On 23 Feb 2022 numerous organizations within Ukraine were targeted with attacks employing ‘KillDisk’ or ‘HermeticWiper’ malware. Once deployed, this malware employs various drivers to corrupt the master boot record (MBR) of the target endpoint. FortiEDR customers are protected from this malware variant. The context in which these unique samples were employed is interesting: it appears to have no commercial outcome for the adversary, and the malware has no functionality other than that designed to irreparably destroy data on an endpoint. Also interesting is that reports indicate ransomware was deployed alongside the wiper software, as were significant DDoS attacks, both likely deployed as decoys to tie up incident response and security resources while the wiper was executed in target environments.
This article will highlight how FortiEDR detects and blocks behaviour associated with this wiper activity and how to ensure that FortiEDR is configured to offer these protections. There is limited consistent information outlining the attack chain leading up to deployment of this sample, so this article will look at various HermeticWiper samples in isolation, with future article updates to come as more information can be verified.
Behaviour of the HermeticWiper sample triggers numerous rules across the FortiEDR security policies; these rules can be seen below. Because FortiEDR automatically enriches events with FortiGuard threat intelligence, known samples are flagged as ‘KillDisk.NCV!tr’, and file read attempts for the executable are blocked pre-execution on the basis of this classification. Events generated during the execution of this sample are shown below in Figure 1.
Figure 1. FortiEDR detects numerous behavioral events related to execution of the HermeticWiper malware. These detections and mitigations prevent it from affecting protected endpoints.
To demonstrate how FortiEDR also detects files with an unknown hash, we appended some random characters to the file and re-executed it. We can see from this detection that the hash has changed and no longer matches a known signature. Regardless, FortiEDR still flags this file as suspicious because the Fortinet Cloud Services machine learning engine assesses it as having a high likelihood of being malicious. This assessment can be seen below in Figure 2.
Figure 2. FortiEDR employs multiple online sandboxes and a machine learning engine as part of the Fortinet Cloud Services (FCS) cloud backend. This allows it to detect new versions of malware variants without known signatures as shown above for an unknown HermeticWiper sample.
Once executed with appropriate permissions (administrator access), the wiper extracts a copy of a driver from one of its embedded resources, selected according to the architecture of the target, and briefly writes it to disk. The embedded drivers are stored in the 'ms-compressed' format. Once written to disk at “C:\Windows\System32\Drivers\<four_random_lowercase_letters>.sys”, the driver is loaded by the wiper. This behaviour can be observed being detected by FortiEDR in the event shown below in Figure 3 and is flagged as ‘Modify OS Settings’.
Figure 3. FortiEDR detects and flags the HermeticWiper executable loading the zddr.sys driver (empntdrv.sys). FortiEDR would block this behavior in ‘Protect’ mode.
This driver is a copy of the ‘empntdrv.sys’ or 'EaseUS' driver, a legitimate driver used for data recovery. Writing of this driver is non-standard behaviour and serves as a high-confidence indicator that can be searched for through FortiEDR’s Threat Hunting feature, covered in a later section of this article. The name of the driver is randomized on each execution.
This driver is loaded by the wiper and then used to obtain raw disk access to all mounted physical drives. The wiper uses the access granted by this driver to reach the Master Boot Record (MBR) of each drive and overwrite it with randomly generated data, corrupting the drives and rendering them unusable. FortiEDR detects and blocks direct disk access by the malicious process as a malicious ‘File Access’ event. This can be observed in the event depicted in Figure 4 below.
Figure 4. FortiEDR detects and flags the zddr.sys driver (empntdrv.sys) attempting to access and overwrite the MBR as malicious activity. This is the wipe process; FortiEDR would block this behavior in ‘Protect’ mode.
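The MBR overwrite described above leaves its evidence in the first 512 bytes of each affected drive. The following Python is an added example, not code from the article or from FortiEDR: it parses a 512-byte boot sector into its partition table and boot signature and reports whether the sector looks intact or overwritten, which is the check a responder would run against a forensic image of a suspected victim. Both sample sectors are constructed here (one valid NTFS-style layout, one deterministic filler standing in for random overwrite data); the field offsets are the standard MBR layout.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xAA"      # boot signature at offset 510
# Partition entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Decode the partition table and boot signature from a raw 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == MBR_SIGNATURE,
            "partitions": partitions}


def assess_mbr(sector: bytes) -> dict:
    """Return a verdict ('intact' or 'damaged') with the structural checks that failed.

    Random overwrite data almost never satisfies all of these at once, so a
    'damaged' verdict with several reasons is the typical post-wipe picture."""
    info = parse_mbr(sector)
    reasons = []
    if not info["signature_ok"]:
        reasons.append("boot signature missing")
    for i, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):          # only inactive/bootable are valid
            reasons.append(f"entry {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            reasons.append(f"entry {i}: unused type but non-zero geometry")
    if all(p["type"] == 0 for p in info["partitions"]):
        reasons.append("no partition entries")
    return {"verdict": "intact" if not reasons else "damaged",
            "reasons": reasons, "partitions": info["partitions"]}


def read_first_sector(image_path: str) -> bytes:
    """Read sector 0 from a disk image file (e.g. a forensic acquisition)."""
    with open(image_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: one bootable NTFS-type partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def build_wiped_mbr() -> bytes:
    """Constructed filler standing in for the random data a wiper writes over sector 0."""
    return bytes((i * 73 + 41) % 256 for i in range(SECTOR_SIZE))


if __name__ == "__main__":
    for label, sector in (("healthy", build_sample_mbr()), ("wiped", build_wiped_mbr())):
        result = assess_mbr(sector)
        print(f"{label}: {result['verdict']}", *result["reasons"], sep="\n  ")
```

Point `read_first_sector` at an acquired image rather than a live physical device; reading `\\.\PhysicalDrive0` directly requires administrator rights and is better done from a forensic workstation.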
Once the MBR has been overwritten, the driver is unloaded and deleted. On reboot, because the MBR is corrupted, the victim endpoint displays the screen shown below in Figure 5.
Figure 5. Screen displayed on boot following corruption of the MBR by HermeticWiper
As highlighted above, FortiEDR will detect and block this family of malware pre-execution, even when new variants are released, through its integration of FortiGuard threat intelligence, online sandboxing and machine learning engines. In addition, FortiEDR will detect and block the subsequent behavior performed by this family of malware, preventing it from destroying target endpoints even if a sample is executed.
Identify the wiper based on file creation events (drivers). Note that the file name changes on each execution (to a four-letter filename), so this search is relatively generic and will need to be filtered per environment. Typically, drivers are only installed by installers through msiexec; however, security software typically resides as a driver and will create a new driver on update, which will need to be filtered out.
Identify anomalous registry operations associated with wiper execution. The ‘showCompColor’ value toggles whether compressed and encrypted NTFS files are shown in color when displayed through Explorer, and the ‘showInfoTip’ value toggles whether pop-up descriptions for folder and desktop items are shown on mouse-over. Changes to these registry settings only appear to affect the GUI output, and their practical purpose within the sample appears limited.
| Technique ID | Technique Description | Observed Activity |
| --- | --- | --- |
| T1070.001 | Indicator Removal on Host: File Deletion | HermeticWiper writes a driver to disk from one of its internal resources, then loads and executes the driver to access the raw disk. This driver is deleted once the wipe process has completed. |
| T1027 | Obfuscated Files or Information | HermeticWiper includes the required drivers as resources in the main executable and writes them to disk as required on execution. |
| T1553.002 | Subvert Trust Controls: Code Signing | HermeticWiper samples observed in the wild so far have been signed by ‘Hermetica Digital Ltd’ with a legitimate certificate. The certificate had not been associated with a legitimate company or legitimate software at the time of the attack. |
| T1561.002 | Disk Wipe: Disk Structure Wipe | HermeticWiper overwrites the Master Boot Record (MBR) of all physical drives attached to a target endpoint. This renders the drives useless and will cause the endpoint to fail to boot. |
| Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes |
| --- | --- | --- | --- | --- |
| Malicious Executable | 0d8cc992f279ec45e8b8dfd05a700ff1f0437f29 | SHA1 Hash | Impact | HermeticWiper Executable |
| Malicious Executable | d9a3596af0463797df4ff25b7999184946e3bfa2 | SHA1 Hash | Impact | HermeticWiper Executable |
| Malicious Executable | 912342f1c840a42f6b74132f8a7c4ffe7d40fb77 | SHA1 Hash | Impact | HermeticWiper Executable |
| Malicious Executable | 61b25d11392172e587d8da3045812a66c3385451 | SHA1 Hash | Impact | HermeticWiper Executable |
Copyright 2025 Fortinet, Inc. All Rights Reserved.