SECURITY

Detecting HermeticWiper

As stated in our previous threat advisory STRT-TA02 in regards to destructive software, past historical data suggests that for malicious actors to succeed in long-standing campaigns they must improve and add new ways of making their payloads stealthier, resistant, and damaging. HermeticWiper introduces some unique features, applying destructive actions on compromised hosts. In addition to other commonly known wiper destructive features, HermeticWiper also presents the following unique behaviors: 

  • Interacts with the system via signed driver
  • Disables crash dump functionality (Anti-Forensic)
  • Modifies “GlobalFolderOptions” registry at file permission level (NTFS)
  • Checks for FAT (Windows XP) and NTFS (Windows OS newer than XP using NTFS)
  • Corrupts (Destroys) MBR and NTFS file system 
  • Reported to have been deployed via Group Policy Object (Windows Active Directory Group Policy Object)
     

This payload is another destructive tool in the ongoing campaign which has included DDoS attacks, web defacements, MDM attacks, Microsoft SQL attacks and now two known as of yet destructive payloads. 

STRT has also released a new analytic story covering HermeticWiper itself. We have collected information about the observed vectors in relation to HermeticWiper according to several security vendors including Symantec, ESET, Sentinel One. The following diagram shows a visual flow of the observed attack vectors per tactic.


As seen above malicious actors are gaining initial access by either compromising publicly exposed services or via spear phishing, following the establishment of persistence and privilege escalation via web shells or the use of schtasks, PowerShell payloads, and finally deploying additional payloads via certutil.exe or Powershell which include genuine wiper payloads and ransomware decoy binaries seeking to distract and delay defense and containment from defenders.  Here is a brief breakdown of HermeticWiper features and detections.

HermeticWiper Analysis

Signed driver (hermetic name reference)

Dropping Driver Component Base on Windows Version (XP or above)

This wiper will first adjust its token privileges with “SeShutdownPrivilege” and “SeBackupPrivilege” for later purposes like initiating shutdown or accessing files with high-security descriptor context. 

It contains 4 compressed drivers in its RSRCsection. It will drop one of those drivers depending on the Windows version or OS architecture of the compromised host by using VerifyVersionW API. Below is the summary table of the RSRC TYPE ID and the name of its rsrc entry for each driver.
 

RSRC TYPE ID

RSRC NAME

Description

RCDATA

DRV_X64

Driver for x64 bit architecture

RCDATA

DRV_X32

Driver for x32 bit architecture

RCDATA

DRV_XP_X64

Driver for lower version OS (e.g XP) x64 bit architecture

RCDATA

DRV_XP_X64

Driver for lower version OS (e.g XP) x32 bit architecture


Then it will generate random characters based on the current process ID of its running process. Once the wiper parses the needed rsrc entry, and has a filename, It will locate the C:\windows\system32\Drivers folder to drop its driver component. 

The driver extracted from the rsrc section of this wiper is in LZW compressed (SZDD file format). The screenshot below shows how it uses LZ API to decompress that to retrieve the actual driver binary file.

Interestingly during analysis, we found out that it drops both the compressed driver (<4 char random name> without file extension) and also the actual driver (<4 char random name> with .sys file extension) in C:\windows\system32\Drivers. Then it will delete the compressed version afterwards.

Disable Crash Dump

It also has some features where it disables the generation of crash dumps of the compromised host that serve as anti-forensic techniques. This is done by modifying a registry as shown in the screenshot below:

Loading The Driver

The way it loads its driver component is by creating a service entry for that file. First It will adjust its token privilege with “SeLoadDriverPrivilege”. If the service related to its driver does not exist it will just create and start a new service for it using CreateServiceW() and StartServiceW() API. If it already exists but is not active, it will modify the service config of that kernel driver to DEMAND_START to start the service. Below is the code, how it uses ChangeServiceConfigW() API to change the status of its driver if it is not active. This driver is a legitimate component of the EaseUS Partition Master application. This file was leveraged by this wiper to interact and retrieve storage device information for its destructive purposes.

Corrupting Boot Sectors

The wiper starts to enumerate all possible physical devices connected to the compromised host (range 0-100 device). Below is the code how it enumerates all the devices and retrieves partition information of each device using DeviceIoControl() API. The function named “mw_GetDeviceNumberAndGeometry” is the function it uses to check if the physical device is “FILE_DEVICE_DISK” type or not.

It also checks what File System type is present at Device, if it is either “NTFS” OR “FAT”. This checking will help the wiper to enumerate all of its partitions to corrupt all possible boot records on it.  It also looks for known NTFS files like $Bitmap, $LogFile, $DATA, and many more to be overwritten as part of its file destruction payload.

Below is the code of the Volume Boot Record partition before and after the infection of Hermetic wiper to the compromised host.

Other Registry Modification

It also has a thread that will modify certain GlobalFolderOptions registry related to showing compressed files and information tips.

Trigger Shutdown

Another thread of this malware is responsible for shutting down the compromised host to make the corruption of boot sectors take effect.

Other Behaviors

  1. Check the C:\Windows\SYSVOL attribute using GetFileAttributeW() API. If the API returns an invalid handle(possible return if the folder path does not exist) or if it is a folder path it will continue the execution if not exit the process.
  2. Disables the VSS service which is related to volume shadow copy service to disable creation of backup copies. 
     

It also has a function that can dismount or lock a disk volume.

PartyTicket Analysis

During eset analysis in this incident, they found another binary where they named it as “Hermetic Ransom”. This is a Golang compiled ransomware binary where it tries to encrypt files in the compromised host. Below is the screenshot of its code snippet where it renames the encrypted files with “.encryptedJB” file extension.

It will also drop a ransomware note in the desktop named as “read_me.html” to inform the user that their machine is compromised and encrypted.

Aside from its encryption features, this binary uses strings to its code function name that reference US President Biden.

Detections

The following detections are focused specifically on HermeticWiper, Splunk STRT has a significant number of analytic stories that cover Ransomware which should also be considered when detecting and hunting for these types of threats. 

Windows File Without Extension In Critical Folder 

This analytic is to look for suspicious file creation in the critical folder like "System32\Drivers" folder without file extension.

| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\System32\\drivers\\*", "*\\syswow64\\drivers\\*") 

  by _time span=5m Filesystem.dest Filesystem.user

  Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.file_create_time 

  | `drop_dm_object_name(Filesystem)` 

  | rex field="file_name" "\.(?<extension>[^\.]*$)" 

  | where isnull(extension)

  | join process_guid 

  [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes

      by _time span=5m Processes.process_name Processes.dest Processes.process_guid

      Processes.user 

  | `drop_dm_object_name(Processes)`] 

  | stats count min(_time) as firstTime max(_time)

  as lastTime by dest process_name process_guid file_name file_path file_create_time user 

  | `security_content_ctime(firstTime)` 

  | `security_content_ctime(lastTime)`



Windows Raw Access To Master Boot Record Drive

This analytic is to look for suspicious raw access read to the device where the master boot record is placed.
 

`sysmon` EventCode=9 Device = \\Device\\Harddisk0\\DR0 NOT (Image IN("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")) 

  | stats count min(_time) as firstTime max(_time) as lastTime by Computer Image Device ProcessGuid ProcessId EventDescription EventCode

  | `security_content_ctime(firstTime)`

  | `security_content_ctime(lastTime)`



Windows Disable Memory Crash Dump

The following analytic identifies a process that is attempting to disable the ability on Windows to generate a memory crash dump.
 

| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry

  where (Registry.registry_path=“*\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled”) AND Registry.registry_value_data=“0x00000000" by _time span=1h Registry.dest Registry.user

  Registry.registry_path Registry.registry_value_name Registry.registry_value_data

  Registry.process_guid Registry.registry_key_name  | `drop_dm_object_name(Registry)`

  |join process_guid [| tstats `security_content_summariesonly`

  count FROM datamodel=Endpoint.Processes by _time span=1h Processes.process_id Processes.process_name

  Processes.process Processes.dest Processes.parent_process_name Processes.parent_process

  Processes.process_guid | `drop_dm_object_name(Processes)`  | fields _time dest user parent_process_name parent_process process_name

  process_path process process_guid registry_path registry_value_name registry_value_data

  registry_key_name] | table _time dest user parent_process_name parent_process process_name

  process_path process process_guid registry_path registry_value_name registry_value_data

  registry_key_name




Windows Modify Show Compress Color And Info Tip Registry
 

| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry

  where Registry.registry_path = "*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced*" 

  AND Registry.registry_value_name  IN("ShowCompColor", "ShowInfoTip") 

  by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name

  Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)`

  |rename process_guid as proc_guid |join proc_guid, _time [| tstats `security_content_summariesonly`

  count FROM datamodel=Endpoint.Processes by _time span=1h Processes.process_id Processes.process_name

  Processes.process Processes.dest Processes.parent_process_name Processes.parent_process

  Processes.process_guid | `drop_dm_object_name(Processes)` |rename process_guid as

  proc_guid | fields _time dest user parent_process_name parent_process process_name

  process_path process proc_guid registry_path registry_value_name registry_value_data]

  | table _time dest user parent_process_name parent_process process_name process_path

  process proc_guid registry_path registry_value_name registry_value_data


This analytic is to look for suspicious registry modification related to file compression color and information tips.


Name

Technique ID

Tactic

Description

CMD Carry Out String Command Parameter 

T1059.003

Execution

The following analytic identifies command-line arguments where cmd.exe /c is used to execute a program

Executable File Written in Administrative SMB Share 

T1021.002

Lateral Movement

The following analytic identifies executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$)

Regsvr32 Silent and Install Param Dll Loading 

T1218.010

Defense Evasion

This analytic is to detect a loading of dll using regsvr32 application with silent parameter and dllinstall execution.

Executables Or Script Creation In Suspicious Path

T1036

Execution

This analytic will identify suspicious executable or scripts (known file

  extensions) in list of suspicious file paths in Windows.


Suspicious Process File Path

T1543

Persistence, Privilege Escalation

The following analytic will detect a suspicious process running in a file path where a process is not commonly seen and is most commonly used by malicious software.

Impacket Lateral Movement Commandline Parameters

T1021
T1021.002
T1021.003
T1047
T1543.003

Lateral Movement
Execution
Persistence, Privilege Escalation

This analytic looks for the presence of suspicious commandline parameters typically present when using Impacket tools.

RunDLL Loading DLL By Ordinal

T1218
T1218.011

Defense Evasion

The following analytic identifies rundll32.exe loading an export function by ordinal value.

WevtUtil Usage To Clear Logs 

T1070.001

Defense Evasion

The wevtutil.exe application is the windows event log utility. This searches for wevtutil.exe with parameters for clearing the application, security, setup, powershell, sysmon, or system event logs.

Windows Raw Access To Disk Volume Partition(New)

T1561.002

Impact

This analytic is to look for suspicious raw access read to device disk partitions of the host machine.

Windows Modify Show Compress Color And Info Tip Registry(New)

T1112

Defense Evasion

This analytic is to look for suspicious registry modification related to file compression color and information tips. 

Windows Disable Memory Crash Dump(New)

T1485

Impact

The following analytic identifies a process that is attempting to disable the ability on Windows to generate a memory crash dump.

Windows File Without Extension In Critical Folder (New)

T1485

Persistence, Privilege Escalation

This analytic is to look for suspicious file creation in the critical folder like "System32\Drivers" folder without file extension. 

Windows Raw Access To Master Boot Record Drive(New)

T1561.002

Impact

This analytic is to look for suspicious raw access read to drive where the master boot record is placed.


Mitigation 

Many of these exploits can be prevented by following CISA guides for preparation and hardening of systems, applications, and networks, including MDM attacks as well. There is also a free HermeticRansom/PartyTicket decryptor by AVAST and CrowdStrike. The following table shows Splunk coverage of the aforementioned attack vectors in this ongoing campaign. 
 

Attack Vectors

Tactic

TTP

Splunk Coverage

Microsoft SQL Server

CVE-2021-1636

Privilege Escalation

T1068

Windows Privilege Escalation

Webshell

Persistence

T1505

W3WP Spawning Shell 

Tomcat

Initial Access

T1190

Linux Java Spawning Shell

Use of certutil.exe 

Command & Control 

T1105

Ingress Tool Transfer

Use Schtasks to execute payloads 

Execution, Persistence, Privilege Escalation

T1053

Windows Persistence Techniques

Powershell payload execution

Execution

T1059.001

Malicious Powershell

Deployment via GPO

Defense Evasion, Privilege Escalation

T1484

Windows Privilege Escalation

Ransomware Decoys

HermeticRansom/ PartyTicket

Defense Evasion

T1027

Ransomware

Ransomware Investigate & Contain

Ransomware Cloud

Spearphishing 

Initial Access 

T1566.002

Spearphishing attachments 

Suspicious Emails

HermeticWiper Analytic Story is available in ESCU release v3.36.0

Also available from Splunk SOAR for automated response against these threats:


Learn More

You can find the latest content about security analytic stories on research.splunk.com. For a full list of security content, check out the release notes on Splunk Docs.

Contributors

We would like to thank the following for their contributions to this post.

  • Teoderick Contreras
  • Rod Soto
  • Jose Hernandez
  • Patrick Barreiss
  • Lou Stella
  • Mauricio Velazco 
  • Michael Haag
  • Bhavin Patel
  • Eric McGinnis

 

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.


Read more Splunk Security Content

TAGS

Detecting HermeticWiper

Show All Tags
Show Less Tags

Join the Discussion