
A year of wiper strikes in Ukraine


ESET Research has compiled a timeline of cyberattacks using wiper malware that have occurred since Russia’s invasion of Ukraine in 2022

This blog post presents a compiled overview of the destructive wiper attacks we have been observing in Ukraine since early 2022, shortly before the Russian military invasion began. We attribute most of these attacks to Sandworm, with varying degrees of confidence. The compilation includes attacks seen by ESET, as well as some reported by other trusted sources such as CERT-UA, Microsoft, and SentinelOne.

[Figure: timeline of wiper attacks in Ukraine, January 2022 to January 2023. Each entry links to the report that disclosed it: ESET Research posts (Destructive malware targeting Ukrainian organizations; IsaacWiper and HermeticWizard; Industroyer2: Industroyer reloaded; RansomBoggs; SwiftSlicer), the ESET APT Activity Reports for T2 and T3 2022, CERT-UA advisories, Microsoft's "An overview of Russia's cyberattack activity in Ukraine" and its Prestige ransomware report, and "AcidRain | A Modem Wiper Rains Down on Europe".]

Note: Estimated date (~) is used when the exact date of deployment is uncertain or unknown. In some cases, the discovery date or (in the case of non-ESET discovery) the attack publication date is used.

Pre-invasion

Amid the many waves of DDoS attacks targeting Ukrainian institutions at the time, the WhisperGate malware struck on January 14th, 2022. The wiper masqueraded as ransomware, echoing NotPetya from June 2017, a tactic that would also be seen in later attacks.

On February 23rd, 2022, a destructive campaign using HermeticWiper targeted hundreds of systems in at least five Ukrainian organizations. This data wipe was first spotted just before 17:00 local time (15:00 UTC): the cyber attack preceded, by only a few hours, the invasion of Ukraine by Russian Federation forces. Along with HermeticWiper, the HermeticWizard worm and HermeticRansom faux ransomware were also deployed in the campaign.

Invasion and spring tide

On February 24th, 2022, as winter began to thaw in Ukraine, the second destructive attack on a Ukrainian governmental network began, using a wiper we named IsaacWiper.

Also on the day of the invasion, the AcidRain wiper campaign targeted Viasat KA-SAT modems, with spillover outside Ukraine as well.

Another wiper, originally disclosed by Microsoft, is DesertBlade, reportedly deployed on March 1st, 2022 and again around March 17th, 2022. The same report also mentions attacks using wipers from the Hermetic campaign, namely HermeticWiper (which Microsoft calls FoxBlade) around March 10th, 2022, HermeticRansom (which Microsoft calls SonicVote) around March 17th, 2022, and attacks around March 24th, 2022 using both HermeticWiper and HermeticRansom.

CERT-UA reported its findings about the DoubleZero wiper on March 17th, 2022.

On March 14th, 2022, ESET researchers detected an attack using CaddyWiper targeting Ukrainian banks.

On April 1st, 2022, we detected CaddyWiper again, this time loaded by the ArguePatch loader, which is typically a modified legitimate binary used to load shellcode from an external file. We detected a similar scenario on May 16th, 2022, where ArguePatch took the form of a modified ESET binary.

We also detected the ArguePatch-CaddyWiper tandem on April 8th, 2022, in what is perhaps Sandworm's most ambitious attack since the invasion began: their failed attempt to disrupt the flow of electricity using Industroyer2. Besides ArguePatch and CaddyWiper, in this incident we also found wipers for non-Windows platforms: ORCSHRED, SOLOSHRED, and AWFULSHRED. For details, see the notification by CERT-UA and our WeLiveSecurity blog post.

Summers are quieter

The summer months saw fewer new wiper campaign discoveries in Ukraine than the preceding months, but some notable attacks did occur.

We worked closely with CERT-UA on cases of ArguePatch (and CaddyWiper) being deployed against Ukrainian institutions. The first incident occurred within a week of June 20th, 2022, and another on June 23rd, 2022.

Autumn waves

With temperatures dropping ahead of the northern winter, on October 3rd, 2022 we detected a new version of CaddyWiper deployed in Ukraine. Unlike the previously used variants, this CaddyWiper is compiled as a Windows x64 binary.

On October 5th, 2022, we identified a new version of HermeticWiper that had been uploaded to VirusTotal. The functionality of this HermeticWiper sample is the same as that of the previous samples, with a few minor changes.

On October 11th, 2022, we detected Prestige ransomware used against logistics companies in Ukraine and Poland. This campaign was also reported by Microsoft.

On the same day, we also identified a previously unknown wiper, which we named NikoWiper. It was used against companies in the Ukrainian energy sector. NikoWiper is based on SDelete, a Microsoft command-line utility for securely deleting files.

On November 11th, 2022, CERT-UA published a blog post about an attack using the fake Somnia ransomware.

On November 21st, 2022, we detected in Ukraine a new ransomware written in .NET, which we named RansomBoggs. The ransomware contains many references to the movie Monsters, Inc. We observed that the malware operators used a POWERGAP script to deploy this filecoder.

January 2023

In 2023, destructive attacks on Ukrainian institutions continue.

On January 1st, 2023, we detected execution of the SDelete utility at a Ukrainian software retailer.

Another attack using multiple wipers, this time against a Ukrainian news agency, occurred on January 17th, 2023, according to CERT-UA. The following wipers were detected in this attack: CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe. BidSwipe is noteworthy, as it is a FreeBSD wiper.

On January 25th, 2023, we detected a new wiper, written in Go, which we named SwiftSlicer, deployed against Ukrainian local government entities.

In almost all of the cases mentioned above, Sandworm uses Active Directory Group Policy (T1484.001) to spread wipers and ransomware, specifically using the POWERGAP script.
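As an added, defensive illustration of the Group Policy deployment pattern just described (example code written for this page, not ESET's or CERT-UA's): it correlates a GPO modification (Windows Security Event ID 5136 on a groupPolicyContainer object) with subsequent process creations (Event ID 4688) whose image is served from SYSVOL. The event records are constructed; the hostnames, domain, GUID placeholder, timestamps and the two-hour window are assumptions.

```python
"""Added detection sketch (not ESET's or CERT-UA's code): correlate a Group Policy
object change (Windows Security Event ID 5136 on a groupPolicyContainer) with
later process creations (Event ID 4688) whose image is served from SYSVOL,
the footprint a GPO-pushed wiper leaves. Records are constructed, simplified
dicts; field names mirror the Windows event attributes."""
from datetime import datetime, timedelta

# Assumption: a SYSVOL execution this long after a GPO edit is still "related".
WINDOW = timedelta(hours=2)

# Constructed sample events (hosts, domain, GUID placeholder and times are invented).
EVENTS = [
    {"ts": "2022-04-08T12:00:00", "id": 5136, "host": "DC01",
     "ObjectClass": "groupPolicyContainer", "SubjectUserName": "svc_backup",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "ObjectDN": "CN={PLACEHOLDER-GUID},CN=Policies,CN=System,DC=example,DC=local"},
    {"ts": "2022-04-08T12:41:00", "id": 4688, "host": "WS17",
     "NewProcessName": "\\\\example.local\\SYSVOL\\example.local\\Policies\\{PLACEHOLDER-GUID}\\Machine\\caddy.exe"},
    {"ts": "2022-04-08T12:42:00", "id": 4688, "host": "WS17",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
    {"ts": "2022-04-09T09:00:00", "id": 4688, "host": "WS22",
     "NewProcessName": "\\\\example.local\\SYSVOL\\example.local\\scripts\\logon.exe"},
]

def _when(event):
    return datetime.fromisoformat(event["ts"])

def gpo_changes(events):
    """5136 events that touched a GPO container (needs Directory Service Changes auditing)."""
    return [e for e in events if e["id"] == 5136 and e.get("ObjectClass") == "groupPolicyContainer"]

def sysvol_executions(events):
    """4688 events whose new process image lives under a SYSVOL share."""
    return [e for e in events if e["id"] == 4688 and "\\sysvol\\" in e["NewProcessName"].lower()]

def correlate(events, window=WINDOW):
    """Return (host, image, changed GPO DN) for each SYSVOL execution within `window` after a GPO change."""
    hits = []
    for run in sysvol_executions(events):
        for change in gpo_changes(events):
            delay = _when(run) - _when(change)
            if timedelta(0) <= delay <= window:
                hits.append((run["host"], run["NewProcessName"], change["ObjectDN"]))
    return hits

if __name__ == "__main__":
    for host, image, dn in correlate(EVENTS):
        print(f"ALERT {host}: {image} ran shortly after GPO {dn} was modified")
```

On the sample data only the caddy.exe run on WS17 is flagged; the logon.exe run on WS22 falls outside the window and is left for a baseline of expected GPO scripts.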

Conclusion

The use of destructive wipers – and even wipers disguised as ransomware – by Russian APT groups, notably Sandworm, against Ukrainian organizations is nothing new. Since circa 2014, BlackEnergy has used destructive plugins; the KillDisk wiper was a common denominator in past Sandworm attacks; and the TeleBots subgroup launched many wiper attacks, the most famous of which is NotPetya.

But the intensification of wiper campaigns since the military invasion in February 2022 is unprecedented. On a positive note, many attacks have been detected and thwarted. However, we continue to monitor the situation vigilantly, as we expect the attacks to continue.

For any questions regarding our research published on WeLiveSecurity, please contact us at threatintel@eset.com.

ESET Research also offers private APT intelligence reports and data feeds. For any questions about this service, please visit the ESET Threat Intelligence page.

IoCs

Files

| SHA-1 | File name | ESET detection name | Information |
|---|---|---|---|
| 189166D382C73C242BA45889D57980548D4BA37E | stage1.exe | Win32/KillMBR.NGI | WhisperGate stage 1 MBR overwriter. |
| A67205DC84EC29EB71BB259B19C1A1783865C0FC | N/A | Win32/KillFiles.NKU | WhisperGate stage 2 final payload. |
| 912342F1C840A42F6B74132F8A7C4FFE7D40FB77 | com.exe | Win32/KillDisk.NCV | HermeticWiper. |
| 61B25D11392172E587D8DA3045812A66C3385451 | conhosts.exe | Win32/KillDisk.NCV | HermeticWiper. |
| F32D791EC9E6385A91B45942C230F52AFF1626DF | cc2.exe | WinGo/Filecoder.BK | HermeticRansom. |
| 86906B140B019FDEDAAABA73948D0C8F96A6B1B42 | dil | Linux/AcidRain.A | AcidRain. |
| AD602039C6F0237D4A997D5640E92CE5E2B3BBA3 | cl64.dll | Win32/KillMBR.NHP | IsaacWiper. |
| 736A4CFAD1ED83A6A0B75B0474D5E01A3A36F950 | cld.dll | Win32/KillMBR.NHQ | IsaacWiper. |
| E9B96E9B86FAD28D950CA428879168E0894D854F | clean.exe | Win32/KillMBR.NHP | IsaacWiper. |
| 5C01947A49280CE98FB39D0B72311B47C47BC5CC | clean.exe | Win32/KillMBR.NHP | IsaacWiper. |
| 59F5B9AECE751E58BE16E7F7A7A6D8C044F583BE | cll.exe | Win32/KillMBR.NHQ | IsaacWiper. |
| 172FBE91867C1D6B7F3E2899CEA69113BB1F21A0 | notes.exe | WinGo/KillFiles.A | DesertBlade wiper. |
| 46671348C1A61B3A8BFBA025E64E5549B7FDFA98 | N/A | Win32/KillDisk.NCV | HermeticWiper. |
| DB0DA0D92D90657EA91C02336E0605E96DB92C05 | clrs.exe | Win32/KillDisk.NCV | HermeticWiper. |
| 98B3FB74B3E8B3F9B05A82473551C5A77B576D54 | caddy.exe | Win32/KillDisk.NCX | CaddyWiper. |
| 320116162D78AFB8E00FD972591479A899D3DFEE | cpcrs.exe | MSIL/KillFiles.CK | DoubleZero wiper. |
| 43B3D5FFAE55116C68C504339C5D953CA25C0E3F | csrss.exe | MSIL/KillFiles.CK | DoubleZero wiper. |
| 48F54A1D93C912ADF36C79BB56018DEFF190A35C | ukcphone.exe | Win32/Agent.AECG | ArguePatch shellcode loader. |
| 6FA04992C0624C7AA3CA80DA6A30E6DE91226A16 | peremoga.exe | Win32/Agent.AECG | ArguePatch shellcode loader. |
| 9CE1491CE69809F92AE1FE8D4C0783BD1D11FBE7 | pa1.pay | Win32/KillDisk.NDA | Encrypted CaddyWiper shellcode. |
| 3CDBC19BC4F12D8D00B81380F7A2504D08074C15 | wobf.sh | Linux/KillFiles.C | AwfulShred Linux wiper. |
| 8FC7646FA14667D07E3110FE754F61A78CFDE6BC | wsol.sh | Linux/KillFiles.B | SoloShred Solaris wiper. |
| 796362BD0304E305AD120576B6A8FB6721108752 | eset_ssl_filtered_cert_importer.exe | Win32/Agent.AEGY | ArguePatch shellcode loader. |
| 8F3830CB2B93C21818FDBFCF526A027601277F9B | spn.exe | Win32/Agent.AEKA | ArguePatch shellcode loader. |
| 3D5C2E1B792F690FBCF05441DF179A3A48888618 | mslrss.exe | Win32/Agent.AEKA | ArguePatch shellcode loader. |
| EB437FF79E639742EE36E89F30C6A21072B86CBC | caclcly.exe | Win64/Agent.BQZ | CaddyWiper x64. |
| 57E3D0108636F6EE56C801F128306AD43AF60EE6 | cmrss.exe | Win32/KillDisk.NCV | HermeticWiper. |
| 986BA7A5714AD5B0DE0D040D1C066389BCB81A67 | open.exe | Win32/Filecoder.Prestige.A | Prestige filecoder. |
| C7186DEF5E9C3E1B01BF506F538F5D6185377A9C | sysate32.exe | Win32/Filecoder.Prestige.A | Prestige filecoder. |
| 59621F5EFC311FDFE66683266CE9CB17F8227B23 | mstc_niko.exe | Win32/DelAll.NAH | NikoWiper. |
| 84E6A010B372D845C723A8B8D7DDD8D79675DCE5 | Sullivan.1.v2.0.exe | MSIL/Filecoder.RansomBoggs.A | RansomBoggs filecoder. |
| F4D1C047923B9D10031BB709AABF1A250AB0AAA2 | Sullivan.1.v4.5.exe | MSIL/Filecoder.RansomBoggs.A | RansomBoggs filecoder. |
| 9A3D63C6E127243B3036BC0E242789EC1D2AB171 | Sullivan.2.v2.exe | MSIL/Filecoder.RansomBoggs.A | RansomBoggs filecoder. |
| BB187EB125070176BD7EC6C57CFF166708DD60E1 | Sullivan.2.v4.exe | MSIL/Filecoder.RansomBoggs.A | RansomBoggs filecoder. |
| 3D593A39FA20FED851B9BEFB4FF2D391B43BDF08 | Sullivan.v2.5.exe | MSIL/Filecoder.RansomBoggs.A | RansomBoggs filecoder. |
| 021308C361C8DE7C38EF135BC3B53439EB4DA0B4 | Sullivan.v4.5.exe | MSIL/Filecoder.RansomBoggs.A | RansomBoggs filecoder. |
| 7346E2E29FADDD63AE5C610C07ACAB46B2B1B176 | help.exe | WinGo/KillFiles.C | SwiftSlicer wiper. |
