A new data-wiping malware was discovered to have been deployed against an unnamed Ukrainian government network, just a few days after destructive cyberattacks were directed at multiple Ukrainian entities. This occurred before the Russian military invasion.
Slovak cybersecurity firm ESET dubbed the new malware “IsaacWiper,” which it said was detected on February 24 in an organization that was not affected by HermeticWiper (aka FoxBlade), another data wiping malware that targeted several organizations on February 23 as part of a sabotage operation aimed at rendering the machines unusable.
A further analysis of the HermeticWiper attack, which infected at most five Ukrainian organisations, has revealed a worm component that spreads the malware throughout the compromised network and a ransomware program that acts as a “distraction” from the wiper attacks, corroborating an earlier report by Symantec.
“These destructive attacks leveraged at least three components: HermeticWiper for wiping the data, HermeticWizard for spreading on the local network, and HermeticRansom acting as a decoy ransomware,” the company said.
In a separate analysis of the new Golang-based ransomware, Russian cybersecurity company Kaspersky, which codenamed the malware “Elections GoRansom,” characterized it as a last-minute operation, adding it was “likely used as a smokescreen for the HermeticWiper attack due to its non-sophisticated style and poor implementation.”
As an anti-forensic measure, HermeticWiper is also designed to hinder analysis by erasing itself from the disk by overwriting its own file with random bytes.
ESET said it did not find “any tangible connection” to attribute these attacks to a known threat actor, with the malware artifacts implying that the intrusions had been planned for several months, not to mention the fact that the targeted entities had been compromised well in advance of the wiper’s deployment.
“This is based on several facts: the HermeticWiper PE compilation timestamps, the oldest being December 28, 2021; the code-signing certificate issue date of April 13, 2021; and the deployment of HermeticWiper through the default domain policy in at least one instance, suggesting the attackers had prior access to one of that victim’s Active Directory servers,” said Jean-Ian Boutin, ESET head of threat research.
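The default-domain-policy deployment Boutin describes is something defenders can audit directly. The PowerShell below is an added example, not code from the article or from ESET; it assumes a domain-joined host with read access to SYSVOL and uses a placeholder domain name. It lists and hashes every script and scheduled-task definition stored under the Default Domain Policy GPO, which applies to every computer in the domain, and prints the commands those definitions invoke, so an unexpected executable or a recently modified entry there stands out.

```powershell
# Added example (not from the article or ESET): audit the Default Domain Policy
# GPO's SYSVOL folder for startup scripts and scheduled-task preferences, the
# deployment path the article says was used for HermeticWiper in at least one case.
# Assumptions: run on a domain-joined host with read access to SYSVOL;
# $Domain is a placeholder for your domain's DNS name.
param(
    [string]$Domain = 'corp.example'   # placeholder, replace with your domain
)

# Well-known GUID of the Default Domain Policy GPO (same in every AD forest).
$DefaultDomainPolicyGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
$PolicyRoot = "\\$Domain\SYSVOL\$Domain\Policies\$DefaultDomainPolicyGuid"

# Locations where a GPO can hand a binary or a command line to every machine in scope.
$WatchPaths = @(
    'Machine\Scripts\Startup',
    'Machine\Scripts\Shutdown',
    'Machine\Scripts\scripts.ini',
    'Machine\Scripts\psscripts.ini',
    'Machine\Preferences\ScheduledTasks\ScheduledTasks.xml',
    'Machine\Preferences\Files\Files.xml',
    'User\Scripts\Logon',
    'User\Scripts\Logoff'
)

# 1) Inventory: every file in those locations with size, UTC timestamp and SHA-256,
#    so it can be compared against a known-good baseline or submitted for analysis.
foreach ($rel in $WatchPaths) {
    $full = Join-Path $PolicyRoot $rel
    if (-not (Test-Path $full)) { continue }
    Get-ChildItem -Path $full -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            SizeBytes     = $_.Length
            LastWriteUtc  = $_.LastWriteTimeUtc
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# 2) Show what the script and task definitions actually invoke. scripts.ini /
#    psscripts.ini use "NCmdLine=" and "NParameters="; Group Policy Preference
#    tasks use appName/args attributes or <Command>/<Arguments> elements.
Get-ChildItem -Path $PolicyRoot -Recurse -Include 'scripts.ini','psscripts.ini','ScheduledTasks.xml' -ErrorAction SilentlyContinue |
    Select-String -Pattern 'CmdLine|Parameters|appName|args=|<Command>|<Arguments>' |
    Select-Object Path, LineNumber, Line
```

Run it from an administrative workstation and diff the output against a baseline taken during a known-clean period; the Default Domain Policy normally carries no startup scripts or scheduled tasks at all, so any entry, and in particular a binary dropped into SYSVOL with a recent write time, is worth examining before it runs on every domain-joined machine.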
Also unknown are the initial access vectors used to deploy both wipers, although it’s suspected that the attackers leveraged tools like Impacket and RemCom, a remote access software, for lateral movement and malware distribution.
Furthermore, IsaacWiper shares no code-level overlaps with HermeticWiper and is significantly less sophisticated, although it first sets out to enumerate all physical and logical drives before proceeding with its file-wiping operations.
“On February 25, 2022, attackers dropped a new version of IsaacWiper with debug logs,” the researchers said. “This may indicate that the attackers were unable to wipe some of the targeted machines and added log messages to understand what was happening.”