WhisperGate and HermeticWiper: Critical Public Aware Vulnerabilities
WhisperGate Malware Is Targeting Ukraine
The Microsoft Threat Intelligence Center (MSTIC) has disclosed that malware known as WhisperGate is being used to target organizations in Ukraine and companies with connections to the country. According to Microsoft, WhisperGate is intended to be destructive and designed to render targeted devices inoperable.
Additionally, several cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine. According to SentinelLabs, the malware targets Windows devices only by manipulating the master boot record resulting in subsequent boot failure.
These attacks are not intended to be used to extract a ransom, but to cause the maximum IT outage possible in an organization, by turning all devices into expensive door stops.
The National Cyber Security Centre in the UK are not aware of any current specific threats to UK organizations in relation to events in and around Ukraine, but there has been a historical pattern of cyberattacks on Ukraine with international consequences.
Threat actors have deployed destructive malware, including both WhisperGate and HermeticWiper against organizations in Ukraine to destroy computer systems and render them inoperable.
A joint Cybersecurity Advisory (CSA) between the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) provided information on WhisperGate and HermeticWiper malware as well as open-source indicators of compromise (IOCs) for organizations to detect and prevent the malware.
This data has been provided to help secure the maximum number of organizations around the world.
Identifying WhisperGate
The following payloads are used to both infect and launch the WhisperGate attack. These are files which have known file hashes.
Even if the file name has changed, Syxsense can still detect this threat and keep your endpoints secure. The infection comes in 2 parts, first a stage file is copied to the PC which then launched stage 2 which causes the end result.
| Name | File Category | File Hash |
| WhisperGate | stage1.exe | a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 |
| WhisperGate | stage2.exe | dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 |
Identifying HermeticWiper
Any of the following payloads could be used to both infect and launch the HermeticWiper attack. These are files which have known file hashes, even if the file name has changed Syxsense can still detect this threat.
Similar to WhisperGate, these are files delivered initially as a Trojan, and from there it downloads and launches the sophisticated attack.
| Name | File Category | File Hash |
| Win32/KillDisk.NCV | Trojan | 912342F1C840A42F6B74132F8A7C4FFE7D40FB77 61B25D11392172E587D8DA3045812A66C3385451 |
| HermeticWiper | Win32 EXE | 912342f1c840a42f6b74132f8a7c4ffe7d40fb77 |
| HermeticWiper | Win32 EXE | 61b25d11392172e587d8da3045812a66c3385451 |
| RCDATA_DRV_X64 | ms-compressed | a952e288a1ead66490b3275a807f52e5 |
| RCDATA_DRV_X86 | ms-compressed | 231b3385ac17e41c5bb1b1fcb59599c4 |
| RCDATA_DRV_XP_X64 | ms-compressed | 095a1678021b034903c85dd5acb447ad |
| RCDATA_DRV_XP_X86 | ms-compressed | eb845b7a16ed82bd248e395d9852f467 |
| Trojan.Killdisk | Trojan.Killdisk | 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 |
| Trojan.Killdisk | Trojan.Killdisk | 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da |
| Trojan.Killdisk | Trojan.Killdisk | a64c3e0522fad787b95bfb6a30c3aed1b5786e69e88e023c062ec7e5cebf4d3e |
| Ransomware | Trojan.Killdisk | 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 |
Increase Your Endpoint Security with Syxsense
Using the power and intelligence of the vulnerability scanning engine within Syxsense Cortex, you can detect these malicious threats before it damages your devices.
You may configure the actions to keep your environment safe, such as simply deleting the file or to completely isolate the device from the network — this can stop a widespread attack in its tracks. You decide on the risk you are prepared to take!
These can be found within the extensive library of security scripts under “WhisperGate” and “HermeticWiper.”
