Newsletter 03/17/2022
From Russia Sans Love: Destructive Wiper Malware
Your hard drive has been corrupted. When the computer powers down, the malware executes. "In reality, the ransomware note is a ruse and that the malware destructs MBR (Master Boot Record) and the contents of the files it targets," according to Microsoft. There is a second stage of the infection associated with WhisperGate. The next-stage malware can best be described as a malicious file corrupter. Once executed in memory, the corrupter locates files in certain directories on the system that carry one of a set of hardcoded file extensions. That set covers just about every filename extension anyone might use, from BAK to ZIP, including doc, docx, xls, xlsx and everyone's favorite, PDF; every matching file is slated for destruction and cannot be recovered, because the drive is effectively destroyed. If a file carries one of those extensions, the corrupter overwrites the contents of the file with a fixed number of 0xCC bytes (total file size of 1MB). After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension. Analysis of this malware is ongoing.
No good backup? Then it's SOL time. HermeticWiper then focuses on corrupting the first 512 bytes, the Master Boot Record (MBR), of every physical drive. While that alone should be enough to keep the device from ever booting again, HermeticWiper proceeds to enumerate the partitions on all possible drives.
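A triage check for the two behaviours just described, as an added example that is not from the article or from any vendor's report: it flags files whose contents are entirely 0xCC (corroborated by the 1MB size and the four-character extension) and first sectors that have lost the standard boot signature. Assumed, and not stated on the page: "1MB" is taken as 1 MiB, and the "four-byte extension" is matched as four alphanumeric characters.

```python
import os
import re

FILL_BYTE = 0xCC                               # WhisperGate's fill byte
FILL_SIZE = 1024 * 1024                        # assumed: "1MB" means 1 MiB
RANDOM_EXT = re.compile(r"\.[A-Za-z0-9]{4}$")  # assumed extension shape
MBR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"                    # boot signature at offset 510


def file_looks_wiped(name, data):
    """Returns (verdict, reasons). Only all-0xCC content decides the verdict;
    size and extension are hints, since legitimate four-character extensions
    (docx, xlsx) match the extension pattern too."""
    reasons = []
    if data and data.count(FILL_BYTE) == len(data):
        reasons.append("content is all 0xCC")
    if len(data) == FILL_SIZE:
        reasons.append("size is exactly 1 MiB")
    if RANDOM_EXT.search(name):
        reasons.append("four-character extension")
    return "content is all 0xCC" in reasons, reasons


def triage_file(path):
    """Disk-backed wrapper for files copied off a recovered volume."""
    with open(path, "rb") as fh:
        return file_looks_wiped(os.path.basename(path), fh.read())


def mbr_looks_wiped(sector):
    """True if the first 512 bytes are short or lack the 0x55AA boot
    signature: firmware will not boot such a disk, whatever was written
    over the MBR."""
    sector = sector[:MBR_SIZE]
    return len(sector) < MBR_SIZE or sector[510:512] != MBR_SIGNATURE


def demo():
    """Both checks over constructed samples; returns the results."""
    wiped = bytes([FILL_BYTE]) * FILL_SIZE            # constructed wiped file
    intact = b"%PDF-1.4 constructed sample document"   # constructed healthy file
    good_mbr = bytes(510) + MBR_SIGNATURE              # minimal signed sector
    bad_mbr = bytes([FILL_BYTE]) * MBR_SIZE            # constructed wiped sector
    return {
        "wiped": file_looks_wiped("report.x9Qa", wiped),
        "intact": file_looks_wiped("report.pdf", intact),
        "good_mbr": mbr_looks_wiped(good_mbr),
        "bad_mbr": mbr_looks_wiped(bad_mbr),
    }
```

Run `triage_file` over a directory listing of the recovered volume and `mbr_looks_wiped` over the first 512 bytes of each disk image to get a quick count of what was hit before deciding whether restoring from backup is the only option.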
Then on February 24, 2022, ESET discovered another strain similar to HermeticWiper. This strain is dubbed "IsaacWiper." What ESET noted about IsaacWiper is: "It has no code similarity with HermeticWiper and is way less sophisticated. Given the timeline, it is possible that both are related but we haven’t found any strong connection yet." Nonetheless, it will still wipe the drive. This could be the work of freelancers or script kiddies who just want to get in on the action and have some fun.
Researchers have discovered a new type of destructive wiper malware affecting computers in Ukraine, making it at least the third strain of wiper to have hit Ukrainian systems since the Russian invasion began. Although the attackers discussed herein are still very dangerous, by the time you read this antimalware vendors will have built in defenses against these strains of malware. The real and present danger may well come from new strains not yet detected. It is obvious these threats will remain with us for some time, and evolve over time as well.
This report details a destructive cyberattack that impacted
Ukrainian organizations on February 23rd, 2022, and a second attack that
affected a different Ukrainian organization from February 24th through
26th, 2022. At this point, we have no indication that other countries
were targeted.
If history is a guide, and it always is, these are instances of what I like to call Espionageware, because it's old-fashioned espionage played on a new gameboard. One of the first successful instances of Espionageware was the Stuxnet worm of 2010. That was the doing of the US and/or Israel, or so it is assumed. Stuxnet had to be physically planted on the computers at Iranian nuclear facilities. Stuxnet caused Iran's centrifuges to spin wildly out of control, while the gauges and dials and monitors said everything was AOK. Six months later Stuxnet was in the wild. Assuming you consider SoCal "the wild."
Researchers from firmware protection company Binarly have discovered critical vulnerabilities in the InsydeH2O UEFI firmware used by multiple computer vendors such as Fujitsu, Intel, AMD, Lenovo, Dell, ASUS, HP, Siemens, Microsoft, and Acer. The only mitigation for this threat is an update to the firmware itself, which can be difficult even under the best of circumstances, meaning a fairly recent computer from a known manufacturer. A BIOS update on any older machine is something that I don't think is advisable. And if you do not know who your motherboard manufacturer is, then a firmware update is not possible.
HP has disclosed 16 high-impact UEFI firmware vulnerabilities that could allow threat actors to infect devices with malware that gains high privileges and remains undetectable by installed security software. I have reached out to folks who have recent HP PCs. Not to sound arrogant, but ignore me at your risk.