Amid Russia-Ukraine war, cybersecurity experts have witnessed a sudden increase in the number of wiper malware deployments.
Since February 24, Ukrainian security experts have unearthed at least seven new types of malwares employed by attackers to target Ukraine: AcidRain, WhisperGate, WhisperKill, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero.
Earlier this week, AT&T cybersecurity published a blogpost detailing the different types of wiper malware which we have covered below.
WhisperKill
On the night of January 14, anonymous hackers attempted to secure access to and deface the websites of more than 70 Ukrainian government agencies, according to Ukraine’s security service. The malware successfully defaced 22 websites and severely damaged six.
How it operates: The malware downloads a payload that wipes the Master Boot Record (MBR), then downloads a malicious file hosted on a Discord server, which drops and executes another wiper payload that destroys files on the compromised devices.
HermeticWiper
A month after, on February 23rd 2022, ESET Research discovered a new Wiper called HermeticWiper being used against hundreds of Ukrainian systems. The hackers then used a shell company to issue a certificate that allows bypassing detection capabilities, such as Microsoft Defender SmartScreen and built-in browser protections.
The malware collects all the data it wants to delete to maximize the impact of the wiping, it uses the EaseUS Partition Master driver to overwrite the selected parts of the disk with random data.
IsaacWiper
A day after the initial assault with HermeticWiper, on February 24th, 2022, a new wiper was used against the Ukrainian government, as reported by ESET, without any significant similarities to the HermaticWiper used the day before.
This wiper malware iterates through the filesystem, enumerates files and overwrites them. The behavior is similar to ransomware activity, but in this case, there is no decryption key. Once the data has been overwritten, it is lost.
AcidRain
On March 15, a new strain of wiper malware called AcidRain was discovered by researchers at SentinelLabs. AcidRain wiper was used in an attack against the Viasat KA-SAT satellite broadband service provider.
The attacker gained access to the management infrastructure of the provider to deploy AcidRain on KA-SAT modems used in Ukraine.
The wiper employed was the ELF MIPS wiper targeting Viasat KA-SAT modems, which aimed to firstly overwrite any file outside of the any common *nix installation: bin, boot, dev, lib, proc, sbin, sys, sur, etc. to then delete data from devices.
CaddyWiper
The first version of CaddyWiper was unearthed by ESET researchers on March 14 when it was used against a Ukrainian bank. Then it was employed again during the attack on the Ukrainian energy company on April 12.
The Wiper overwrites files on the computer with null byte characters, making them unrecoverable. This malware can be executed with or without administrator privilege. In both cases, it causes lethal damage to the target machine.
DoubleZero
On March 22, 2022 CERT-UA reported a new wiper used against their infrastructure and enterprises. Dubbed DoubleZero, the wiper was distributed as a ZIP file containing an obfuscated .NET program.
The wiper erases files in two ways: by overwriting them with zero blocks of 4096 bytes (FileStream.Write method) or using NtFileOpen, NtFsControlFile API calls (code: FSCTL_SET_ZERO_DATA).
To prevent further assaults, researchers recommended keeping systems up to date and sharing knowledge regarding cybersecurity. In addition, attacks can be avoided by having periodic backup copies of key infrastructure available.