The campaign has several components leveraged by threat actors, all unrelated to each other as of now. These are mostly wipers and spreading trojans, with no attribution to a known threat actor yet. Researchers have listed the IOCs and MITRE ATT&CK techniques of all of them to help defenders identify and defend against them.
Wiper Malware Against Ukraine Orgs
Security agencies and experts have long been warning that cyberattacks against Ukraine may grow in the coming days, as the nation is at war with Russia. And it is happening, as we see in a new campaign observed in the wild by ESET researchers.
— ESET research (@ESETresearch), February 23, 2022

This is said to be a destructive attack against computers in Ukraine, which leverages the following components:
HermeticWiper: a wiper that corrupts data and ultimately makes the system inoperable. This wiper malware is said to be capable of wiping itself off the victim system after it has done its job, so as to prevent post-incident analysis by forensic investigators.

HermeticWizard: a malware spreader that currently spreads HermeticWiper across a victim's local network through WMI and SMB.

HermeticRansom: a component written in Go, described as a ransomware note that simply sits on victim systems.
Though they share a common name, these three components are not related to each other as of now. Researchers said they have not found any link or matching code strings between them. The initial access vectors are also not yet known, even though HermeticWiper and HermeticRansom show a few clues of having been deployed through Group Policy.

Besides these, there is yet another component, known as IsaacWiper, that was discovered on February 25th on some Ukrainian systems. Though its initial vector is unclear, it is said to use tools like Impacket for lateral movement. Moreover, a remote access tool, RemCom, is said to be deployed alongside IsaacWiper. While the systems where IsaacWiper was observed were not affected by HermeticWiper, HermeticWiper was spotted on hundreds of systems in at least five Ukrainian organizations.

Researchers are still investigating these components for more details, as they have not found reliable links to any known threat actor so far. But they said the attackers started this operation well in advance, as clues such as the timestamps of the certificates used by these components show they were registered last year.