Security Alert HermeticWiper & CaddyWiper: Stormshield’s product response

HermeticWiper & CaddyWiper: which protections with Stormshield solutions ?

Ukraine is currently in the middle of a real cyber war. After several rounds of DDoS attacks on government websites and banks, Ukrainian government bodies (as a whole) are now in the line of fire of malicious attacks. And after DDoS, these cyberattacks include a devastating malware: HermeticWiper. The Stormshield Customer Security Lab team provides an update on a critical vulnerability in a complicated geopolitical situation.

UPDATE: this security alert has been update with CaddyWiper new malware analyse at the bottom of this paper.

 

Context of the attack

On February 23, Eset's research teams announced that they had discovered a new data erasure malware in a Twitter post. Dubbed HermeticWiper (a variant of KillDisk.NCV, now renamed Win32/HermeticWiper.a), it is reportedly currently used against various Ukrainian government bodies, such as the Ministry of Foreign Affairs, ministers' offices, and the Parliament (the Rada). The question of the official attribution of the attack is still under debate, although the current geopolitical situation and the presence of an APT group linked to the country seem to point to Russia.

This malware, visibly distributed by GPO and thus aiming at compromising the victim's computer system, hijacks a legitimate disk partitioning driver to corrupt system partitions, resulting in the loss of data on a machine (server or workstation). The objective of the attack is clear and unique: the destruction of data.

 

Technical details of the attack

To date two variants of this malware are known:

  • 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
  • 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da

 

An in-depth analysis of the malware shows us that this wiper is signed by the company "Hermetica Digital Ltd" through the root authority Digicert. The certificate was revoked in the afternoon of 24 February 2022.

Figure 1: the certificate signing the malware is valid although revoked

The malware has not been reworked post-compilation to make it difficult to analyze. In this sense, it is not compacted (packaged) and the strings appear in clear text.

Another interesting element in this analysis is that an old version was compiled (according to the program's metadata) on December 28, 2021. A sign that the action is premeditated for a long time:

Figure 2: dates of creation of the binary according to the metadata it contains

In terms of operation, when the malware starts its execution, it draws from its embedded resources section to extract one of the following four drivers:

Figure 3: the four drivers embedded in the malware

These drivers correspond to Windows 7/8/10/11 and XP systems and are available in both 32-bit and 64-bit. It can be seen from the SZDD signature that they are compressed using the LZSS algorithm (an old compression format historically used by Microsoft since Windows 3.x, by utilities such as COMPRESS.EXE). This explains the dependency of the malware on LZ32.DLL.

Figure 4: decoding a driver

File extraction is then simple:

Driver SHA-256
XP 32 bits 2C7732DA3DCFC82F60F063F2EC9FA09F9D38D5CFBE80C850DED44DE43BDB666D
XP 64 bits 23EF301DDBA39BB00F0819D2061C9C14D17DC30F780A945920A51BC3BA0198A4
Vista+ 32 bits 8C614CF476F871274AA06153224E8F7354BF5E23E6853358591BF35A381FB75B
Vista+ 64 bits 96B77284744F8761C4F2558388E0AEE2140618B484FF53FA8B222B340D2A9C84

Figure 5: SHA-256 fingerprint of extracted drivers

 

These drivers are those found in the partition management software "EaseUS Partitionning" at least in version 9.2.1. They are signed and legitimate but the certificate is expired and the timestamp is not conform:

Figure 6: drivers signatures

The right driver to load is selected in order to correspond to the operating system of the host machine. Then, the malware opens a communication channel to the driver \\.\EPMNTDRV\ and the disk writing is done through this way. This driver is ideal, both for bypassing user-land security solutions and also for overwriting disk areas corresponding to volumes mounted and used by Windows.

During the analysis of the malware, it was found that the malware does not alter the MBR (thus retains the partition table). On the other hand, it alters the first sectors of FAT/FAT32/NTFS partitions of each disk. The consequence is that the system does not boot anymore due to partition corruption.

Figure 7: corrupted system not restarting

Here, the message displayed comes from the error handling of the MBR which remained intact:

Figure 8: MBR still intact and able to display a message in case of a boot partition location error

An examination of the first sectors of the partitions reveals the corruption:

Figure 9: on the left, the healthy FAT32 partition, and on the right, the corrupted FAT32 partition

Figure 10: on the left, the healthy NTFS partition, and on the right, the corrupted NTFS partition

During the analysis, we found that the first two sectors were overwritten for FAT32 partitions, while many more sectors are overwritten for NTFS partitions. NTFS specificity: the malware targets particular files so that data recovery becomes very difficult.

Figure 11: special NTFS files searched by the malware

Targeted systems

This malware attacks Windows XP, Vista, Seven, 10 and 11 systems, both 32-bit and 64-bit, regardless of the system language.

Other information

Numeric signatures

Both for the malware and for the drivers, the fingerprinting algorithm used is SHA-1. As a reminder, this 160-bit algorithm has been deprecated for several years now. However, due to compatibility with older software, it is still tolerated in some cases.

Administrator rights

This malware absolutely requires administrator rights in order to drop the driver and load it. This is not a problem since in the observed attack vector, the deployment of the malware was done through GPOs (thus with sufficiently high rights).

Execution timing

The malware performs its malicious actions very soon after starting up. Thus, as soon as its CPU activity drops to 0%, the system is already corrupted. Normal Windows life will inevitably lead to a problem in the next few seconds or minutes. Note that the malware does not terminate after corrupting a system, its process remains active but does nothing. Maybe it is waiting for connected removable disks to corrupt them in turn.

Reboot

The malware does not require an immediate reboot of the machine after partition corruption. On the other hand, the operating system may panic after the live corruption of the file system that makes it live. There are many immediate reasons for the panic, but what is certain is that when the Windows kernel panics, the result is a BSOD with a potential forced reboot depending on the settings.

Figure 12: a (French) Windows kernel corrupted by disk wiping

Disabling crash dumps

The malware reconfigures the system to not generate a crashdump after BSOD. It does this by writing the value 0 to this registry location:

Figure 13: reference to the kernel crash-dump disable register parameter

Divers

  • The VSS service is searched and stopped by the malware.
  • Some file display settings in the file explorer are altered: ShowCompColor (used to identify compressed files via blue color) and ShowInfoTip (used to display info bubbles)

Figure 14: reference to File Explorer Registry Settings

 

Means of protection provided by Stormshield

Stormshield Network Security

Breach Fighter, a SaaS sandboxing solution that complements SNS, detects all Hermetic Wiper malware.

When a file passes through the stream, SNS will perform a hash of the file and check its safety with Breach Fighter (in case of an unknown file, it will be sent to our cloud detonation environment). As a result, it will be blocked immediately.

For this detection to be effective, you need to:

  • have the Premium Security Pack license and the Breach Fighter option;
  • activate sandboxing on all file transport streams (SMTP, HTTP, FTP).

Confidence index of the protection offered by Stormshield

Confidence index of no false positives

Stormshield Endpoint Security

SES v7.2

The eraser malware requests the "SeLoadDriverPrivilege" to start the maliciously used EaseUS driver. This behavior is detected and blocked by the SES (v7.2) solution with the elevation of privilege protection set to "High" or "Superior". Without this driver, the malware is no longer able to erase data on the computer.

Confidence index of the protection offered by Stormshield

Confidence index of no false positives

SES Evolution

A specific rule set has been made available to users free of charge to counter this malware.

Specifically, the processes whose signature refers to the certificate stolen from "Hermetica Digital LTD" are blocked. And even if a variant uses another certificate (or no certificate at all), the creation of "driver" files is controlled and authorized only to Microsoft programs.

Please note that this configuration strictly restricts the deposit of drivers for non-Microsoft programs, which can lead to many false positives if the administrator is not careful. This rule is disabled in the provided ruleset. Here is the log of the blocking rule:

Figure 15: rule block illustration

Confidence index of the protection offered by Stormshield

Confidence index of no false positives

 


Addendum: new strain CaddyWiper malware analyse

On March 14, Eset's research teams announced in a Twitter post that they had observed a new data erasure malware targeting Ukrainian infrastructures. This new strain, named CaddyWiper, is identified for the moment on 4 files and has the same objective as its predecessor: to make totally inoperable the workstations starting the strain.

Even if the ultimate goal is the same, the technique to achieve it is completely different: the CaddyWiper strain no longer uses the signed driver of the EaseUS tool nor the Hermetika ltd certificate. In order to purge the computer, the malware first overwrites the data in all user directories on all disks. In case these files are owned by another user, it tries to appropriate them via the SeTakeOwnershipPrivilege. Then it accesses the physical disks via "\\.\PHYSICALDRIVEX" and erases the MBR/GPT type information and alters the partition tables of each disk to make them inoperative. The next time the computer is restarted or after a BSOD, the computer will not boot anymore.

Out of these four files, only one is signed by an invalid Chinese certificate because it has expired:

Figure 16: expire certificate signature of the malware

Stormshield product response is efficient immediately.

Stormshield Network Security

Breach Fighter, a SaaS sandboxing solution that complements the SNS firewall, detects all CaddyWiper malware.

Figure 17: CaddyWiper breachfighter analyse result

Stormshield Endpoint Security

Whether it is the 7.2 version or the Evolution version, both products block the first action of malware, in fact the malware directly triggers the "HPP" or "Execution Flow Hijack" protection of the products.

Figure 18: SES Evolution block log of CaddyWiper

 

IOCs

Sha256:

  • a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea
  • b66b179eac03afafdc69f62c207819eceecfbf994c9efa464fda0d2ba44fe2d7
  • ea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72
  • 1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176

Breach Fighter Portal:

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]
Do you have a more technical question on the subject? Need clarification on Stormshield protections? The Technical Support teams are at your disposal to provide you with the best possible support. Contact them through the incident manager located in the private MyStormshield area. To access it, select the "Technical support / Report an incident / Track an incident" menu.

About the author

Cyril Cléaud
Cybersecurity Engineer, Stormshield

As a curious child, Cyril tried to understand how to use the Motorola 68000 microprocessor directly in machine code. Later, passionate about computer security and "machine-like" developments, he still loves technical challenges. Especially when it comes to manipulating a disassembler or dealing with the latest cyber threats. After a 12-year career in a large French company, he now devotes himself to his favourite activities at Stormshield to propose answers to these threats.