We all are aware of the ongoing conflict between Russia and Ukraine. As the physical war takes place on the ground, it also gives rise to cyberattacks against Russia and Ukraine. We are seeing an increase in malicious cyber activities as the conflict has evolved over the weeks. This write-up covered most of the malicious attacks in the news related to the Russia-Ukraine cyberwar.
- Hermetic Wiper:
This was first observed on 23rd Feb & is targeted against Ukraine. HermeticWiper is named based on the certificate it contains Hermetica Digital Ltd. It abuses the legitimate driver of EaseUS by wiping the process by loading it as a service. It also disables crash dumps with the help of registry entry and volume shadow copy through the service. It overwrites MBR, MFT, and files at several locations with random bytes. The infected machine will fail to boot due to its MBR being overwritten.
- WhisperGate:
This is a destructive malware that was first observed on 13th Jan 2022 and is targeted at Ukraine. It corrupts the disk by overwriting MBR code with 16-bit assembly code and a ransom note. In this case, the ransom note is just a tactic as there is no way for recovery. If overwriting of MBR fails, there is a 2nd stage involved which has a file corrupter. This malware overwrites specific extension files under specific directories with a fixed number of 0xCC bytes by adding random extensions to the filename.
- Isaac Wiper:
Yet another malware that is targeted against Ukraine. Isaac Wiper was first spotted on 24th Feb 2022. It identifies physical drives and wipes the first 0x10000 bytes of each disk. This malware also can identify logical drives and wipe every file on such drives with random bytes.
- RURansom:
Despite its name, RURansom is a wiper and not a ransomware variant because of its irreversible destruction of encrypted files. It spreads like a worm by copying itself to all removable disks and mapped network drives. After spreading, it begins encryption of all file extensions except for “.bak” files, which are deleted. The files are encrypted with a randomly generated key with a length equal to base64. The encryption algorithm used by RURansom is AES-CBC.
The encryption keys used by RURansom are unique for each encrypted file and are not stored anywhere. Hence making the encryption irreversible and marking the malware as a wiper rather than a ransomware variant. Some malware variants check the IP address to avoid execution outside Russia.
How does Seqrite protect its users?
Seqrite detects the above-listed malware with the following detection names:
- Whispergte.S26928601
- Whispergte.S26928613
- WhisperGateCiR
- HrmetcWipr.S26876287
- HermeticWiperCiR
- Hermeticwiper
- Win32CiR
- RURansom
- MSIL
Conclusion
With the Russia-Ukraine conflicts continuing, the malware authors are using new tools & tricks to lure victims. The best defense against these evolving cyberattacks is to stay vigilant & practice safe cyber hygiene.
Keep your Seqrite EPS products updated with the latest virus definitions. We at Seqrite are continuously monitoring all the developments and will update our detections on a timely basis. As of now, we already have protection against all the reported malware.
No Comments