FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
ralvarez
Staff
Staff

Introduction

 

On 23 Feb 2022 numerous organizations within Ukraine were targeted with attacks employing ‘KillDisk’ or ‘HermeticWiper’ malware. Once deployed this malware employs various drivers to corrupt the master boot record (MBR) of the target endpoint. FortiEDR customers are protected from this malware variant. The context of the employment of these unique samples is interesting as it appears to have no commercial outcome for the adversary and has no functionality other than that designed to irreparably destroy data on an endpoint. Also interesting is that reports indicate that ransomware was deployed alongside the wiper software, as were significant DDoS attacks, both likely deployed as decoys to tie up incident response and security resources as the wiper was executed in target environments.

 

This article will highlight how FortiEDR detects and blocks behaviour associated with this wiper activity and how to ensure that FortiEDR is configured to offer these protections. There is limited consistent information outlining the attack chain leading up to deployment of this sample so this article will look at various HermeticWiper samples in isolation, with future article updates to come as more information can be verified.

 

 

Detection and Mitigation with FortiEDR

 

Behaviour of the HermeticWiper sample triggers numerous rules across the FortiEDR security policies. These rules can be seen below. Due to FortiEDR’s automatic enrichment with FortiGuard threat intelligence, know samples are flagged as ‘KillDisk.NCV!tr’. Due to this tag, file read attempts for this executable will be blocked pre-execution. Events generated during the execution of this sample are shown below in Figure 1.

hermetic_figure01.png

Figure 1. FortiEDR detects numerous behavioral events related to execution of the HermeticWiper malware. These detections and mitigations prevent it from affecting protected endpoints.

 

To demonstrate how FortiEDR also detects against files with an unknown hash, we appended some random characters to the file and re-executed. We can see from this detection that the hash has changed and does not match a known signature. Regardless of this, FortiEDR still flags this file as suspicious as it is assessed as having a high likelihood of being malicious by the Fortinet Cloud Services machine learning engine. This assessment can be seen below in Figure 2

hermetic_figure02.png

Figure 2. FortiEDR employs multiple online sandboxes and a machine learning engine as part of the Fortinet Cloud Services (FCS) cloud backend. This allows it to detect new versions of malware variants without known signatures as shown above for an unknown HermeticWiper sample.

 

Once executed with appropriate permissions (administrator access) the wiper will extract a copy of a driver from one of its embedded resources depending on the architecture of the target and briefly write it to disk. Files are stored in the 'ms-compressed' format'. Once written to disk, at “C:\Windows\System32\Drivers\<four_random_lowercse_letters>.sys”, the driver is loaded by the wiper. This behaviour can be observed being detected by FortiEDR in the event show below in Figure 3 and is flagged as ‘Modify OS Settings’.

hermetic_figure03.png

Figure 3. FortiEDR detects and flags the HermeticWiper executable loading the zddr.sys driver (empntdrv.sys). FortiEDR would block this behavior in ‘Protect’ mode.

 

This driver is a copy of the ‘empntdrv.sys’ or 'EaseUS' driver, which is a legitimate driver used for data recovery. Writing of this driver is non-standard behaviour and serves as a high confidence indicator available for searching through FortiEDR’s Threat Hunting feature covered in a later section of this article. The name of the driver is randomized on each execution.

 

This driver is loaded by the wiper and then executed to provide raw disk access to all mounted physical drives. The wiper uses access granted by this driver to access the Master Boot Record (MBR) of each drive and overwrite it with randomly generated data, corrupting the drives and rendering them unusable. FortiEDR will detect and block direct disc access by the malicious process as a malicious ‘File Access’ event. This can be observed in the event depicted in Figure 4 below.

hermetic_figure04.png

Figure 4. FortiEDR detects and flags the zddr.sys driver (empntdrv.sys) attempting to access and overwrite the MBR as malicious activity. This is the wipe process, FortiEDR would block this behavior in ‘Protect’ mode.

 

Once the MBR has been written, the driver is unloaded and deleted. On reboot due to corruption of the MBR the victim endpoint will display the screen shown below in Figure 5.

hermetic_figure05.png

Figure 5. Screen displayed on boot following corruption of the MBR by HermeticWiper

 

As highlighted above, FortiEDR will detect and block execution of this family of malware pre-execution even if new variants are released due to integration of FortiGuard threat intelligence, online sandboxing and machine learning engines. In addition to this FortiEDR will detect and block subsequent behavior performed by this family of malware preventing it from destroying target endpoints even if samples are executed.

 

Threat Hunting

 

Identify wiper based on file creation events (drivers). Note that the file name changes on each execution (to a four letter filename) so this search is relatively generic. This query will need to be filtered per environment. Typically drivers are only installed by installers through msiexec however security software typically resides as a driver so will create a new driver on update that will need to be filtered.

Type:"File Create" AND Target.File.Path:"Windows\\System32\\Drivers" AND Target.File.Ext:"sys" AND Target.File.Name:????.sys NOT Source.Process.Name:"msiexec.exe"

 

Identify anomalous registry operations associated with wiper execution. The ‘showCompColor’ toggles whether compressed and encrypted NTFS files are shown in color when displayed through explorer and the ‘showInfoTip’ value toggle whether pop-up descriptions for folder and desktop items are shown on mouse-over. Changes to these registry settings only appear to affect the GUI output and their purpose within the sample appears to have limited practical purpose.

Type:"Value Set" AND Registry.Path:"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" AND Registry.Name:("ShowInfoTip" OR "ShowCompColor") AND Registry.Data:"0"

 

MITRE ATT&CK

 

TA0005 - Defense Evasion

 

 

Technique ID

Technique Description

Observed Activity

T1070.001

Indicator Removal on Host: File Deletion

HermaticWiper writes a driver to disk from one of its internal resources and then loads and executes driver to access raw disk. This driver is deleted once wipe process has been completed.

 

Technique ID

Technique Description

Observed Activity

T1027

Obfuscated Files or Information

HermaticWiper includes required drivers as resources in the main executable and writes them to disk as required on execution

 

Technique ID

Technique Description

Observed Activity

T1553.002

Subvert Trust Controls: Code Signing

HermaticWiper samples observed in the wild so far have been signed by ‘Hermetica Digital Ltd’ with a legitimate certificate. The certificate has not been associated with a legitimate company or legitimate software at the time of the attack.

 

Technique ID

Technique Description

Observed Activity

T1561.002

Disk Wipe: Disk Structure Wipe

HermaticWiper overwrites the Master Boot Record (MBR) of all physical drives attached to a target endpoint. This renders the drives useless and will cause the endpoint to fail to boot.

 

IOCs

 

Indicator Description

Indicator

Indicator Type

Associated Tactic

Notes

Malicious Executable

0d8cc992f279ec45e8b8dfd05a700ff1f0437f29

SHA1 Hash

Impact

HermeticWiper Executable

Malicious Executable

d9a3596af0463797df4ff25b7999184946e3bfa2

SHA1 Hash

Impact

HermeticWiper Executable

Malicious Executable

912342f1c840a42f6b74132f8a7c4ffe7d40fb77

SHA1 Hash

Impact

HermeticWiper Executable

Malicious Executable

61b25d11392172e587d8da3045812a66c3385451

SHA1 Hash

Impact

HermeticWiper Executable

Contributors