Introduction to the HermeticWiper malware
Attached is a security advisory regarding new findings on the HermeticWiper malware used, which is currently being used increasingly in attacks against Ukrainian companies and institutions.
This is malicious code that was previously unknown in this form and may not yet be recognized across the board by common virus protection solutions. Since the targets of these attacks cannot be reliably isolated and the situation can change dramatically within a very short time, we strongly recommend protecting yourself against attacks with the malware in question.
General information
- Malware known names: HermeticWiper, DriveSlayer, Kill-Disk.NCV, NEARMISS,
- The malware is signed with a valid certificate:
- Certificate Serial Number: 0C 48 73 28 73 AC 8C CE BA F8 F0 E1 E8 32 9C EC
- SHA256: 1ae7556dfacd47d9efbe79be974661a5a6d6d923
- The malware is approx. 114 KB in size
- In order to gain extended rights, the malware uses a known Windows driver C:\Windows\System32\empntdrv.sys”.
- The original epmntdrv.sys file belongs to the EaseUS Partition Master software from EaseUS
- The registry subkeys SYSTEM\CurrentControlSet\Control\CrashControl CrashDumpEnabled is set to the value 0
- Result: Crash dumps are disabled
- An indication that the malware is already running
- A sudden increase in is possible the utilization of the RAM, e.g. by the svchost.exe process
Recommendation for action
Preventive measures are particularly important because
- the malware only needs a small window of time to cause significant damage to a system
- the malware is not yet recognized by all security systems (e.g. EPP, IDS/IPS).
Updates: The installation of existing security updates for operating systems and software is generally recommended in order to keep the attack surface for an initial compromise, which can subsequently be used to spread the malware, as small as possible.
We recommend providing antivirus solutions, endpoint protection systems, and other protection systems that can detect signature-based threats with the attached IoCs and detection rules.
Hash values of the malware
The following hash values of the malware are known:
61b25d11392172e587d8da3045812a66c3385451
| HermeticWiper | SHA1 |
| Win32 EXE | 912342f1c840a42f6b74132f8a7c4ffe7d40fb77 |
| Win32 EXE | 61b25d11392172e587d8da3045812a66c3385451 |
The hash values of the deployed drivers (ms-compressed) are shown in the following listing. Since the EaseUS drivers are legitimate, they might generate false positives. However, they can still serve to provide an indication of a possible compromise.
| ms-compressed | SHA1 |
| RCDATA_DRV_X64 | a952e288a1ead66490b3275a807f52e5 |
| RCDATA_DRV_X86 | 231b3385ac17e41c5bb1b1fcb59599c4 |
| RCDATA_DRV_XP_X64 | 095a1678021b034903c85dd5acb447ad |
| RCDATA_DRV_XP_X86 | eb845b7a16ed82bd248e395d9852f467 |
YARA-Rule
Yara rules can only detect, they do not prevent execution. However, detection makes it possible to react quickly.
The following Yara rule is used to search for what has already been deployed
NEARMISS on their own systems:
Windows Defender
Windows Defender is already able to detect the malware if it has current signatures. Detections of the malware used are recognized by Windows Defender under the following names.
DoS:Win32/ FoxBlade.A!dha
DoS:Win32/ FoxBlade.A!dha
TrojanDownloader:Win32/ PandoraBlade.A!dha
Trojan:Win64/ PandoraBlade.B!dha