ProSec GmbH

HermeticWiper Malware

Introduction to the HermeticWiper malware

Attached is a security advisory with new findings on the HermeticWiper malware, which is currently being used increasingly in attacks against Ukrainian companies and institutions.

This is malicious code that was previously unknown in this form and may not yet be recognized across the board by common virus protection solutions. Since the targets of these attacks cannot be reliably narrowed down and the situation can change dramatically within a very short time, we strongly recommend protecting yourself against attacks with this malware.

General information

  • Known names of the malware: HermeticWiper, DriveSlayer, Kill-Disk.NCV, NEARMISS
  • The malware is signed with a valid certificate:
    • Certificate Serial Number: 0C 48 73 28 73 AC 8C CE BA F8 F0 E1 E8 32 9C EC
    • SHA256: 1ae7556dfacd47d9efbe79be974661a5a6d6d923
  • The malware is approx. 114 KB in size
  • In order to gain extended rights, the malware uses a known Windows driver, C:\Windows\System32\epmntdrv.sys.
  • The original epmntdrv.sys file belongs to the EaseUS Partition Master software from EaseUS
  • The registry value CrashDumpEnabled under the subkey SYSTEM\CurrentControlSet\Control\CrashControl is set to 0
    • Result: crash dumps are disabled
    • This is an indication that the malware is already running
  • A sudden increase in RAM utilization is possible, e.g. by the svchost.exe process

Recommendation for action

Preventive measures are particularly important because

  1. the malware only needs a small window of time to cause significant damage to a system
  2. the malware is not yet recognized by all security systems (e.g. EPP, IDS/IPS).

Updates: Installing the available security updates for operating systems and software is generally recommended in order to keep the attack surface for an initial compromise, which can subsequently be used to spread the malware, as small as possible.

We recommend loading the attached IoCs and detection rules into antivirus solutions, endpoint protection systems, and other protection systems that detect threats based on signatures.

Hash values of the malware

The following hash values of the malware are known:

  HermeticWiper          SHA1
  Win32 EXE              912342f1c840a42f6b74132f8a7c4ffe7d40fb77
  Win32 EXE              61b25d11392172e587d8da3045812a66c3385451

The hash values of the deployed drivers (ms-compressed) are shown in the following listing. Since the EaseUS drivers are legitimate, they might generate false positives. However, they can still serve to provide an indication of a possible compromise.

  ms-compressed          SHA1
  RCDATA_DRV_X64         a952e288a1ead66490b3275a807f52e5
  RCDATA_DRV_X86         231b3385ac17e41c5bb1b1fcb59599c4
  RCDATA_DRV_XP_X64      095a1678021b034903c85dd5acb447ad
  RCDATA_DRV_XP_X86      eb845b7a16ed82bd248e395d9852f467

YARA-Rule

YARA rules can only detect; they do not prevent execution. However, detection makes it possible to react quickly.

The following YARA rule can be used to search your own systems for HermeticWiper (NEARMISS) that has already been deployed:

  rule MAL_HERMETIC_WIPER {
      meta:
          desc = "HermeticWiper - broad hunting rule"
          author = "Friends @ SentinelLabs"
          version = "1.0"
          last_modified = "02.23.2022"
          hash = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
      strings:
          $string1 = "DRV_XP_X64" wide ascii nocase
          $string2 = "EPMNTDRV\\%u" wide ascii nocase
          $string3 = "PhysicalDrive%u" wide ascii nocase
          $cert1 = "Hermetica Digital Ltd" wide ascii nocase
      condition:
          uint16(0) == 0x5A4D and all of them
  }
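To show what the rule above actually matches, the following Python is an added example (not part of this advisory and not SentinelLabs' code): it re-implements the rule's condition without the yara library, so the meaning of "wide ascii nocase" and the MZ-header check becomes explicit, and it compares a buffer's SHA1 with the sample hashes listed in this advisory. The two sample buffers are constructed for the demonstration and are not real malware.

```python
import hashlib

# Strings from the MAL_HERMETIC_WIPER rule; YARA's 'wide ascii nocase' means
# each one is matched case-insensitively both as ASCII and as UTF-16LE.
RULE_STRINGS = [
    b"DRV_XP_X64",
    b"EPMNTDRV\\%u",
    b"PhysicalDrive%u",
    b"Hermetica Digital Ltd",
]

# SHA1 values of the HermeticWiper samples listed in this advisory.
KNOWN_SHA1 = {
    "912342f1c840a42f6b74132f8a7c4ffe7d40fb77",
    "61b25d11392172e587d8da3045812a66c3385451",
}

def _string_present(data: bytes, needle: bytes) -> bool:
    """Emulate YARA 'wide ascii nocase' for one string (needle is ASCII)."""
    lower = data.lower()                      # bytes.lower() only touches ASCII letters
    ascii_form = needle.lower()
    wide_form = ascii_form.decode("ascii").encode("utf-16-le")
    return ascii_form in lower or wide_form in lower

def matches_hermetic_wiper_rule(data: bytes) -> bool:
    """Rule condition: uint16(0) == 0x5A4D ('MZ', little-endian) and all strings present."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return False
    return all(_string_present(data, s) for s in RULE_STRINGS)

def sha1_is_known(data: bytes) -> bool:
    """Exact-hash IoC check against the advisory's SHA1 list."""
    return hashlib.sha1(data).hexdigest() in KNOWN_SHA1

def scan(data: bytes) -> dict:
    """Combine the broad hunting rule with the exact hash match."""
    return {"yara": matches_hermetic_wiper_rule(data), "hash": sha1_is_known(data)}

# Constructed buffers (not real samples): an MZ header followed by the rule's
# strings, one of them stored as UTF-16LE the way a PE resource name would be.
SAMPLE_HIT = (b"MZ" + b"\x00" * 62 + b"drv_xp_x64\x00" + b"EPMNTDRV\\%u\x00"
              + "PhysicalDrive%u".encode("utf-16-le") + b"Hermetica Digital Ltd")
SAMPLE_MISS = b"MZ" + b"\x00" * 62 + b"EPMNTDRV\\%u PhysicalDrive%u"  # only two strings

if __name__ == "__main__":
    for name, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(name, scan(buf))
```

A hit on the broad rule without a hash match is the expected result for a new build of the same family, which is why the advisory pairs hash IoCs with the hunting rule.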

Windows Defender

Windows Defender is already able to detect the malware if it has current signatures. Windows Defender reports the malware under the following detection names:

  • DoS:Win32/FoxBlade.A!dha
  • TrojanDownloader:Win32/PandoraBlade.A!dha
  • Trojan:Win64/PandoraBlade.B!dha

Last updated on March 11, 2022

All rights reserved. © 2022 ProSec GmbH