ESET Finds Second Wiper Malware Affecting Ukrainian Systems
Security firm ESET says it has detected multiple forms of wiper malware in Ukraine. In addition to HermeticWiper, the company also found the IsaacWiper malware, which targeted Ukrainian government agencies.
The company’s security researchers have released more details about the wiper malware it discovered in Ukraine last week. At that time, ESET and Symantec found malware they called HermeticWiper. It affects the systems of Ukrainian companies and, after wiping those systems, removes itself by overwriting its own files with random data. According to ESET, this is to prevent researchers from getting a closer look at the malware.
HermeticWiper’s initial access vector is not yet known, but ESET confirms what it said last week: the malware was rolled out across networks via Active Directory. While ESET first spoke of “several hundreds of infections,” it now says it has encountered the wiper “at least at five companies.” An attack with HermeticWiper consists of three components. First, the wiper itself renders a system unusable by overwriting data. The second component is a ransomware component called HermeticRansom. It was written in Go and is reportedly used in a separate campaign. “This ransomware was deployed at the same time as HermeticWiper, possibly to hide the wiper,” the company said. The third component is HermeticWizard, a worm component that allows the wiper to spread through local networks via SMB and WMI.
In addition to HermeticWiper, ESET discovered a second destructive malware that it calls IsaacWiper. It reportedly targets mainly government institutions in Ukraine, but it is not clear how many of them have been affected. It is also unknown how IsaacWiper gains initial access. ESET says the code does not match HermeticWiper and that the malware is “much less sophisticated.” IsaacWiper is said to have been hitting Ukraine since February 24, but according to ESET, the malware was already present on some systems as early as October.
ESET says the malware struck hours before the Russian invasion of Ukraine. The company also has evidence that the malware had been present on victim systems for months before it struck. Despite this, ESET does not want to make a public attribution of who deployed the malware. The code reportedly does not match any malware already known to the company, and no link to known threat actors was found.