As stated in our previous threat advisory STRT-TA02 on destructive software, historical data suggests that for malicious actors to succeed in long-running campaigns they must keep adding new ways of making their payloads stealthier, more resilient and more damaging. HermeticWiper introduces some unique features for carrying out destructive actions on compromised hosts. In addition to the destructive features commonly seen in wipers, HermeticWiper also presents the following unique behaviors:
This payload is another destructive tool in an ongoing campaign that has included DDoS attacks, web defacements, MDM attacks, Microsoft SQL Server attacks and, so far, two known destructive payloads.
STRT has also released a new analytic story covering HermeticWiper itself. We have collected information about the observed attack vectors related to HermeticWiper from several security vendors, including Symantec, ESET and SentinelOne. The following diagram shows a visual flow of the observed attack vectors per tactic.
As seen above, malicious actors gain initial access either by compromising publicly exposed services or via spear phishing. They then establish persistence and escalate privileges via web shells, scheduled tasks (schtasks) and PowerShell payloads, and finally deploy additional payloads via certutil.exe or PowerShell, including the genuine wiper payload and ransomware decoy binaries intended to distract defenders and delay containment. Here is a brief breakdown of HermeticWiper features and detections.
Signed driver (hermetic name reference)
The wiper first enables "SeShutdownPrivilege" and "SeBackupPrivilege" in its process token. It needs these later to initiate a shutdown and to open files regardless of their security descriptors (backup semantics).
It carries four compressed drivers in its resource (.rsrc) section and drops one of them, chosen by the Windows version and OS architecture of the compromised host as determined with the VerifyVersionInfoW API. Below is a summary of the RSRC type ID and resource name of each driver.
| RSRC TYPE ID | RSRC NAME | Description |
| --- | --- | --- |
| RCDATA | DRV_X64 | Driver for 64-bit (x64) hosts |
| RCDATA | DRV_X86 | Driver for 32-bit (x86) hosts |
| RCDATA | DRV_XP_X64 | Driver for older OS versions (e.g. XP), 64-bit |
| RCDATA | DRV_XP_X86 | Driver for older OS versions (e.g. XP), 32-bit |
It then generates a random four-character name derived from its own process ID. Once the wiper has parsed the needed resource entry and has a file name, it drops the driver component into C:\Windows\System32\Drivers.
The driver extracted from the resource section is Lempel-Ziv compressed in Microsoft's SZDD container format (the output of COMPRESS.EXE). The screenshot below shows how the wiper uses the LZ API (LZOpenFileW and LZCopy) to expand it and recover the actual driver binary.
Interestingly, during analysis we found that it writes both the compressed driver (<4 random chars>, with no file extension) and the expanded driver (<4 random chars>.sys) to C:\Windows\System32\Drivers, then deletes the compressed copy afterwards.
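The SZDD container the wiper expands, parsed and decompressed in Python as an added example for triage (this is neither the wiper's code nor Splunk's, and SAMPLE_BLOB is hand-constructed, not a real driver). The header is 8 magic bytes, a compression-mode byte ('A'), the original last character of the file name that COMPRESS.EXE replaced with an underscore, and the 32-bit uncompressed length; the body is LZSS over a 4 KiB ring buffer pre-filled with spaces, which is what LZCopy() implements. Run over a dropped extensionless file in System32\Drivers, it tells you whether the file is an SZDD blob and how large the driver inside it is without loading anything:

```python
"""Parser and expander for Microsoft's SZDD container (COMPRESS.EXE output, expanded by
the LZ API / EXPAND.EXE), the format HermeticWiper stores its driver in.
Added example, not the wiper's or Splunk's code. SAMPLE_BLOB is hand-constructed."""
import struct

SZDD_MAGIC = b"SZDD\x88\xF0\x27\x33"
HEADER_LEN = 14
WINDOW = 4096


def is_szdd(data):
    """Cheap triage check: 8-byte magic at offset 0."""
    return data[:8] == SZDD_MAGIC


def parse_szdd_header(data):
    """Return (mode, missing_last_filename_char, uncompressed_size).
    Byte 8 is the compression mode ('A' for COMPRESS.EXE), byte 9 the original last
    character of the file name that COMPRESS.EXE replaced with '_' (0 if none),
    bytes 10-13 the little-endian uncompressed length."""
    if len(data) < HEADER_LEN or not is_szdd(data):
        raise ValueError("not an SZDD container")
    mode = chr(data[8])
    if mode != "A":
        raise ValueError("unsupported SZDD compression mode %r" % mode)
    missing = chr(data[9]) if data[9] else ""
    size = struct.unpack_from("<I", data, 10)[0]
    return mode, missing, size


def restore_filename(name, missing_char):
    """What EXPAND.EXE does with byte 9: put the real last character back (DRIVER.SY_ -> DRIVER.SYS)."""
    if missing_char and name.endswith("_"):
        return name[:-1] + missing_char
    return name


def szdd_decompress(data):
    """LZSS expansion as LZCopy() performs it: 4 KiB ring buffer pre-filled with spaces,
    write position starting at 4096-16. Each control byte holds 8 flags (LSB first):
    1 = next byte is a literal, 0 = next two bytes are a (12-bit offset, 4-bit length+3) match."""
    _, _, expected = parse_szdd_header(data)
    window = bytearray(b" " * WINDOW)
    pos = WINDOW - 16
    out = bytearray()
    i = HEADER_LEN
    while i < len(data) and len(out) < expected:
        control = data[i]
        i += 1
        for bit in range(8):
            if len(out) >= expected or i >= len(data):
                break
            if control & (1 << bit):
                c = data[i]
                i += 1
                window[pos] = c
                pos = (pos + 1) % WINDOW
                out.append(c)
            else:
                if i + 1 >= len(data):
                    raise ValueError("truncated match token at offset %d" % i)
                b1, b2 = data[i], data[i + 1]
                i += 2
                match = b1 | ((b2 & 0xF0) << 4)
                length = (b2 & 0x0F) + 3
                for k in range(length):
                    c = window[(match + k) % WINDOW]
                    window[pos] = c
                    pos = (pos + 1) % WINDOW
                    out.append(c)
    if len(out) < expected:
        raise ValueError("short output: %d of %d bytes" % (len(out), expected))
    return bytes(out[:expected])


# Hand-constructed sample: header for 12 bytes, control 0x0F = four literals then one match
# (offset 4080 = the first literal's slot, length 5+3 = 8) -> b"ABCDABCDABCD".
SAMPLE_BLOB = SZDD_MAGIC + b"A" + b"\x00" + (12).to_bytes(4, "little") + b"\x0F" + b"ABCD" + b"\xF0\xF5"

if __name__ == "__main__":
    print(parse_szdd_header(SAMPLE_BLOB), szdd_decompress(SAMPLE_BLOB))
```

For a suspect extensionless file, `parse_szdd_header(open(path, "rb").read())` succeeds only on SZDD data, and the expanded output of a packed driver should begin with the PE "MZ" signature. The 8-byte magic is also enough to spot this container on disk or in a capture, which matters because the compressed copy is deleted shortly after the .sys is written.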
It also disables crash-dump generation on the compromised host, an anti-forensic measure, by setting the CrashDumpEnabled value under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl to 0, as shown in the screenshot below:
It loads its driver component by creating a service for the dropped file. First it enables "SeLoadDriverPrivilege" in its token. If no service exists for the driver, it creates and starts one with the CreateServiceW() and StartServiceW() APIs. If the service already exists but is not running, it changes the driver service's configuration to SERVICE_DEMAND_START so it can be started. Below is the code showing how it uses ChangeServiceConfigW() to reconfigure the driver service when it is not active. The driver itself is a legitimate, signed component of the EaseUS Partition Master application, which the wiper abuses to interact with storage devices and retrieve their information for its destructive purposes.
The wiper enumerates every physical drive that may be attached to the compromised host (drive numbers 0 through 100). Below is the code showing how it enumerates the devices and retrieves each one's partition information using the DeviceIoControl() API. The function we named "mw_GetDeviceNumberAndGeometry" is where it checks whether the device is of type FILE_DEVICE_DISK.
It also checks which file system is present on each volume, NTFS or FAT. This check lets the wiper enumerate all partitions so it can corrupt every boot record it can reach. It also looks for well-known NTFS metadata such as $Bitmap, $LogFile, $DATA and many more, overwriting them as part of its file-destruction routine.
Below is a view of a Volume Boot Record before and after HermeticWiper infected the compromised host.
It also runs a thread that modifies the Explorer folder-option (GlobalFolderOptions) registry values that control whether compressed files are shown in colour and whether information tips are displayed.
Another thread is responsible for shutting down the compromised host so that the boot-sector corruption takes effect.
It also has a function that can dismount or lock a disk volume.
During ESET's analysis of this incident, they found another binary, which they named "HermeticRansom". This is a Go-compiled ransomware binary that tries to encrypt files on the compromised host. Below is a screenshot of the code snippet where it renames encrypted files with the ".encryptedJB" file extension.
It also drops a ransom note named "read_me.html" on the desktop to inform the user that their machine is compromised and their files encrypted.
Aside from its encryption features, the function names in this binary contain strings that reference US President Biden.
The following detections focus specifically on HermeticWiper. Splunk STRT also has a significant number of analytic stories covering ransomware that should be considered when detecting and hunting for these types of threats.
This analytic looks for suspicious creation of files without a file extension in a critical folder such as System32\Drivers.
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\System32\\drivers\\*", "*\\syswow64\\drivers\\*") by _time span=5m Filesystem.dest Filesystem.user Filesystem.file_name Filesystem.file_path Filesystem.process_guid Filesystem.file_create_time | `drop_dm_object_name(Filesystem)` | rex field="file_name" "\.(?<extension>[^\.]*$)" | where isnull(extension) | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time span=5m Processes.process_name Processes.dest Processes.process_guid Processes.user | `drop_dm_object_name(Processes)`] | stats count min(_time) as firstTime max(_time) as lastTime by dest process_name process_guid file_name file_path file_create_time user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
This analytic looks for suspicious raw-access reads of the device on which the master boot record resides.
`sysmon` EventCode=9 Device = \\Device\\Harddisk0\\DR0 NOT (Image IN("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer Image Device ProcessGuid ProcessId EventDescription EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
The following analytic identifies a process that is attempting to disable the ability on Windows to generate a memory crash dump.
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where (Registry.registry_path="*\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled") AND Registry.registry_value_data="0x00000000" by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid Registry.registry_key_name | `drop_dm_object_name(Registry)` | join process_guid [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | fields _time dest user parent_process_name parent_process process_name process_path process process_guid registry_path registry_value_name registry_value_data registry_key_name] | table _time dest user parent_process_name parent_process process_name process_path process process_guid registry_path registry_value_name registry_value_data registry_key_name
This analytic looks for suspicious registry modification of the compressed-file colour (ShowCompColor) and information-tip (ShowInfoTip) settings.
| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced*" AND Registry.registry_value_name IN("ShowCompColor", "ShowInfoTip") by _time span=1h Registry.dest Registry.user Registry.registry_path Registry.registry_value_name Registry.registry_value_data Registry.process_guid | `drop_dm_object_name(Registry)` | rename process_guid as proc_guid | join proc_guid, _time [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes by _time span=1h Processes.process_id Processes.process_name Processes.process Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_guid | `drop_dm_object_name(Processes)` | rename process_guid as proc_guid | fields _time dest user parent_process_name parent_process process_name process_path process proc_guid registry_path registry_value_name registry_value_data] | table _time dest user parent_process_name parent_process process_name process_path process proc_guid registry_path registry_value_name registry_value_data
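The logic of the analytics above, re-implemented in Python as an added example and run over constructed Sysmon events so it can be checked offline. This is not Splunk ESCU code; the process GUIDs, paths and the file name "abcd" are placeholders, and the Sysmon event IDs and field names used (11 FileCreate/TargetFilename, 9 RawAccessRead/Device, 13 RegistryEvent/TargetObject/Details) are the standard Sysmon ones that the Endpoint data model maps onto. It also covers the volume-partition variant listed in the table below and groups hits by ProcessGuid, which is what the `join process_guid` in the SPL achieves:

```python
"""Python re-implementation of the HermeticWiper analytics, run over constructed
Sysmon-style events. Added example: not Splunk ESCU code, and the events are made up
(the process GUIDs, paths and file names are placeholders, not real indicators)."""
import re
from collections import defaultdict

# Regexes mirror the path/value filters in the SPL (Windows paths, case-insensitive).
DRIVERS_DIR = re.compile(r"\\(?:system32|syswow64)\\drivers\\", re.I)
SYSTEM_IMAGE = re.compile(r"\\windows\\(?:system32|syswow64)\\", re.I)
MBR_DEVICE = r"\Device\Harddisk0\DR0"                      # first physical disk, where the MBR lives
VOLUME_DEVICE = re.compile(r"^\\Device\\HarddiskVolume\d+$", re.I)
CRASH_DUMP = re.compile(r"\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled$", re.I)
EXPLORER_ADV = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\(?:ShowCompColor|ShowInfoTip)$", re.I)


def dword_value(details):
    """Sysmon EventID 13 renders DWORD data as 'DWORD (0x00000000)'; return the int or None."""
    m = re.search(r"0x([0-9a-f]+)", details or "", re.I)
    return int(m.group(1), 16) if m else None


def file_without_extension_in_critical_folder(ev):
    """EventID 11 (FileCreate) under a drivers folder with no extension: same test as the
    SPL rex, i.e. no '.' anywhere after the last backslash."""
    if ev.get("EventCode") != 11:
        return False
    path = ev.get("TargetFilename", "")
    name = path.rsplit("\\", 1)[-1]
    return bool(DRIVERS_DIR.search(path)) and "." not in name


def raw_access_to_mbr_drive(ev):
    """EventID 9 (RawAccessRead) of \\Device\\Harddisk0\\DR0 by an image outside System32/SysWOW64."""
    return (ev.get("EventCode") == 9 and ev.get("Device") == MBR_DEVICE
            and not SYSTEM_IMAGE.search(ev.get("Image", "")))


def raw_access_to_disk_volume_partition(ev):
    """EventID 9 against a volume device (\\Device\\HarddiskVolumeN), same image exclusion."""
    return (ev.get("EventCode") == 9 and bool(VOLUME_DEVICE.match(ev.get("Device", "")))
            and not SYSTEM_IMAGE.search(ev.get("Image", "")))


def disable_memory_crash_dump(ev):
    """EventID 13 (registry value set) writing CrashDumpEnabled = 0."""
    return (ev.get("EventCode") == 13 and bool(CRASH_DUMP.search(ev.get("TargetObject", "")))
            and dword_value(ev.get("Details")) == 0)


def modify_show_comp_color_and_info_tip(ev):
    """EventID 13 touching Explorer\\Advanced\\ShowCompColor or ShowInfoTip (any value)."""
    return ev.get("EventCode") == 13 and bool(EXPLORER_ADV.search(ev.get("TargetObject", "")))


ANALYTICS = {
    "Windows File Without Extension In Critical Folder": file_without_extension_in_critical_folder,
    "Windows Raw Access To Master Boot Record Drive": raw_access_to_mbr_drive,
    "Windows Raw Access To Disk Volume Partition": raw_access_to_disk_volume_partition,
    "Windows Disable Memory Crash Dump": disable_memory_crash_dump,
    "Windows Modify Show Compress Color And Info Tip Registry": modify_show_comp_color_and_info_tip,
}


def run_analytics(events):
    """Return {ProcessGuid: set(analytic names)}: the stand-in for the SPL join on process_guid,
    so one process tripping several of these analytics stands out."""
    hits = defaultdict(set)
    for ev in events:
        for name, check in ANALYTICS.items():
            if check(ev):
                hits[ev["ProcessGuid"]].add(name)
    return dict(hits)


# Constructed sample events (placeholder GUIDs, paths and names; not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": 11, "ProcessGuid": "{G1}", "Image": r"C:\Users\Public\wiper.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\abcd"},        # compressed driver, no extension
    {"EventCode": 11, "ProcessGuid": "{G1}", "Image": r"C:\Users\Public\wiper.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\abcd.sys"},    # expanded driver: has an extension
    {"EventCode": 9, "ProcessGuid": "{G1}", "Image": r"C:\Users\Public\wiper.exe",
     "Device": r"\Device\Harddisk0\DR0"},
    {"EventCode": 9, "ProcessGuid": "{G1}", "Image": r"C:\Users\Public\wiper.exe",
     "Device": r"\Device\HarddiskVolume2"},
    {"EventCode": 13, "ProcessGuid": "{G1}", "Image": r"C:\Users\Public\wiper.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
     "Details": "DWORD (0x00000000)"},
    {"EventCode": 13, "ProcessGuid": "{G1}", "Image": r"C:\Users\Public\wiper.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor",
     "Details": "DWORD (0x00000000)"},
    {"EventCode": 9, "ProcessGuid": "{G2}", "Image": r"C:\Windows\System32\svchost.exe",
     "Device": r"\Device\Harddisk0\DR0"},                           # dropped by the System32 image exclusion
    {"EventCode": 11, "ProcessGuid": "{G3}", "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\etc\hosts"},  # benign but extensionless: known false positive
]

if __name__ == "__main__":
    for guid, names in sorted(run_analytics(SAMPLE_EVENTS).items()):
        print(guid, sorted(names))
```

Two things the SPL inherits that the sample makes visible: C:\Windows\System32\drivers\etc\hosts is an extensionless file under a drivers folder and matches the first analytic, so an allowlist (the filter macro at the end of the ESCU search) is needed; and the System32/SysWOW64 image exclusion on the raw-access rules means a wiper that drops itself into System32 would be missed, so treat that exclusion as a noise filter, not a trust boundary. Sysmon only emits EventID 9 and 13 for what its configuration includes, so confirm RawAccessRead and the CrashControl and Explorer\Advanced keys are covered before relying on these.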
| Name | Technique ID | Tactic | Description |
| --- | --- | --- | --- |
| | | Execution | The following analytic identifies command-line arguments where cmd.exe /c is used to execute a program. |
| | | Lateral Movement | The following analytic identifies executable files (.exe or .dll) being written to Windows administrative SMB shares (Admin$, IPC$, C$). |
| | | Defense Evasion | This analytic detects a DLL being loaded via regsvr32 with the silent parameter and DllInstall execution. |
| | | Execution | This analytic identifies suspicious executables or scripts (known file extensions) in a list of suspicious file paths on Windows. |
| | | Persistence, Privilege Escalation | The following analytic detects a suspicious process running from a file path where processes are not commonly seen and which is most commonly used by malicious software. |
| | | Lateral Movement | This analytic looks for suspicious command-line parameters typically present when using Impacket tools. |
| | | Defense Evasion | The following analytic identifies rundll32.exe loading an export function by ordinal value. |
| | | Defense Evasion | wevtutil.exe is the Windows event log utility. This searches for wevtutil.exe with parameters for clearing the application, security, setup, PowerShell, Sysmon, or system event logs. |
| Windows Raw Access To Disk Volume Partition (New) | | Impact | This analytic looks for suspicious raw-access reads of the host's disk volume partitions. |
| Windows Modify Show Compress Color And Info Tip Registry (New) | | Defense Evasion | This analytic looks for suspicious registry modification of the compressed-file colour and information-tip settings. |
| Windows Disable Memory Crash Dump (New) | | Impact | The following analytic identifies a process attempting to disable the ability of Windows to generate a memory crash dump. |
| Windows File Without Extension In Critical Folder (New) | | Persistence, Privilege Escalation | This analytic looks for suspicious creation of files without an extension in a critical folder such as System32\Drivers. |
| Windows Raw Access To Master Boot Record Drive (New) | | Impact | This analytic looks for suspicious raw-access reads of the drive where the master boot record resides. |
Many of these attack vectors can be mitigated by following CISA's guidance on preparing and hardening systems, applications and networks, which also covers MDM attacks. A free HermeticRansom/PartyTicket decryptor is available from Avast and CrowdStrike. The following table shows Splunk coverage of the attack vectors observed in this ongoing campaign.
| Attack Vectors | Tactic | TTP | Splunk Coverage |
| --- | --- | --- | --- |
| Microsoft SQL Server | Privilege Escalation | | |
| Webshell | Persistence | | |
| Tomcat | Initial Access | | |
| Use of certutil.exe | Command & Control | | |
| Use Schtasks to execute payloads | Execution, Persistence, Privilege Escalation | | |
| PowerShell payload execution | Execution | | |
| Deployment via GPO | Defense Evasion, Privilege Escalation | | |
| Ransomware Decoys | Defense Evasion | | Ransomware Investigate & Contain |
| Spearphishing | Initial Access | | |
HermeticWiper Analytic Story is available in ESCU release v3.36.0
Also available from Splunk SOAR for automated response against these threats:
You can find the latest content about security analytic stories on research.splunk.com. For a full list of security content, check out the release notes on Splunk Docs.
We would like to thank the following for their contributions to this post.