# DiskKill/HermeticWiper, a disruptive cyber-weapon targeting Ukraine’s critical infrastructures

**[yoroi.company/research/diskkill-hermeticwiper-a-disruptive-cyber-weapon-targeting-ukraines-critical-infrastructures/](https://yoroi.company/research/diskkill-hermeticwiper-a-disruptive-cyber-weapon-targeting-ukraines-critical-infrastructures/)**

February 26, 2022

**Introduction**

During the early hours of Thursday 24 February 2022, Russia launched an attack on the
country of Ukraine due to the ongoing dispute over its possible inclusion within NATO
countries. This event has led to a tense geo-political climate within the eurozone.

All the shared Initial information shows that the attack by Russian troops was anticipated by a
series of cyber-attacks aimed at delaying communications and creating services interruptions
in IT infrastructures of Ukrainian political and military bodies.

The analyzed samples are connected to a new cyber tool dubbed DiskKill/HermeticWiper,
this dangerous malware was designed to make every disk unusable connected to a server
infected with the malicious code.


-----

According to the technical analysis of Yoroi CERT it has been observed the use of two
distinct variants of the sample: one developed by the cyber-warfare departments of GRU, on
23 February at 12:48:53 of Moscow’s time zone, a day before the invasion, meanwhile the
second one at 11:37:16 of Moscow’s time zone on 28 December 2021 58 days before the
start of offensive operations in the Ukraine territory.

CERT-Yoroi proceeded with an elevated urgency to analyze samples related to the current
invasion retrieved from the European intelligence community.

**Technical Analysis**

HermeticWiper is a cyber weapon aimed at disrupting the victim system and making
postmortem forensic analyses harder. It has been published on VirusTotal platform the day
2022-02-23 at 18:14:17 UTC

The sample has the following static information

Hash 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

Threat DiskKill/HermeticWiper


Brief
Description


Wiper used in the Cyberattacks against Ukraine


SSDEEP 1536:sBOoa7Nn52wurilmw9BgjKu1sPPxaSLyqC:sBOoa7P2wxlPwV1qPkSuqC

Table 1: static information about the sample
Once executed, it tries to manipulate the privileges using the technique T1134 described in
MITRE ATT&CK and elevate itself to “SeBackupPrivilege” and “SeLoadDriverPrivilege”.

The code performing this manipulation is the following:


-----

**Figure 1: Evidence of Privilege Escalation**
When these privileges are successfully gained, the malware can execute all its malicious
operations, and the most disruptive is the disk and backup manipulation. DiskKill abuses
legitimate drivers to manipulate and modify the disks. These drivers are located inside the
sample’s resources as you can see from the following code:


-----

Figure 2: Loading

the drivers
RCDATA Resource contains these drivers compiled for both 32 and 64-bit architectures, in
order to adapt the right execution to the victim machine. Each resource is compressed by
using ms-compress. In particular, the driver is a legit component of the “EaseUS Partition
Master” tool, a widely used disk management utility. This allows attackers to manipulate and
corrupt the accesses to the disk drives leveraging the LOLbas attack methods.

Figure 3: Content of RCDATA
After loading the necessary drivers, the malware stores the just extracted file into the special
path %System32%, before using it:


-----

Figure 4: Disabling Shadow copy
Then, the sample proceeds to disable the dump feature in case of a crash modifying the
registry key “HKLM\SYSTEM\CurrentControlSet\Control\CrashControl”

Figure 5: Disabling the CrashDump feature
Another interesting capability presented by the sample is to the Shadow Copy service
disabling, in order to avoid even a partial recovery of the files and the

Figure 6: Disabling Shadow copy


-----

The destructive capability of the malware is tampering and wiping the disk data, by carrying
out a cycle of 100 iterations on the “\\.\PhysicalDrive” object who it can access thanks to the
permissions it gained before thanks to DeviceIoControl:

Figure 7: Gaining access to the Physical Driver
Once the malware gets access to the disk, it checks if it uses NTFS or FAT file systems,
through parsing the table formats. After that, depending on the case it starts to compromise
the drives by using the functions “CryptAcquireContextW” and “CryptGenRandom” from the
Microsoft Crypto API.


-----

Figure 8: Evidence of the access to the NTFS and FAT partitions
Another interesting feature of the sample is the use of multi-threaded functions to execute all
the malicious operations, efficiently parallelizing every malicious activity on the disk.

Figure 9: Multithread uses

**Conclusion**

HermeticWiper is a new type of sabotage malware aimed to slowing down the
communications among the critical infrastructures in Ukraine. In this moment, there are no
evidence of cyber-attacks of this kind are targeting other parts of the world, anyway, it is
comprehensible that organizations need to re-evaluate their current cyber-risk, considering
the fact that we are possibly entering into a larger cyber operation.


-----

However, during these last critical hours, where the real war has been anticipated by the
spreading of sabotage cyber weapons, like DDoS attacks and wipers, like this one just
analyzed, in the other part of the world, many companies and organizations are shocked and
are going into a panic. The cyber defender job is lead by ethics, and critical thinking to
analyze and provide the strategy to protect our customers from cyber-attacks in the best way,
trying to limit the panic and the confusion created by such attacks, and at the same time by
providing actionable information for our customers, and the security community.

**Indicator of Compromise**

1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
96b77284744f8761c4f2558388e0aee2140618b484ff53fa8b222b340d2a9c84
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da

**Yara Rules**
```
rule hermetic_wiper { 
  meta: 
    description = "Yara rule for the detection of DiskKill/HermeticWiper sample" 
    author = "Yoroi Malware ZLab" 
    last_updated = "2022-02-24" 
    tlp = "WHITE" 
    category = “informational” 
  strings: 
    $a =
{458c660fd6459cffd350ffd78bf885ff0f84f70000006a008d8578ffffff506a60576a006a006864000900
  condition: 
    $a and uint16(0) == 0x5A4D 
}

```
_This blog post was authored by Luigi Martire, Carmelo Ragusa, and Luca Mella of Yoroi_
_Malware ZLAB_


-----