Russian troops have entered Ukraine, and the whole world is watching the situation with surprise and sadness. Shortly before the invasion, numerous Ukrainian organizations were hit with a sophisticated new disk-wiping malware. Mandiant is tracking this threat as ‘NEARMISS’ and ESET as ‘HermeticWiper’; ESET reported finding traces of the malware on hundreds of systems in Ukraine. According to their statement, ESET observed the first sample at around 14:52 UTC on 23 February. “The PE compilation timestamp of one of the samples is 2021-12-28, suggesting that the attack might have been in preparation for almost two months,” ESET explained.
According to researchers, the malware is being deployed against organizations in several industries in Ukraine and is designed to corrupt the Master Boot Record (MBR) of Windows systems, making them unbootable once compromised. According to several reports, the malware does not contain any propagation functionality. The attackers used a genuine code-signing certificate issued to a Cyprus-based company called Hermetica Digital Ltd., hence the wiper’s name (MD5: 94bc2ff3969d9775de508e1181318deb). This is a reminder that a valid Authenticode signature on its own is not evidence that a binary is benign; signer identity and reputation still have to be checked.
In January, Microsoft reported another, similar malware (publicly known as WhisperGate) targeting organizations in Ukraine. That malware was also designed to overwrite and destroy the MBR.
Currently, while the invasion continues, cyber attacks continue too, and most of the world stands against Russia over these attacks. Sanctions against Russia are increasing, and in this situation it is reasonable to expect that other nations will also become targets of these cyber attacks. “Russia and its allies will conduct cyber espionage, information operations, and disruptive cyber attacks during this crisis. Though cyber espionage is already a regular facet of global activity, as the situation deteriorates, we are likely to see more aggressive information operations and disruptive cyber attacks within and outside of Ukraine,” Mandiant says about that.
All organizations and security teams should be aware of this threat. Events and incidents should be followed closely, and teams should work together with strong intelligence services that closely monitor these threat groups in order to follow the situation more closely.
IoCs:
MD5 – 84ba0197920fd3e2b7dfa719fee09d2f
SHA-1 – 912342f1c840a42f6b74132f8a7c4ffe7d40fb77
SHA-256 – 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
MD5 – 3f4a16b29f2f0532b7ce3e7656799125
SHA-1 – 61b25d11392172e587d8da3045812a66c3385451
SHA-256 – 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
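A quick way to put the hashes above to use is a file-hash sweep over a directory tree. The script below is an added example for this post, not code from ESET, Mandiant or the original author: it walks a directory, computes MD5, SHA-1 and SHA-256 of every regular file in a single streaming pass, and reports any file whose digest appears in the indicator set. The indicator set is the list above; the function names `hash_file`, `normalize_iocs` and `scan_tree` and the 1 MiB read size are my own choices.

```python
"""Hash-based IoC sweep for the HermeticWiper indicators listed above.

Added example for this post (not ESET's, Mandiant's or the author's code).
Walks a directory tree, hashes every regular file with MD5, SHA-1 and SHA-256
in one streaming pass, and reports files whose digest matches an indicator.
"""
import hashlib
import os
import sys
from pathlib import Path

# Indicators copied from the IoC list in this post, lower-cased hex.
HERMETICWIPER_IOCS = {
    "84ba0197920fd3e2b7dfa719fee09d2f",
    "912342f1c840a42f6b74132f8a7c4ffe7d40fb77",
    "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da",
    "3f4a16b29f2f0532b7ce3e7656799125",
    "61b25d11392172e587d8da3045812a66c3385451",
    "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591",
}

# Hex digest lengths for the three algorithms; anything else is not a usable hash IoC.
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
CHUNK = 1 << 20  # 1 MiB reads (assumed size) so large files are never fully loaded


def hash_file(path):
    """Return {'md5', 'sha1', 'sha256'} hex digests for one file, reading it once."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def normalize_iocs(iocs):
    """Lower-case and strip indicators so mixed-case feeds still match.

    Entries that are not hex of an MD5/SHA-1/SHA-256 length are dropped, since
    a comparison against them could never succeed.
    """
    clean = set()
    for ioc in iocs:
        h = ioc.strip().lower()
        if len(h) in HEX_LENGTHS and all(c in "0123456789abcdef" for c in h):
            clean.add(h)
    return clean


def scan_tree(root, iocs=HERMETICWIPER_IOCS):
    """Return [(path, algorithm, digest)] for every file under root whose hash is an IoC.

    Symlinks are not followed and unreadable files are skipped, so one locked or
    permission-denied file cannot abort the whole sweep.
    """
    wanted = normalize_iocs(iocs)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digests = hash_file(p)
            except OSError:
                continue  # locked, vanished or unreadable: keep scanning
            for algo, digest in digests.items():
                if digest in wanted:
                    hits.append((str(p), algo, digest))
    return hits


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algo, digest in scan_tree(target):
        print(f"MATCH {algo} {digest} {path}")
```

Hash matching only catches the exact samples listed, so treat a clean sweep as one data point rather than proof of absence; a recompiled or repacked build of the same wiper will have different digests.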