Urgent Vulnerability Notice: HermeticWizard, HermeticRansom, and IsaacWiper Target Ukraine

What You Need to Know:

This week, ESET researchers discovered three new cyberattacks against Ukraine: HermeticWizard, HermeticRansom, and IsaacWiper.

There is a new exploit, HermeticWizard, which spreads HermeticWiper across local networks via WMI and SMB. HermeticWizard is a worm that was deployed on a Ukrainian system on February 23, 2022. The malware starts by trying to find other machines on a local network before gathering known local IP addresses using these Windows functions:

• DNSGetCacheDataTable
• GetIpNetTable
• WNetOpenEnumW(RESOURCE_GLOBALNET, RESOURCETYPE_ANY)
• NetServerEnum
• GetTcpTable
• GetAdaptersAddresses

ESET stated in their report that after HermeticWizard finds a reachable machine, it drops the WMI spreader onto a disk and creates a new process with the following command line: <current folder>\<6 random letters>.ocx #1 -s <path to HermeticWizard> – i <target IP>. According to ESET, like HermeticWiper, HermeticWizard was signed by a code-signing certificate assigned to Hermetica Digital Ltd, which was issued on April 13th, 2021. ESET requested the issuing CA (DigiCert) to revoke the certificate, which it did on February 24th, 2022.

Reuters issued a report stating the Hermetica Digital certificate was stolen by threat actors from Hermetica Digital, which is a Cypriot company. The Hermetica owner from Cyprus didn’t know that his certificate was being used in a malicious malware attack against Ukraine. The owner is a 24-year-old game designer who runs his business from a house next to a Cypriot church on the outskirts of Nicosia – never expecting to wind up in a global crisis. Reuters believes that the attackers impersonated the Cypriot company to get the certificate from DigiCert.

With this new information, ESET believes that the attacked organizations were compromised before HermeticWiper was deployed. HermeticRansom was also discovered by ESET, which is ransomware written in Go. It’s currently being used at the same time as the HermeticWiper campaign but has a much smaller deployment. ESET believes that the ransomware was deployed at the same time to hide the HermeticWiper’s actions, as it doesn’t use obfuscation mechanisms. This has led researchers to believe that the ransomware was created in a hurry.

In addition to HermeticWizard and HermeticRansom, ESET detected IsaacWiper on February 24, 2022, and it’s suspected that threat actors used tools like Impacket to move laterally within networks and systems. ESET also observed a remote access tool called RemCom being deployed at the same time as IsaacWiper.

Although the attacks come during a time when Russia is at odds with Ukraine, HermeticWizard, HermeticRansom, and IsaacWiper have not been attributed to Russia and the attackers remain unknown. However, IsaacWiper might have been used in previous attacks months prior. There is no known connection between HermeticWiper and IsaacWiper.

Today, Microsoft released a report discussing their discovery of a new malware package called FoxBlade that was directed against Ukraine’s digital infrastructure. However, cyber intelligence researchers discovered that FoxBlade is actually HermeticWiper due to the two exploits having the same file hashes. Also, the same malware was given different names by ESET and Microsoft.

Towerwall Recommendations:

HermeticWizard:

• Monitor traffic on the ports HermeticWizard uses to worm through networks.

HermeticRansom (aka PartyTicket) has decryption instructions:

• According to researchers at CrowdStrike, HermeticRansom’s AES key used for encryption is recoverable. The Go script provided by CrowdStrike decrypts files encrypted by HermeticRansom.
• The script takes the file to be decrypted as an argument via the “-p” flag and saves the decrypted output to “decrypted.bin” in the same directory. The script can be built as an executable or run via the Go run package.

CISA’s recommendations apply for HermeticWiper (aka DriveSlayer), HermeticRansom, and IsaacWiper:

Regularly Review Your Cyber Hygiene:

• Validate that all remote access to the organization’s network and privileged or administrative access requires multi-factor authentication.
• Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
• Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
• If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA’s guidance.

Quickly Detect a Potential Intrusion:

• Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior.
• Enable logging in order to better investigate issues or events.
• Confirm that the organization’s entire network is protected by antivirus/antimalware software and that signatures in these tools are updated.
• If working with Ukrainian organizations, take extra care to monitor, inspect, and isolate traffic from those organizations; closely review access controls for that traffic.

Prepare to Respond if an Intrusion Occurs:

• Designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/ responsibilities within the organization, including technology, communications, legal, and business continuity.
• Assure availability of key personnel; identify means to provide surge support for responding to an incident.
• Conduct a tabletop exercise to ensure that all participants understand their roles during an incident.

Maximize Your Organization’s Resilience to a Destructive Cyber Incident:

• Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack; ensure that backups are isolated from network connections.
• If using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.

Indicators of Compromise (IoCs):

HermeticRansom AKA PartyTicket

• 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

HermeticWizard and IsaacWiper

• 6983f7001de10f4d19fc2d794c3eb534
• bdf30adb4e19aff249e7da26b7f33ead
• d57f1811d8258d8d277cd9f53657eef9
• 0e84aff18d42fc691cb1104018f44403c325ad21
• 23873bf2670cf64c2440058130548d4e4da412dd
• 379ff9236f0f72963920232f4a0782911a6bd7f7
• 3c54c9a49a8ddca02189fe15fea52fe24f41a86f
• 61b25d11392172e587d8da3045812a66c3385451
• 6b5958bfabfe7c731193adb96880b225c8505b73
• 736a4cfad1ed83a6a0b75b0474d5e01a3a36f950
• 87bd9404a68035f8d70804a5159a37d1eb0a3568
• 912342f1c840a42f6b74132f8a7c4ffe7d40fb77
• ac5b6f16fc5115f0e2327a589246ba00b41439c2
• ad602039c6f0237d4a997d5640e92ce5e2b3bba3
• b33dd3ee12f9e6c150c964ea21147bf6b7f7afa9
• e9b96e9b86fad28d950ca428879168e0894d854f
• f32d791ec9e6385a91b45942c230f52aff1626df
• 23ef301ddba39bb00f0819d2061c9c14d17dc30f780a945920a51bc3ba0198a4
• 2c7732da3dcfc82f60f063f2ec9fa09f9d38d5cfbe80c850ded44de43bdb666d
• 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71

HermeticWiper

• 912342F1C840A42F6B74132F8A7C4FFE7D40FB77
• 61B25D11392172E587D8DA3045812A66C3385451
• Win32/KillDisk[.NCV] trojan 6/n

Supporting Documentation:

• Hermetica Owner From Cyprus Didn’t Know His Server Was Used In Malicious Malware Attack In Ukraine (voi.id)
• IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine | WeLiveSecurity
• How to Decrypt the PartyTicket Ransomware Targeting Ukraine | CrowdStrike
• HermeticRansom used as a smokescreen for wiper attacks | Kaspersky official blog
• HermeticWiper – FoxBlade
• OTX-HermeticWizard-IsaacWiper
• Cyprus games writer denies links to malware found before Russian invasion | Reuters

If you have any questions about this vulnerability or your information security needs, please contact me directly at 774-204-0700.