Newsletter 03/17/2022

From Russia Sans Love: Destructive Wiper Malware
& Oh. And Iran Wants to Eat Your UEFI


Around the time of the invasion of Ukraine, at least 3 separate strains of malware called "Wiper" had been found in Ukraine.  The malware is called Wiper because "the malware erases user data and partition information from any drives attached to a compromised machine."  The first strain was discovered by Microsoft in January 2022,  before the actual invasion began.  Known as WhisperGate, that first strain masqueraded as ransomware.  The message below was displayed on screens of infected PCs.

Your hard drive has been corrupted.
In case you want to recover all hard drives of your organization,
You should pay us $10k via bitcoin wallet
1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via
tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65
with your organization name.
We will contact you to give further instructions.

When the computer powers down, the malware executes.  "In reality, the ransomware note is a ruse and that the malware destructs MBR (Master Boot Record) and the contents of the files it targets," according to Microsoft.  There is a 2nd stage of the infection associated with WhisperGate.

The next-stage malware can best be described as a malicious file corrupter. Once executed in memory, the corrupter locates files in certain directories on the system with one of the following hardcoded file extensions:

Just about every filename extension anyone might use, from BAK to ZIP, including doc, docx, xls, xlsx and everyone's favorite PDF, is slated for destruction, and the files cannot be recovered because the drive itself is effectively destroyed.

If a file carries one of the extensions above, the corrupter overwrites the contents of the file with a fixed number of 0xCC bytes (total file size of 1MB).  After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension. Analysis of this malware is ongoing.

No good backup?  Then it's SOL time.

But Wait!  There's more.  On February 23, 2022, a second strain of Wiperware that masquerades as ransomware was detected by Slovakian security & antimalware vendor ESET.  This one is called HermeticWiper.  This strain locates all physical drives and partitions.  Along with HermeticWiper comes a "worm that we have named HermeticWizard" that will spread the malware automatically across networks.

The malware then focuses on corrupting the first 512 bytes, the Master Boot Record (MBR) for every Physical Drive. While that should be enough for the device not to boot again, HermeticWiper proceeds to enumerate the partitions for all possible drives.
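As an added example (not code from this newsletter, Microsoft or ESET), here is a small Python triage script built from the two behaviours quoted above: the WhisperGate stage-2 corrupter leaves files that are exactly 1 MB of 0xCC bytes under a random four-byte extension, and HermeticWiper overwrites the first 512 bytes, the MBR. The heuristics, the sample files and the sector images are constructed for illustration; on a real case the input would be a recovered drive image or mounted volume.

```python
import tempfile
from pathlib import Path

ONE_MIB = 1024 * 1024      # Microsoft: corrupted files end up 1 MB in size
FILL_BYTE = 0xCC           # ... and are filled entirely with 0xCC
MBR_SIZE = 512             # ESET: HermeticWiper corrupts the first 512 bytes
BOOT_SIG = b"\x55\xaa"     # standard MBR boot signature at offset 510

def looks_cc_overwritten(path):
    """True if the file is exactly 1 MiB of 0xCC, the stage-2 corrupter's footprint."""
    p = Path(path)
    if p.stat().st_size != ONE_MIB:
        return False
    with p.open("rb") as f:
        return f.read(ONE_MIB) == bytes([FILL_BYTE]) * ONE_MIB

def scan_tree(root):
    """Walk a directory tree and return the files matching the corrupter pattern."""
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and looks_cc_overwritten(p))

def mbr_looks_wiped(sector):
    """True if a 512-byte sector-0 image lacks the boot signature or has an
    all-zero partition table (bytes 446..509); a wiped MBR fails one of these."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIG:
        return True
    return not any(sector[446:510])

def build_sample_tree():
    """Constructed sample data: one wiped file, one intact file, one decoy."""
    root = tempfile.mkdtemp(prefix="wiper_triage_")
    (Path(root) / "report.mrjs").write_bytes(bytes([FILL_BYTE]) * ONE_MIB)  # wiped, random ext
    (Path(root) / "budget.xlsx").write_bytes(b"PK\x03\x04" + bytes(64))     # intact zip header
    (Path(root) / "blob.bin").write_bytes(bytes([0xAA]) * ONE_MIB)          # same size, other fill
    return root

def sample_mbrs():
    """Constructed sector images: a minimal valid MBR and a garbage-overwritten one."""
    intact = bytearray(MBR_SIZE)
    intact[446], intact[450] = 0x80, 0x07   # bootable flag and NTFS type in entry 1
    intact[510:512] = BOOT_SIG
    wiped = bytes(range(256)) * 2           # no boot signature survives the overwrite
    return bytes(intact), wiped
```

Size-and-fill matching is deliberately strict so that ordinary 1 MB files (the decoy above) do not trigger; loosen it only after confirming the fill pattern on the case at hand.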

Then on February 24, 2022, ESET discovered another strain similar to HermeticWiper.  This strain is dubbed "IsaacWiper."  What ESET noted about IsaacWiper is "It has no code similarity with HermeticWiper and is way less sophisticated. Given the timeline, it is possible that both are related but we haven’t found any strong connection yet."   Nonetheless, it will still wipe the drive.  This could be the work of freelancers or script kiddies who just want to get in on the action and have some fun.

While antimalware vendors were bringing their products up to speed on these attackers, a fourth Wiperware variant was detected on March 14, 2022.

Researchers have discovered a new type of destructive wiper malware affecting computers in Ukraine, making it at least the third strain of wiper to have hit Ukrainian systems since the Russian invasion began.

The malware, dubbed CaddyWiper, was found by researchers at Slovakia-based cybersecurity firm ESET.

Although the attackers discussed herein are still very dangerous, by the time you read this antimalware vendors will have built in defenses against these strains of malware.  The real and present danger may well come from new strains not yet detected.  It is obvious these threats will remain with us for some time, and will also evolve over time.

This report details a destructive cyberattack that impacted Ukrainian organizations on February 23rd, 2022, and a second attack that affected a different Ukrainian organization from February 24th through 26th, 2022. At this point, we have no indication that other countries were targeted.

However, due to the current crisis in Ukraine, there is still a risk that the same threat actors will launch further campaigns against countries that back the Ukrainian government or that sanction Russian entities.

If history is a guide, and it always is, these are instances of what I like to call Espionageware, because it's old fashioned espionage played on a new gameboard.  One of the first successful instances of Espionageware was the Stuxnet worm of 2010.  That was the doing of the US and/or Israel, or so it is assumed.  Stuxnet had to be physically planted on the computers at Iranian nuclear facilities.  Stuxnet caused Iran's centrifuges to spin wildly out of control, while the gauges and dials and monitors said everything was AOK.  Six months later Stuxnet was in the wild.  Assuming you consider SoCal "the wild."

So DO NOT ASSUME YOU, ME, UNCLE FRED, AUNTIE ETHEL,  or anybody else can be considered immune from these threats.  They have a way of going global.  One of the first principles of Zero Trust is there is no boundary to the network.

If you do not have a good plan of action for backing up and restoring your data, I suggest you formulate one and implement it.  If there are updates to install, then install the updates.  And for the Love Of God, at least restart your PC once a day, if you don't want to turn it off.  That will ensure any updates that did not install right the first time will install themselves correctly.

But that's not what motivated me to post an Extra Dispatch From the Front.  We have a Love Letter from Iran.  I cranked up the old HTML machine to type about something that really will destroy, not just the hard drive, but render the PC into a useless brick.  "UEFI firmware vulnerabilities affect at least 25 computer vendors" was the headline on February 2, 2022 from BleepingComputer.  I have discussed malware that infects the computer's Basic Input/Output System (BIOS) in many Dispatches in the past.  To review, UEFI firmware is most easily understood as the code stored in the programmable semiconductors on your motherboard.  And once infected, the machine is itself a threat to the network, assuming the PC still works, as it is reinfected with each new start up.

Researchers from firmware protection company Binarly have discovered critical vulnerabilities in the UEFI firmware from InsydeH2O used by multiple computer vendors such as Fujitsu, Intel, AMD, Lenovo, Dell, ASUS, HP, Siemens, Microsoft, and Acer.

In total, Binarly found 23 flaws in the InsydeH2O UEFI firmware, most of them in the software's System Management Mode (SMM) that provides system-wide functions such as power management and hardware control.

The only mitigation for this threat is an update to the firmware itself, which can be difficult under the best of circumstances, meaning a fairly recent computer from a known manufacturer.  A BIOS update on any older machine is something that I don't think is advisable.  And if you do not know who your motherboard manufacturer is, then a firmware update is not possible.

On March 9, 2022, HP patched "16 UEFI firmware bugs allowing stealthy malware infections." 

HP has disclosed 16 high-impact UEFI firmware vulnerabilities that could allow threat actors to infect devices with malware that gains high privileges and remains undetectable by installed security software.

These vulnerabilities affect multiple HP models, including laptops, desktop computers, PoS systems, and edge computing nodes.

The flaws were discovered by researchers at Binarly, the same team that published another set of UEFI flaws affecting 25 computer vendors back in February.

I have reached out to folks who have recent HP PCs.  Not to sound arrogant, but ignore me at your risk.

Each single post to the Dispatches from the Front, like this simple posting with no graphics, takes about 4 hours of real work.  I don't get paid for it.  I do it as a public service that I hope you appreciate.


Gerald Reiff
