MAR-10375867-1.v1 – HermeticWiper
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.
CISA received seven files for analysis. Five of these files were identified as the HermeticWiper, all digitally signed by Hermetica Digital Ltd. The other two files are 32-bit and 64-bit copies of the EaseUS Partition Master NT Driver (EPMNTDrv), all digitally signed by Chengdu Yiwo Technology Development Co., Ltd with an expired certificate issued in 2012. The wiper contains four copies of compressed EPMNTDrv in its resource section. Each EPMNTDrv targets different versions and architectures of the Windows operating system (OS). Upon execution of the wiper, it extracts, expands, registers the driver with a service key and starts the service immediately. After the driver service is started and the driver process lives in memory, the service key and associated driver files are deleted. The driver process enables the wiper to conduct read and write directly on the disk.
The wiper overwrites the Master boot record (MBR), New Technologies File System (NTFS) boot sector and data and attributes the system relies on for a system restoration. The wiper sets a sleep timer, which can be its first numeric input. If the wiper runs with the administrative privilege or if the wiper's name begins with the 'c' character, the expiration of the timer will trigger a forced system shutdown followed by an immediate reboot, rendering the system useless at that point. Before the timer expires, the wiper continues the fragmentation process on the disk and overwrites the File Allocation Table (FAT) file system Boot Sector or the NTFS Master File Table (MFT) and its backup in $MFTMirr, user's files from user's directories and the attributes and data contents of the Windows Event Logs with random bytes. The wiper will stop the fragmentation, locate the allocated clusters and overwrite them with random bytes. Finally, the wiper overwrites itself with random bytes and the wiping process is terminated.
Two of the 'newer' HermeticWiper compiled in 2022 will detect the role of the infected system. If the system is a Domain Controller, the wiper will wait for three minutes to complete the overwriting of the MBR, boot sector and system restore directory attributes and data with random bytes before it exits. The domain controller continues to function until the next reboot.
For a downloadable copy of IOCs, see: MAR-10375867-1.v1.stix
Submitted Files (7)
Additional Files (6)
This file is identified as a 32-bit HermeticWiper. The resource section of the HermeticWiper is embedded with four SZDD compressed driver files as displayed in Figure 1. Depending on the OS major version and system architecture type (32-bit/64-bit), the corresponding SZDD compressed file will be extracted into the System32 directory and expanded to a driver file <random-2-characters>dr.sys (Figures 2-4). The expanded file is a copy of the EaseUs Partition Manager (epmntdrv.sys). The wiper enables SeLoadDriverPrivilege and registers the driver as a system service. The new system service starts immediately and the driver process runs in memory. Then the wiper immediately removes the following registry key and deletes the SZDD file and the expanded driver file from System32 in order to remove its tracks on the victim's system.
--Begin sample device service installed--
In preparation, the wiper disables the crash dump service by disabling the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled key. In addition, the wiper disables the Volume Snapshot Service (VSS).
In order to run on user mode, the wiper enables SeBackupPrivilege. If the wiper's name begins with a 'c', it will reconstruct the "SeShutDownPrivilege" string and enable it (Figure 5). The SeShutDownPrivilege is necessary for the wiper when it runs in user mode, to be able to execute InitiateSystemShutdownExW, which is configured to force applications to close, shutdown the system without warning and immediately force a reboot (Figure 13, line 199). The SeShutDownPrivilege is not needed if the wiper runs on administrative privilege; the system will shutdown and reboot regardless of the wiper's name.
The wiper uses the same method to locate and wipe files. First, it locates target files and stores their disk locations into a customized structure type. Meanwhile, a random buffer is generated using CryptGenRandom (Figure 7) for each group of targeted files and stored into the same structure. The stuffed structure is passed to a wipe function, which runs as a separated process thread later in the program (Figure 6).
The wiper coordinates the destruction process into groups, each handled by its own process thread. First, the wiper creates a thread to overwrite itself (Figure 13, lines 173, 209). This thread is passed to WaitForMultipleObjects which waits till the very end when the overwrite occurs.
Next, the wiper makes the system unusable and cannot be revived. First, the wiper locates the MBR and the boot sector of all available physical drives from 0 to 100 (Figure 13, lines 178-179). Then it generates a 4096 byte buffer filled with random bytes. 4096 is the Windows default allocation size (Figure 8). The destruction of MBR and boot sector render the OS unable to reboot (Figure 13, line 213).
Then, the wiper makes it impossible to restore the system by overwriting the $I30 and the $DATA attributes of the C:\System Volume Information directory (Figure 13, lines 183 and 213). The C:\System Volume Information directory contains system restore points and information used by VSS.
--Begin target attributes--
Then the wiper starts a low priority process thread for fragmentation, skipping the following Windows system directories when enumerating files (Figure 13, line 203 and Figure 9). User files that are not in the following directories will be fragmented using FSCTL_GET_RETRIEVAL_POINTERS to obtain the file's allocation and location on disk. The output is randomized and passed to FSCTL_MOVE_FILE to relocate the file's virtual clusters (Figure 10).
--Begin skipped directories--
In this newer version of HermeticWiper that was compiled in 2022 ensures the wiper will bring down a Domain Controller in the shortest possible time. First, the wiper checks for the presence of C:\Windows\SYSVOL using GetFileAttributesW (Figure 13, line 220). The SYSVOL directory indicates the victim's system is a Domain Controller Server, which is responsible for security authentication requests within a domain. In this case, the wiper waits for three minutes to ensure the destruction of the MBR, boot sector and data requires for a system restore (that already happened in the thread created in Figure 13, line 211). The wiper process and all its process threads exit (Figure 13, lines 220-224). The domain controller continues to function until the next reboot.
The second stage of data wipe continues on systems that are not identified as a Domain Controller server (Figure 14) .
The wiper will locate the MFT and its backup in the $MFTMirr file in NTFS, or the Boot Sector in a FAT file system (Figure 11) of all available physical drives from 0 to 100 and store them in a customized structure to be wiped later (Figure 14, lines 228-229, 266). A buffer with random bytes is also generated and passed to the structure.
Then it locates $Bitmap (contains clusters allocation statuses) and $LogFile (contains journals of metadata transactions) from all available logical drives, such as "C:\" and "D:\" (Figure 14, line 232) and stores them in the same customized structure for these data to be wiped later (Figure 14, line 266).
Next, it recursively locates users files from the user's directory, avoiding the AppData directory and user filename that contains the "ntuser" string. It also recursively locates files under the user's Desktop and My Document directory (Figure 14, lines 236, 239). These locations are also stored into the same customized structure to be wiped later (Figure 14, line 266).
The C:\Windows\System32\winevt\Logs directory contains all Windows events logs. The locations of $I30 (includes $INDEX_ROOT and $INDEX_ALLOCATION) as well as locations of $DATA attributes are collected into the same customized structure for these data to be wiped later (Figure 14, lines 242, 266).
The wiper terminates the data fragmentation in 30 seconds, then calls the same function utilizing FSCTL_GET_VOLUME_BITMAP to obtain occupied clusters in a volume. This information is passed to a separated write structure to be wiped by random buffer later (Figure 14, line 267).
The HermeticWiper accepts up to two optional numeric inputs (Figure 15). The first numeric input is used to set the first sleep timer that triggers InitiateSystemShutdownExW in a process thread (Figure 13, line 197). If no input is provided, the resulting 34 minutes will be used and the least significant four digits in milliseconds are randomized (Figure 13, lines 187-192) before passing to the sleep timer. That randomization in sleep time is negligible when measuring in minutes. The second numeric input, if provided, will be compared with the first input and the smaller value will be used. If no input is provided, the resulting 19 minutes will be used and the least significant four digits in milliseconds are randomized (Figure 14, lines 244-253). This second sleep time keeps the main wiper thread alive.
This HermeticWiper variant is signed with the following digital certificate issued by Hermetica Digital Ltd as displayed below:
--Begin Digital Certificate--
X509v3 Subject Key Identifier:
X509v3 Certificate Policies:
Authority Information Access:
X509v3 Basic Constraints: critical
Figure 1 - The resource section contains four versions of compressed epmntdrv.sys, targeting 32-bit and 64-bit Windows OS.
Figure 2 - One of the four compressed driver files is extracted from the resource section based on the OS major version and system architecture (x86/x64).
Figure 3 - The SZDD is extracted and decompressed by LZOpenFileW followed by LZCopy. The decompressed file is given a .sys extension, registered as a driver service which is started immediately. The installed service key, the SZDD compressed resource and the .sys files are deleted afterwards.
Figure 4 - This algorithm generates a four-character string as the name of the driver and its associated service key. The name contains two random characters and ends with a static string "dr". The indexes to select the first and second character are computed differently, with the variable v12 in the screenshot corresponding to the first character and v12 corresponding to the second character.
Figure 5 - The string "SeShutDownPrivilege" that passed to LookupPrivilegeValueW will be deobfuscated if the wiper's name begins with the 'c' character. Enabling SeShutDownPrivilege allows the wiper with only user privilege to shutdown the system using InitiateSystemShutdownExW. The SeBackupPrivilege allows the retrieval of file content, skipping the Access Control List (ACL) security check. This privilege is enabled by default to permit the wiper that runs with only user privilege to read and write any files.
Figure 6 - Snippet of the function that overwrites saved locations on disk using the 4096 bytes buffer filled with random data generated by CryptGenRandom. This function is used to wipe different groups of data as follows: Figure 13, line 207 (to erase the malware file), Figure 13, line 211 (to erase MBR, MBS and C:\System Volume Information), Figure 14, line 266 (to erase MFT, $Bitmap, $Logfile, users files and Windows Event Logs) and Figure 14, line 267 (to erase allocated clusters).