WhisperGate and HermeticWiper: Critical Public Aware Vulnerabilities

WhisperGate Malware Is Targeting Ukraine

The Microsoft Threat Intelligence Center (MSTIC) has disclosed that malware known as WhisperGate is being used to target organizations in Ukraine and companies with connections to the country. According to Microsoft, WhisperGate is intended to be destructive and designed to render targeted devices inoperable.

Additionally, several cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine. According to SentinelLabs, the malware targets only Windows devices, manipulating the master boot record so that subsequent boots fail.

These attacks are not intended to extract a ransom, but to cause the maximum possible IT outage in an organization by turning all devices into expensive door stops.

The National Cyber Security Centre in the UK is not aware of any current specific threats to UK organizations in relation to events in and around Ukraine, but there has been a historical pattern of cyberattacks on Ukraine with international consequences.

Threat actors have deployed destructive malware, including both WhisperGate and HermeticWiper, against organizations in Ukraine to destroy computer systems and render them inoperable.

A joint Cybersecurity Advisory (CSA) between the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) provided information on WhisperGate and HermeticWiper malware as well as open-source indicators of compromise (IOCs) for organizations to detect and prevent the malware.

This data has been provided to help secure the maximum number of organizations around the world.

Identifying WhisperGate

The following payloads are used to both infect and launch the WhisperGate attack. These are files which have known file hashes.

Even if the file name has changed, Syxsense can still detect this threat and keep your endpoints secure. The infection comes in two parts: first a stage file is copied to the PC, which then launches stage 2, which causes the end result.

Name | File Category | File Hash
WhisperGate | stage1.exe | a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
WhisperGate | stage2.exe | dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
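
An added example, not Syxsense's code or part of the original article: detection by content hash as described above, so that a renamed copy is still flagged. The sample rows, labels and file contents are constructed; the digest type is inferred from the hex length, because published indicator lists mix MD5, SHA-1 and SHA-256 values and letter case.

```python
import hashlib
import tempfile
from pathlib import Path

# Hex length -> digest type; published indicator lists often mix all three.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")

def parse_iocs(text):
    """Rows are 'name category hash'; returns {algo: {digest: label}}."""
    iocs = {}
    for line in text.splitlines():
        *label, digest = line.split() or [""]
        digest = digest.lower()  # upper- and lower-case duplicates collapse
        algo = ALGO_BY_LEN.get(len(digest))
        if algo is None or set(digest) - HEX:
            continue  # header row, blank line or malformed value
        iocs.setdefault(algo, {}).setdefault(digest, " ".join(label))
    return iocs

def file_digests(path, algos, chunk=1 << 20):
    """Stream the file once, feeding every digest type the list uses."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def scan(root, iocs):
    """Return (file name, algo, label) for every file whose content matches."""
    hits = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        try:
            digests = file_digests(path, iocs)
        except OSError:
            continue  # locked or unreadable file: skip, do not abort the sweep
        hits += [(path.name, a, iocs[a][d]) for a, d in digests.items() if d in iocs[a]]
    return hits

def demo():
    payload = b"constructed stand-in bytes, not a real sample"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "renamed_report.exe").write_bytes(payload)  # name differs from the list
        Path(d, "notes.txt").write_bytes(b"benign")
        feed = ("Name File Category File Hash\n"
                f"SampleA stage1.exe {hashlib.sha256(payload).hexdigest()}\n"
                f"SampleA Win32 EXE {hashlib.sha1(payload).hexdigest().upper()}\n")
        return scan(d, parse_iocs(feed))
```

Calling demo() returns one hit per matching digest type for the renamed file and none for notes.txt.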

Identifying HermeticWiper

Any of the following payloads could be used to both infect and launch the HermeticWiper attack. These are files which have known file hashes; even if the file name has changed, Syxsense can still detect this threat.

Similar to WhisperGate, these files are delivered initially as a Trojan, which then downloads and launches the sophisticated attack.


Increase Your Endpoint Security with Syxsense

Using the power and intelligence of the vulnerability scanning engine within Syxsense Cortex, you can detect these malicious threats before they damage your devices.

You may configure actions to keep your environment safe, such as simply deleting the file or completely isolating the device from the network, which can stop a widespread attack in its tracks. You decide on the risk you are prepared to take!

These can be found within the extensive library of security scripts under “WhisperGate” and “HermeticWiper.”