A new data wiper malware has been observed deployed against an unnamed Ukrainian government network, a day after destructive cyber attacks struck multiple entities in the country ahead of the start of Russia's military invasion.
Slovak cybersecurity firm ESET dubbed the new malware "IsaacWiper," which it said was detected on February 24 in an organization that was not affected by HermeticWiper (aka FoxBlade), another data-wiping malware that targeted several organizations on February 23 as part of a sabotage operation aimed at rendering the machines unusable.
Further analysis of the HermeticWiper attacks, which infected at least five Ukrainian organizations, has revealed a worm component that propagates the malware across the compromised network and a ransomware module that acts as a "distraction from the wiper attacks," corroborating a prior report from Symantec.
"These destructive attacks leveraged at least three components: HermeticWiper for wiping the data, HermeticWizard for spreading on the local network, and HermeticRansom acting as a decoy ransomware," the company said.
In a separate analysis of the new Golang-based ransomware, Russian cybersecurity company Kaspersky, which codenamed the malware "Elections GoRansom," characterized it as a last-minute operation, adding it was "likely used as a smokescreen for the HermeticWiper attack due to its non-sophisticated style and poor implementation."
As an anti-forensic measure, HermeticWiper is also designed to hinder analysis by erasing itself from the disk: it overwrites its own file with random bytes before deletion, so the original binary cannot be recovered for examination.
ESET said it hasn't been able to find "any tangible connection" to attribute these attacks to a known threat actor. But the malware artifacts unearthed so far make it clear that the intrusions had been planned for several months, with the targeted entities compromised well in advance of the wiper's deployment.
"This is based on several facts: the HermeticWiper PE compilation timestamps, the oldest being December 28, 2021; the code-signing certificate issue date of April 13, 2021; and the deployment of HermeticWiper through the default domain policy in at least one instance, suggesting the attackers had prior access to one of that victim's Active Directory servers," said Jean-Ian Boutin, ESET head of threat research.
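One way an analyst reproduces the dating argument in Boutin's quote is to read the IMAGE_FILE_HEADER.TimeDateStamp from each sample and compare it with the known deployment date. The Python below is an added example, not ESET's tooling or any code from this page. It operates on a constructed, header-only PE stub (the real HermeticWiper sample's exact timestamp value and hash are not given here, so the stub simply carries the December 28, 2021 date ESET cites) and assumes the February 23, 2022 deployment date from the article.

```python
import struct
from datetime import datetime, timezone


def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the signature plus the 20-byte IMAGE_FILE_HEADER to be present.
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0" and len(data) >= e_lfanew + 24


def pe_compile_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch).

    Layout: DOS header -> e_lfanew -> "PE\0\0" -> IMAGE_FILE_HEADER. The
    TimeDateStamp is the third field of that header (offset 4 within it,
    i.e. e_lfanew + 8 in the file). The linker writes it at build time, so
    it is only a hint: it can be zeroed, replaced by a hash in reproducible
    builds, or forged by the attacker. Corroborate it with other evidence
    (certificate validity dates, GPO modification times) as ESET did.
    """
    if not is_pe(data):
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def compile_date_utc(data: bytes) -> str:
    """ISO date (UTC) of the compile timestamp, for timeline comparison."""
    ts = pe_compile_timestamp(data)
    return datetime.fromtimestamp(ts, tz=timezone.utc).date().isoformat()


def lead_time_days(data: bytes, deployment_iso_date: str) -> int:
    """Whole days between the compile timestamp and a known deployment date."""
    compiled = datetime.fromtimestamp(pe_compile_timestamp(data), tz=timezone.utc)
    deployed = datetime.fromisoformat(deployment_iso_date).replace(tzinfo=timezone.utc)
    return (deployed - compiled).days


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal PE-shaped blob (headers only) used as sample input.

    This is NOT the wiper or any real binary; only the header fields read
    above are meaningful. It exists so the example runs offline.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers follow the DOS stub
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed sample: stub whose timestamp is 2021-12-28T00:00:00Z, the date ESET
# quotes for the oldest HermeticWiper build. The real sample's exact value is
# not on this page, so the time of day is an assumption.
SAMPLE_PE = build_stub_pe(1640649600)
HERMETIC_DEPLOYMENT_DATE = "2022-02-23"  # from the article

if __name__ == "__main__":
    print("compiled (UTC):", compile_date_utc(SAMPLE_PE))
    print("days before deployment:", lead_time_days(SAMPLE_PE, HERMETIC_DEPLOYMENT_DATE))
```

To run this against real files, pass `open(path, "rb").read()` instead of `SAMPLE_PE`; the 57-day lead time the stub yields is what makes "planned for months" a defensible statement, but only together with the independent certificate issue date and the domain policy evidence, because the timestamp alone is attacker-controlled.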
Also unknown are the initial access vectors used to deploy both wipers, although it's suspected that the attackers leveraged tools like Impacket and RemCom, a remote access tool, for lateral movement and malware distribution.
Furthermore, IsaacWiper shares no code-level overlaps with HermeticWiper and is substantially less sophisticated, even as it sets out to enumerate all physical and logical drives before carrying out its file-wiping operations.
"On February 25, 2022, attackers dropped a new version of IsaacWiper with debug logs," the researchers said. "This may indicate that the attackers were unable to wipe some of the targeted machines and added log messages to understand what was happening."
Microsoft, which is tracking HermeticWiper under the name FoxBlade (and HermeticRansom as SonicVote), said the "intended objective of these attacks is the disruption, degradation, and destruction of targeted resources" in Ukraine.
The infections impacted "hundreds of systems spanning multiple government, information technology, financial sector, and energy organizations predominantly located in or with a nexus to Ukraine," it noted.
The tech giant's Threat Intelligence Center (MSTIC) has attributed the attacks to an emerging threat cluster designated DEV-0665, pointing out its lack of affiliation with any previously known threat activity group. It's worth noting here that the actor responsible for the WhisperGate wiper attacks in January is tracked as DEV-0586.
Assigning the IsaacWiper-related intrusions the moniker Lasainraw, Microsoft likewise characterized them as a "limited destructive malware attack," adding it's "continuing to investigate this incident and has not currently linked it to known threat activity."