win.hermeticwiper

HermeticWiper

aka: DriveSlayer, FoxBlade, KillDisk.NCV, NEARMISS

According to SentinelLabs, HermeticWiper is a custom-written application with very few standard functions. It abuses a signed driver, "empntdrv.sys", that belongs to the legitimate EaseUS Partition Master software to enumerate the MBR and all partitions of every physical drive connected to the victim's Windows device, and overwrites the first 512 bytes of every MBR and partition it finds, rendering them useless.
This malware is associated with the malware attacks against Ukraine during Russia's invasion in February 2022.

References
2023-04-18 | Mandiant | Mandiant
@online{mandiant:20230418:mtrends:af1a28e, author = {Mandiant}, title = {{M-Trends 2023}}, date = {2023-04-18}, organization = {Mandiant}, url = {https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023}, language = {English}, urldate = {2023-04-18} } M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-03-15 | Microsoft | Microsoft Threat Intelligence
@techreport{intelligence:20230315:year:01e29b1, author = {Microsoft Threat Intelligence}, title = {{A year of Russian hybrid warfare in Ukraine}}, date = {2023-03-15}, institution = {Microsoft}, url = {https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf}, language = {English}, urldate = {2023-04-25} } A year of Russian hybrid warfare in Ukraine
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket SwiftSlicer WhisperGate
2023-02-24 | Twitter (@Sebdraven) | Sébastien Larinier
@online{larinier:20230224:ioctl:6389112, author = {Sébastien Larinier}, title = {{Tweet on IOCTL manipulation in TDL4 and HermeticWiper}}, date = {2023-02-24}, organization = {Twitter (@Sebdraven)}, url = {https://twitter.com/Sebdraven/status/1496878431719473155}, language = {English}, urldate = {2023-05-25} } Tweet on IOCTL manipulation in TDL4 and HermeticWiper
Alureon HermeticWiper
2023-02-15 | Google | Google Threat Analysis Group, Mandiant
@techreport{group:20230215:fog:0d99aaa, author = {Google Threat Analysis Group and Mandiant}, title = {{Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape}}, date = {2023-02-15}, institution = {Google}, url = {https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf}, language = {English}, urldate = {2023-03-13} } Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
CaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge MUSTANG PANDA Turla
2022-12-03 | Microsoft | Cliff Watts
@online{watts:20221203:preparing:139621a, author = {Cliff Watts}, title = {{Preparing for a Russian cyber offensive against Ukraine this winter}}, date = {2022-12-03}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/}, language = {English}, urldate = {2022-12-05} } Preparing for a Russian cyber offensive against Ukraine this winter
CaddyWiper HermeticWiper Prestige
2022-10-24 | Youtube (Virus Bulletin) | Alexander Adamov
@online{adamov:20221024:russian:97d3e2a, author = {Alexander Adamov}, title = {{Russian wipers in the cyberwar against Ukraine}}, date = {2022-10-24}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=mrTdSdMMgnk}, language = {English}, urldate = {2023-03-20} } Russian wipers in the cyberwar against Ukraine
AcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard INDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate
2022-09-26 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
@online{iacob:20220926:anatomy:248e6ff, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 3: Input/Output Controls}}, date = {2022-09-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/}, language = {English}, urldate = {2022-09-29} } The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-08-18 | Trustwave | Pawel Knapczyk
@online{knapczyk:20220818:overview:a12950c, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war}, language = {English}, urldate = {2022-08-22} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-18 | Trustwave | Pawel Knapczyk
@online{knapczyk:20220818:overview:bf3eca2, author = {Pawel Knapczyk}, title = {{Overview of the Cyber Weapons Used in the Ukraine - Russia War}}, date = {2022-08-18}, organization = {Trustwave}, url = {https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/}, language = {English}, urldate = {2022-08-28} } Overview of the Cyber Weapons Used in the Ukraine - Russia War
AcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper INDUSTROYER2 InvisiMole IsaacWiper PartyTicket
2022-08-12 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
@online{iacob:20220812:anatomy:b13ce32, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}}, date = {2022-08-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/}, language = {English}, urldate = {2023-01-19} } The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-06-06 | Trellix | Trelix
@online{trelix:20220606:growling:14f9f75, author = {Trelix}, title = {{Growling Bears Make Thunderous Noise}}, date = {2022-06-06}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html}, language = {English}, urldate = {2022-06-08} } Growling Bears Make Thunderous Noise
Cobalt Strike HermeticWiper WhisperGate
2022-06-02 | Eclypsium | Eclypsium
@online{eclypsium:20220602:conti:abb9754, author = {Eclypsium}, title = {{Conti Targets Critical Firmware}}, date = {2022-06-02}, organization = {Eclypsium}, url = {https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/}, language = {English}, urldate = {2022-06-04} } Conti Targets Critical Firmware
Conti HermeticWiper TrickBot WhisperGate
2022-05-19 | Mandiant | Alden Wahlstrom, Alice Revelli, Sam Riddell, David Mainor, Ryan Serabian
@online{wahlstrom:20220519:io:eacf6cd, author = {Alden Wahlstrom and Alice Revelli and Sam Riddell and David Mainor and Ryan Serabian}, title = {{The IO Offensive: Information Operations Surrounding the Russian Invasion of Ukraine}}, date = {2022-05-19}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/information-operations-surrounding-ukraine}, language = {English}, urldate = {2022-05-25} } The IO Offensive: Information Operations Surrounding the Russian Invasion of Ukraine
HermeticWiper PartyTicket
2022-05-02 | AT&T | Fernando Martinez
@online{martinez:20220502:analysis:e5d626b, author = {Fernando Martinez}, title = {{Analysis on recent wiper attacks: examples and how wiper malware works}}, date = {2022-05-02}, organization = {AT&T}, url = {https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-attacks-examples-and-how-they-wiper-malware-works}, language = {English}, urldate = {2022-05-04} } Analysis on recent wiper attacks: examples and how wiper malware works
AcidRain CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper
2022-04-28 | Fortinet | Gergely Revay
@online{revay:20220428:overview:0ac963f, author = {Gergely Revay}, title = {{An Overview of the Increasing Wiper Malware Threat}}, date = {2022-04-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat}, language = {English}, urldate = {2022-04-29} } An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2022-04-27 | Microsoft | Microsoft Digital Security Unit (DSU)
@online{dsu:20220427:special:f1a2031, author = {Microsoft Digital Security Unit (DSU)}, title = {{Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine}}, date = {2022-04-27}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd}, language = {English}, urldate = {2022-05-03} } Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine
CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate
2022-04-07 | InQuest | Will MacArthur, Nick Chalard
@online{macarthur:20220407:ukraine:99bef5a, author = {Will MacArthur and Nick Chalard}, title = {{Ukraine CyberWar Overview}}, date = {2022-04-07}, organization = {InQuest}, url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview}, language = {English}, urldate = {2022-04-29} } Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-03-25 | GOV.UA | State Service of Special Communication and Information Protection of Ukraine (CIP)
@online{cip:20220325:who:e75f0ac, author = {State Service of Special Communication and Information Protection of Ukraine (CIP)}, title = {{Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22}}, date = {2022-03-25}, organization = {GOV.UA}, url = {https://cip.gov.ua/en/news/khto-stoyit-za-kiberatakami-na-ukrayinsku-kritichnu-informaciinu-infrastrukturu-statistika-15-22-bereznya}, language = {English}, urldate = {2022-08-05} } Who is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22
Xloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper IsaacWiper MicroBackdoor Pandora RAT
2022-03-24 | NextGov | Brandi Vincent
@online{vincent:20220324:ukrainian:74b1566, author = {Brandi Vincent}, title = {{Ukrainian Cyber Lead Says ‘At Least 4 Types of Malware’ in Use to Target Critical Infrastructure and Humanitarian Aid}}, date = {2022-03-24}, organization = {NextGov}, url = {https://www.nextgov.com/cybersecurity/2022/03/ukrainian-cyber-lead-least-4-types-malware-are-targeting-ukrainian-institutions/363558/}, language = {English}, urldate = {2022-03-25} } Ukrainian Cyber Lead Says ‘At Least 4 Types of Malware’ in Use to Target Critical Infrastructure and Humanitarian Aid
CaddyWiper DoubleZero HermeticWiper IsaacWiper
2022-03-21 | eSentire | eSentire
@online{esentire:20220321:esentire:d07192a, author = {eSentire}, title = {{eSentire Threat Intelligence Malware Analysis: HermeticWiper & PartyTicket}}, date = {2022-03-21}, organization = {eSentire}, url = {https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-hermeticwiper-partyticket}, language = {English}, urldate = {2022-03-25} } eSentire Threat Intelligence Malware Analysis: HermeticWiper & PartyTicket
HermeticWiper PartyTicket
2022-03-17 | Blackberry | BlackBerry Research & Intelligence Team
@online{team:20220317:threat:115c4c5, author = {BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: HermeticWiper Targets Defense Sectors in Ukraine}}, date = {2022-03-17}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/03/threat-thursday-hermeticwiper}, language = {English}, urldate = {2022-03-18} } Threat Thursday: HermeticWiper Targets Defense Sectors in Ukraine
HermeticWiper
2022-03-14 | Kaspersky | GReAT
@online{great:20220314:webinar:f6bfb3c, author = {GReAT}, title = {{Webinar on cyberattacks in Ukraine – summary and Q&A}}, date = {2022-03-14}, organization = {Kaspersky}, url = {https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/}, language = {English}, urldate = {2022-04-05} } Webinar on cyberattacks in Ukraine – summary and Q&A
HermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate
2022-03-11 | Bitdefender | Radu Crahmaliuc
@online{crahmaliuc:20220311:five:9ba5aa0, author = {Radu Crahmaliuc}, title = {{Five Things You Need to Know About the Cyberwar in Ukraine}}, date = {2022-03-11}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/}, language = {English}, urldate = {2022-03-31} } Five Things You Need to Know About the Cyberwar in Ukraine
HermeticWiper WhisperGate
2022-03-11 | Security Boulevard | Teri Robinson
@online{robinson:20220311:isaacwiper:1c63641, author = {Teri Robinson}, title = {{IsaacWiper Followed HermeticWiper Attack on Ukraine Orgs}}, date = {2022-03-11}, organization = {Security Boulevard}, url = {https://securityboulevard.com/2022/03/isaacwiper-followed-hermeticwiper-attack-on-ukraine-orgs/}, language = {English}, urldate = {2022-03-14} } IsaacWiper Followed HermeticWiper Attack on Ukraine Orgs
HermeticWiper IsaacWiper
2022-03-10 | splunk | Splunk Threat Research Team
@online{team:20220310:detecting:d1cb280, author = {Splunk Threat Research Team}, title = {{Detecting HermeticWiper}}, date = {2022-03-10}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html}, language = {English}, urldate = {2022-03-22} } Detecting HermeticWiper
HermeticWiper PartyTicket
2022-03-10 | BrightTALK (Kaspersky GReAT) | Costin Raiu, Marco Preuss, Kurt Baumgartner, Dan Demeter, Ivan Kwiatkowski
@online{raiu:20220310:brighttalk:a3d9072, author = {Costin Raiu and Marco Preuss and Kurt Baumgartner and Dan Demeter and Ivan Kwiatkowski}, title = {{BrightTALK: A look at current cyberattacks in Ukraine}}, date = {2022-03-10}, organization = {BrightTALK (Kaspersky GReAT)}, url = {https://www.brighttalk.com/webcast/15591/534324}, language = {English}, urldate = {2022-04-05} } BrightTALK: A look at current cyberattacks in Ukraine
HermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate
2022-03-10 | Brandefense | Brandefense
@online{brandefense:20220310:hermeticwiper:c5162c1, author = {Brandefense}, title = {{HermeticWiper - Technical Analysis Report}}, date = {2022-03-10}, organization = {Brandefense}, url = {https://brandefense.io/hermeticwiper-technical-analysis-report/}, language = {English}, urldate = {2022-05-03} } HermeticWiper - Technical Analysis Report
HermeticWiper
2022-03-04 | Mandiant | James Sadowski, Ryan Hall
@online{sadowski:20220304:responses:0b94dae, author = {James Sadowski and Ryan Hall}, title = {{Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation}}, date = {2022-03-04}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation}, language = {English}, urldate = {2022-03-07} } Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation
HermeticWiper PartyTicket WhisperGate
2022-03-04 | Github (eln0ty) | Abdallah Elnoty
@online{elnoty:20220304:hermeticwiperfoxblade:55a9f09, author = {Abdallah Elnoty}, title = {{HermeticWiper/FoxBlade Analysis (in-depth)}}, date = {2022-03-04}, organization = {Github (eln0ty)}, url = {https://eln0ty.github.io/malware%20analysis/HermeticWiper/}, language = {English}, urldate = {2022-03-04} } HermeticWiper/FoxBlade Analysis (in-depth)
HermeticWiper
2022-03-04 | Malwarebytes | Malwarebytes Threat Intelligence
@online{intelligence:20220304:hermeticwiper:ba69b2a, author = {Malwarebytes Threat Intelligence}, title = {{HermeticWiper: A detailed analysis of the destructive malware that targeted Ukraine}}, date = {2022-03-04}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/}, language = {English}, urldate = {2022-03-04} } HermeticWiper: A detailed analysis of the destructive malware that targeted Ukraine
HermeticWiper
2022-03-04 | vmware | Giovanni Vigna, Oleg Boyarchuk, Stefano Ortolani, Threat Analysis Unit
@online{vigna:20220304:hermetic:78d4550, author = {Giovanni Vigna and Oleg Boyarchuk and Stefano Ortolani and Threat Analysis Unit}, title = {{Hermetic Malware: Multi-component Threat Targeting Ukraine Organizations}}, date = {2022-03-04}, organization = {vmware}, url = {https://blogs.vmware.com/networkvirtualization/2022/03/hermetic-malware-multi-component-threat-targeting-ukraine-organizations.html/}, language = {English}, urldate = {2022-03-22} } Hermetic Malware: Multi-component Threat Targeting Ukraine Organizations
HermeticWiper
2022-03-03 | Cloudsek | Anandeshwar Unnikrishnan, Deepanjli Paulraj
@online{unnikrishnan:20220303:technical:db998ee, author = {Anandeshwar Unnikrishnan and Deepanjli Paulraj}, title = {{Technical Analysis of The Hermetic Wiper Malware Used to Target Ukraine}}, date = {2022-03-03}, organization = {Cloudsek}, url = {https://cloudsek.com/technical-analysis-of-the-hermetic-wiper-malware-used-to-target-ukraine/}, language = {English}, urldate = {2022-03-14} } Technical Analysis of The Hermetic Wiper Malware Used to Target Ukraine
HermeticWiper
2022-03-03 | Trend Micro | Trend Micro Research
@techreport{research:20220303:ioc:216aad3, author = {Trend Micro Research}, title = {{IOC Resource for Russia-Ukraine Conflict-Related Cyberattacks}}, date = {2022-03-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf}, language = {English}, urldate = {2022-03-04} } IOC Resource for Russia-Ukraine Conflict-Related Cyberattacks
ClipBanker Conti HermeticWiper PartyTicket WhisperGate
2022-03-03 | YouTube (MBSD) | MBSD
@online{mbsd:20220303:infection:9d66ae5, author = {MBSD}, title = {{Infection and explanation of "Hermetic Wiper", a destructive malware targeting Ukraine}}, date = {2022-03-03}, organization = {YouTube (MBSD)}, url = {https://www.youtube.com/watch?v=sUlW45c9izU}, language = {Japanese}, urldate = {2022-03-07} } Infection and explanation of "Hermetic Wiper", a destructive malware targeting Ukraine
HermeticWiper
2022-03-03 | LIFARS | LIFARS
@online{lifars:20220303:closer:f29cc25, author = {LIFARS}, title = {{A Closer Look at the Russian Actors Targeting Organizations in Ukraine}}, date = {2022-03-03}, organization = {LIFARS}, url = {https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/}, language = {English}, urldate = {2022-03-04} } A Closer Look at the Russian Actors Targeting Organizations in Ukraine
HermeticWiper IsaacWiper Saint Bot WhisperGate
2022-03-02 | Trellix | Max Kersten
@online{kersten:20220302:digging:42a2aaf, author = {Max Kersten}, title = {{Digging into HermeticWiper}}, date = {2022-03-02}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/digging-into-hermeticwiper.html}, language = {English}, urldate = {2022-03-04} } Digging into HermeticWiper
HermeticWiper
2022-03-02 | Recorded Future | Insikt Group
@techreport{group:20220302:hermeticwiper:66c202b, author = {Insikt Group}, title = {{HermeticWiper and PartyTicket Targeting Computers in Ukraine}}, date = {2022-03-02}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/mtp-2022-0302.pdf}, language = {English}, urldate = {2022-03-04} } HermeticWiper and PartyTicket Targeting Computers in Ukraine
HermeticWiper PartyTicket
2022-03-01 | Threat Post | Lisa Vaas
@online{vaas:20220301:ukraine:d77fd77, author = {Lisa Vaas}, title = {{Ukraine Hit with Novel ‘FoxBlade’ Trojan Hours Before Invasion}}, date = {2022-03-01}, organization = {Threat Post}, url = {https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/}, language = {English}, urldate = {2022-03-07} } Ukraine Hit with Novel ‘FoxBlade’ Trojan Hours Before Invasion
HermeticWiper
2022-03-01 | ESET Research | ESET Research
@online{research:20220301:isaacwiper:a2ff019, author = {ESET Research}, title = {{IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine}}, date = {2022-03-01}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/}, language = {English}, urldate = {2022-03-02} } IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine
HermeticWiper IsaacWiper PartyTicket
2022-03-01 | Marco Ramilli's Blog | Marco Ramilli
@online{ramilli:20220301:diskkillhermeticwiper:e543742, author = {Marco Ramilli}, title = {{DiskKill/HermeticWiper and NotPetya (Dis)similarities}}, date = {2022-03-01}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/}, language = {English}, urldate = {2022-03-02} } DiskKill/HermeticWiper and NotPetya (Dis)similarities
EternalPetya HermeticWiper
2022-03-01 | DeepInstinct | Ido Kringel
@online{kringel:20220301:what:0acaa94, author = {Ido Kringel}, title = {{What is HermeticWiper – An Analysis of the Malware and Larger Threat Landscape in the Russian Ukrainian War}}, date = {2022-03-01}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/blog/hermeticwiper-malware-the-russian-ukrainian-cyber-war}, language = {English}, urldate = {2022-03-07} } What is HermeticWiper – An Analysis of the Malware and Larger Threat Landscape in the Russian Ukrainian War
HermeticWiper
2022-03-01 | Kaspersky Labs | Kaspersky
@online{kaspersky:20220301:ransomware:159de87, author = {Kaspersky}, title = {{Ransomware as a distraction}}, date = {2022-03-01}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/}, language = {English}, urldate = {2022-03-08} } Ransomware as a distraction
HermeticWiper PartyTicket
2022-03-01 | Elastic | Daniel Stepanic, Mark Mager, Cyril François, Andrew Pease, Samir Bousseaden, Github (@ayfaouzi), Github (@1337-42), Github (@jtnk)
@online{stepanic:20220301:elastic:85313fa, author = {Daniel Stepanic and Mark Mager and Cyril François and Andrew Pease and Samir Bousseaden and Github (@ayfaouzi) and Github (@1337-42) and Github (@jtnk)}, title = {{Elastic protects against data wiper malware targeting Ukraine: HERMETICWIPER}}, date = {2022-03-01}, organization = {Elastic}, url = {https://elastic.github.io/security-research/intelligence/2022/03/01.hermeticwiper-targets-ukraine/article/}, language = {English}, urldate = {2022-03-07} } Elastic protects against data wiper malware targeting Ukraine: HERMETICWIPER
HermeticWiper
2022-03-01 | Qualys | Mayuresh Dani
@online{dani:20220301:ukrainian:c196036, author = {Mayuresh Dani}, title = {{Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware}}, date = {2022-03-01}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware}, language = {English}, urldate = {2022-03-04} } Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware
HermeticWiper
2022-02-28 | Trellix | Taylor Mullins
@online{mullins:20220228:trellix:5428964, author = {Taylor Mullins}, title = {{Trellix Global Defenders: Cyberattacks Targeting Ukraine and HermeticWiper Protections}}, date = {2022-02-28}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/defenders-blog-on-cyberattacks-targeting-ukraine.html}, language = {English}, urldate = {2022-03-07} } Trellix Global Defenders: Cyberattacks Targeting Ukraine and HermeticWiper Protections
HermeticWiper
2022-02-28 | Microsoft | MSRC Team
@online{team:20220228:cyber:8ef46fd, author = {MSRC Team}, title = {{Cyber threat activity in Ukraine: analysis and resources}}, date = {2022-02-28}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine}, language = {English}, urldate = {2022-03-07} } Cyber threat activity in Ukraine: analysis and resources
HermeticWiper IsaacWiper PartyTicket WhisperGate
2022-02-28 | Microsoft Sentinel 101 | mzorich
@online{mzorich:20220228:detecting:7fd9162, author = {mzorich}, title = {{Detecting malware kill chains with Defender and Microsoft Sentinel}}, date = {2022-02-28}, organization = {Microsoft Sentinel 101}, url = {https://learnsentinel.blog/2022/02/28/detecting-malware-kill-chains-with-defender-and-microsoft-sentinel/}, language = {English}, urldate = {2022-03-02} } Detecting malware kill chains with Defender and Microsoft Sentinel
HermeticWiper
2022-02-28 | Microsoft | MSRC Team
@online{team:20220228:cyber:69efe8b, author = {MSRC Team}, title = {{Cyber threat activity in Ukraine: analysis and resources}}, date = {2022-02-28}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/}, language = {English}, urldate = {2022-07-25} } Cyber threat activity in Ukraine: analysis and resources
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate DEV-0586
2022-02-28 | ZDNet | Jonathan Greig
@online{greig:20220228:microsoft:0e59d45, author = {Jonathan Greig}, title = {{Microsoft finds FoxBlade malware on Ukrainian systems, removes RT from Windows app store}}, date = {2022-02-28}, organization = {ZDNet}, url = {https://www.zdnet.com/article/microsoft-finds-foxblade-malware-on-ukrainian-systems-removing-rt-from-windows-app-store/}, language = {English}, urldate = {2022-03-07} } Microsoft finds FoxBlade malware on Ukrainian systems, removes RT from Windows app store
HermeticWiper
2022-02-26 | CISA | CISA, FBI
@techreport{cisa:20220226:destructive:be5862b, author = {CISA and FBI}, title = {{Destructive Malware Targeting Organizations in Ukraine}}, date = {2022-02-26}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf}, language = {English}, urldate = {2022-03-01} } Destructive Malware Targeting Organizations in Ukraine
HermeticWiper WhisperGate
2022-02-26 | CISA
@online{cisa:20220226:alert:48440b6, author = {CISA}, title = {{Alert (AA22-057A) Destructive Malware Targeting Organizations in Ukraine}}, date = {2022-02-26}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-057a}, language = {English}, urldate = {2022-03-01} } Alert (AA22-057A) Destructive Malware Targeting Organizations in Ukraine
HermeticWiper WhisperGate
2022-02-26 | Yoroi | Luigi Martire, Carmelo Ragusa, Luca Mella
@online{martire:20220226:diskkillhermeticwiper:b3582b9, author = {Luigi Martire and Carmelo Ragusa and Luca Mella}, title = {{DiskKill/HermeticWiper, a disruptive cyber-weapon targeting Ukraine’s critical infrastructures}}, date = {2022-02-26}, organization = {Yoroi}, url = {https://yoroi.company/research/diskkill-hermeticwiper-a-disruptive-cyber-weapon-targeting-ukraines-critical-infrastructures/}, language = {English}, urldate = {2022-03-10} } DiskKill/HermeticWiper, a disruptive cyber-weapon targeting Ukraine’s critical infrastructures
HermeticWiper
2022-02-25 | SOCRadar | SOCRadar
@online{socradar:20220225:what:4bcc0aa, author = {SOCRadar}, title = {{What You Need to Know About Russian Cyber Escalation in Ukraine}}, date = {2022-02-25}, organization = {SOCRadar}, url = {https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/}, language = {English}, urldate = {2022-03-01} } What You Need to Know About Russian Cyber Escalation in Ukraine
Mirai HermeticWiper
2022-02-25 | CyberPeace Institute
@online{institute:20220225:ukraine:eb66e34, author = {CyberPeace Institute}, title = {{UKRAINE: Timeline of Cyberattacks}}, date = {2022-02-25}, url = {https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks}, language = {English}, urldate = {2022-03-01} } UKRAINE: Timeline of Cyberattacks
VPNFilter EternalPetya HermeticWiper WhisperGate
2022-02-25 | EnglertOne | Thomas Englert
@online{englert:20220225:reverse:fb0652a, author = {Thomas Englert}, title = {{Reverse Engineering | Hermetic Wiper}}, date = {2022-02-25}, organization = {EnglertOne}, url = {https://www.englert.one/hermetic-wiper-reverse-code-engineering}, language = {English}, urldate = {2022-03-01} } Reverse Engineering | Hermetic Wiper
HermeticWiper
2022-02-25 | The Hacker News | Ravie Lakshmanan
@online{lakshmanan:20220225:putin:09a1fea, author = {Ravie Lakshmanan}, title = {{Putin Warns Russian Critical Infrastructure to Brace for Potential Cyber Attacks}}, date = {2022-02-25}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/putin-warns-russian-critical.html}, language = {English}, urldate = {2022-03-01} } Putin Warns Russian Critical Infrastructure to Brace for Potential Cyber Attacks
HermeticWiper WhisperGate
2022-02-25 | Twitter (@fr0gger) | Thomas Roccia
@online{roccia:20220225:tweets:68e5727, author = {Thomas Roccia}, title = {{Tweets with an overview of HermeticWiper}}, date = {2022-02-25}, organization = {Twitter (@fr0gger)}, url = {https://twitter.com/fr0gger_/status/1497121876870832128}, language = {English}, urldate = {2022-03-01} } Tweets with an overview of HermeticWiper
HermeticWiper
2022-02-25 | Secureworks | Counter Threat Unit Research Team
@online{researchteam:20220225:disruptive:d6c7b5d, author = {Counter Threat Unit ResearchTeam}, title = {{Disruptive HermeticWiper Attacks Targeting Ukrainian Organizations}}, date = {2022-02-25}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/disruptive-hermeticwiper-attacks-targeting-ukrainian-organizations}, language = {English}, urldate = {2022-03-01} } Disruptive HermeticWiper Attacks Targeting Ukrainian Organizations
HermeticWiper
2022-02-25 | Deutsche Gesellschaft für Cybersicherheit | Deutsche Gesellschaft für Cybersicherheit (DGC)
@online{dgc:20220225:breaking:a96fdac, author = {Deutsche Gesellschaft für Cybersicherheit (DGC)}, title = {{Breaking news! Warning about “HermeticWiper Malware” by Russian APT Groups}}, date = {2022-02-25}, organization = {Deutsche Gesellschaft für Cybersicherheit}, url = {https://dgc.org/en/hermeticwiper-malware/}, language = {English}, urldate = {2022-03-01} } Breaking news! Warning about “HermeticWiper Malware” by Russian APT Groups
HermeticWiper
2022-02-25 | CrowdStrike | William Thomas, Adrian Liviu Arsene, Farid Hendi
@online{thomas:20220225:crowdstrike:6af36f9, author = {william thomas and Adrian Liviu Arsene and Farid Hendi}, title = {{CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks}}, date = {2022-02-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/}, language = {English}, urldate = {2022-03-02} } CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks
HermeticWiper
2022-02-24 | Cluster25
@online{cluster25:20220224:ukraine:3000c86, author = {Cluster25}, title = {{Ukraine: Analysis Of The New Disk-Wiping Malware (HermeticWiper)}}, date = {2022-02-24}, url = {https://cluster25.io/2022/02/24/ukraine-analysis-of-the-new-disk-wiping-malware/}, language = {English}, urldate = {2022-03-01} } Ukraine: Analysis Of The New Disk-Wiping Malware (HermeticWiper)
HermeticWiper
2022-02-24 | t3n | Elisabeth Urban
@online{urban:20220224:cyberattacken:a0806ad, author = {Elisabeth Urban}, title = {{Cyber-Attacken auf die Ukraine: Wiper-Malware befällt „Hunderte Computer“}}, date = {2022-02-24}, organization = {t3n}, url = {https://t3n.de/news/cyber-attacken-ukraine-wiper-malware-1454318/}, language = {German}, urldate = {2022-03-01} } Cyber-Attacken auf die Ukraine: Wiper-Malware befällt „Hunderte Computer“
HermeticWiper
2022-02-24 | nviso | Michel Coene
@online{coene:20220224:threat:f0dba09, author = {Michel Coene}, title = {{Threat Update – Ukraine & Russia conflict}}, date = {2022-02-24}, organization = {nviso}, url = {https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/}, language = {English}, urldate = {2022-03-01} } Threat Update – Ukraine & Russia conflict
EternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate
2022-02-24 | ESET Research | welivesecurity
@online{welivesecurity:20220224:hermeticwiper:33daddb, author = {welivesecurity}, title = {{HermeticWiper: New data‑wiping malware hits Ukraine}}, date = {2022-02-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/}, language = {English}, urldate = {2022-03-02} } HermeticWiper: New data‑wiping malware hits Ukraine
HermeticWiper
2022-02-24 | Symantec | Symantec Threat Hunter Team
@online{team:20220224:ukraine:da94adc, author = {Symantec Threat Hunter Team}, title = {{Ukraine: Disk-wiping Attacks Precede Russian Invasion}}, date = {2022-02-24}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia}, language = {English}, urldate = {2022-03-01} } Ukraine: Disk-wiping Attacks Precede Russian Invasion
HermeticWiper
2022-02-24 | IBM | Anne Jobmann, Claire Zaboeva, Richard Emerson, Christopher Del Fierro, John Dwyer
@online{jobmann:20220224:ibm:deaac04, author = {Anne Jobmann and Claire Zaboeva and Richard Emerson and Christopher Del Fierro and John Dwyer}, title = {{IBM Security X-Force Research Advisory: New Destructive Malware Used In Cyber Attacks on Ukraine}}, date = {2022-02-24}, organization = {IBM}, url = {https://securityintelligence.com/posts/new-destructive-malware-cyber-attacks-ukraine/}, language = {English}, urldate = {2022-03-02} } IBM Security X-Force Research Advisory: New Destructive Malware Used In Cyber Attacks on Ukraine
HermeticWiper
2022-02-24 | RiskIQ | RiskIQ
@online{riskiq:20220224:riskiq:1c80c36, author = {RiskIQ}, title = {{RiskIQ: HermeticWiper Compromised Server Used in Attack Chain}}, date = {2022-02-24}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/9f59cb85}, language = {English}, urldate = {2022-03-02} } RiskIQ: HermeticWiper Compromised Server Used in Attack Chain
HermeticWiper
2022-02-24 | Zscaler | Deepen Desai
@online{desai:20220224:hermeticwiper:7cac018, author = {Deepen Desai}, title = {{HermeticWiper & resurgence of targeted attacks on Ukraine}}, date = {2022-02-24}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine}, language = {English}, urldate = {2022-03-02} } HermeticWiper & resurgence of targeted attacks on Ukraine
HermeticWiper
2022-02-24 | Tesorion | TESORION
@techreport{tesorion:20220224:report:e2f2082, author = {TESORION}, title = {{Report OSINT: Russia/ Ukraine Conflict Cyberaspect}}, date = {2022-02-24}, institution = {Tesorion}, url = {https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf}, language = {English}, urldate = {2022-03-01} } Report OSINT: Russia/ Ukraine Conflict Cyberaspect
Mirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate
2022-02-23 | Twitter (@threatintel) | Symantec Threat Intelligence
@online{intelligence:20220223:new:7beccbc, author = {Symantec Threat Intelligence}, title = {{Tweet on new wiper malware being used in attacks on Ukraine}}, date = {2022-02-23}, organization = {Twitter (@threatintel)}, url = {https://twitter.com/threatintel/status/1496578746014437376}, language = {English}, urldate = {2022-03-01} } Tweet on new wiper malware being used in attacks on Ukraine
HermeticWiper
2022-02-23 | The Record | Catalin Cimpanu
@online{cimpanu:20220223:second:960453d, author = {Catalin Cimpanu}, title = {{Second data wiper attack hits Ukraine computer networks}}, date = {2022-02-23}, organization = {The Record}, url = {https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/}, language = {English}, urldate = {2022-03-01} } Second data wiper attack hits Ukraine computer networks
HermeticWiper WhisperGate
2022-02-23 | Sentinel LABS | Juan Andrés Guerrero-Saade
@online{guerrerosaade:20220223:hermeticwiper:b218dda, author = {Juan Andrés Guerrero-Saade}, title = {{HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine}}, date = {2022-02-23}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/}, language = {English}, urldate = {2022-03-01} } HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine
HermeticWiper
2022-02-23 | The Hacker News | Ravie Lakshmanan
@online{lakshmanan:20220223:new:d894c7d, author = {Ravie Lakshmanan}, title = {{New Wiper Malware Targeting Ukraine Amid Russia's Military Operation}}, date = {2022-02-23}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/new-wiper-malware-targeting-ukraine.html}, language = {English}, urldate = {2022-03-01} } New Wiper Malware Targeting Ukraine Amid Russia's Military Operation
HermeticWiper
2022-02-22 | Palo Alto Networks Unit 42 | Unit 42
@online{42:20220222:russiaukraine:63a2dfc, author = {Unit 42}, title = {{Russia-Ukraine Crisis: How to Protect Against the Cyber Impact}}, date = {2022-02-22}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/}, language = {English}, urldate = {2022-03-02} } Russia-Ukraine Crisis: How to Protect Against the Cyber Impact
HermeticWiper
Yara Rules
[TLP:WHITE] win_hermeticwiper_auto (20230407 | Detects win.hermeticwiper.)
rule win_hermeticwiper_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.hermeticwiper."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwiper"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 89442424 85c0 744c 8b7c2410 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   89442424             | mov                 dword ptr [esp + 0x24], eax
            //   85c0                 | test                eax, eax
            //   744c                 | je                  0x4e
            //   8b7c2410             | mov                 edi, dword ptr [esp + 0x10]

        $sequence_1 = { 8be5 5d c3 8b4dfc 8d0476 }
            // n = 5, score = 200
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8d0476               | lea                 eax, [esi + esi*2]

        $sequence_2 = { 8b742420 83c404 85f6 0f846c010000 }
            // n = 4, score = 200
            //   8b742420             | mov                 esi, dword ptr [esp + 0x20]
            //   83c404               | add                 esp, 4
            //   85f6                 | test                esi, esi
            //   0f846c010000         | je                  0x172

        $sequence_3 = { 8d85e8fdffff 50 6803000080 ffd7 85c0 7552 8945fc }
            // n = 7, score = 200
            //   8d85e8fdffff         | lea                 eax, [ebp - 0x218]
            //   50                   | push                eax
            //   6803000080           | push                0x80000003
            //   ffd7                 | call                edi
            //   85c0                 | test                eax, eax
            //   7552                 | jne                 0x54
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_4 = { 56 ff15???????? 50 ff15???????? 85c0 7429 }
            // n = 6, score = 200
            //   56                   | push                esi
            //   ff15????????         |                     
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7429                 | je                  0x2b

        $sequence_5 = { 8b4e56 8b4652 894c2418 8d4c2414 }
            // n = 4, score = 200
            //   8b4e56               | mov                 ecx, dword ptr [esi + 0x56]
            //   8b4652               | mov                 eax, dword ptr [esi + 0x52]
            //   894c2418             | mov                 dword ptr [esp + 0x18], ecx
            //   8d4c2414             | lea                 ecx, [esp + 0x14]

        $sequence_6 = { 83ee02 eb02 8bf3 397df0 7531 6a5c 6a00 }
            // n = 7, score = 200
            //   83ee02               | sub                 esi, 2
            //   eb02                 | jmp                 4
            //   8bf3                 | mov                 esi, ebx
            //   397df0               | cmp                 dword ptr [ebp - 0x10], edi
            //   7531                 | jne                 0x33
            //   6a5c                 | push                0x5c
            //   6a00                 | push                0

        $sequence_7 = { 50 e8???????? 8b442428 83c418 5f 5e }
            // n = 6, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   83c418               | add                 esp, 0x18
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_8 = { b9???????? 8bc7 0f1f8000000000 668b10 663b11 751e }
            // n = 6, score = 200
            //   b9????????           |                     
            //   8bc7                 | mov                 eax, edi
            //   0f1f8000000000       | nop                 dword ptr [eax]
            //   668b10               | mov                 dx, word ptr [eax]
            //   663b11               | cmp                 dx, word ptr [ecx]
            //   751e                 | jne                 0x20

        $sequence_9 = { 68???????? 7407 68???????? eb05 68???????? ff35???????? ff15???????? }
            // n = 7, score = 200
            //   68????????           |                     
            //   7407                 | je                  9
            //   68????????           |                     
            //   eb05                 | jmp                 7
            //   68????????           |                     
            //   ff35????????         |                     
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 247808
}