attributed to the Gamaredon APT threat actor by Anomali labs. At that time, it was used to host a macro-based template document which overlaps with the attack-chain #1, as we described in this blog.

 

Zscaler coverage

We have ensured coverage for the payloads seen in these attacks via advanced threat signatures as well as advanced cloud sandbox.

 

Advanced Threat Protection

Win32.Trojan.KillDisk

Win32.Trojan.HermeticWiper

 

Advanced Cloud Sandbox

Win32.Trojan.HermeticWiper

 

Advanced Cloud Sandbox Report

Figure 9 below shows the sandbox detection report for Wiper malware.

Figure 9: Zscaler Cloud Sandbox Report - HermeticWiper 

Figure 10 below shows the document template (from attack chain #1) detection in the Zscaler sandbox.

Figure 10: Zscaler Cloud Sandbox Report - Targeted Attack document template
 

Indicators of compromise

# Attack Chain 1

[+] Hashes

 

 

[+] C2 Domains

coagula[.]online

deer.dentist.coagula[.]online

declaration.deed.coagula[.]online

surname192.temp.swtest[.]ru

 

[+] Download URLs

 

 

[+] Associated IPs

94.158.244[.]27

 

# Attack Chain 2

[+] Hashes

 

 

[+] C2 domains

kfctm[.]online

my.cloud-file[.]online

my.mondeychamp[.]xyz

files-download.infousa[.]xyz

download.logins[.]online

 

[+] Download URLs

 

Appendix I

NSI script