HermeticWiper, analysis of the malware that hit Ukraine


The Kremlin has attacked Ukraine in many forms, including cyber warfare. Among the malware that has hit Kyiv since the beginning of the Russian invasion is the data wiper HermeticWiper, which the Qualys research team has analyzed, giving us an idea of how this cyberwar is being fought.

HermeticWiper, Qualys’ analysis of the data wiper that hit Ukraine

According to the researchers of the Qualys Research Team, “the origin of HermeticWiper seems to be closely connected to the beginning of the Russia/Ukraine conflict”. In fact, the data-wiping malware has been distributed since February 23, 2022.

But Moscow is said to have started preparing it much earlier. “The file we analyzed has a timestamp of ‘2021-12-28’. This wiper-ware got its name because the attackers used a code-signing certificate issued to ‘Hermetica Digital Ltd’. This leads back to a small video game design company based in Cyprus with no ties to Russia, which claims never to have requested a digital certificate, indicating possible identity theft.”

Code signing with a legitimate company’s certificate allows the malware to bypass the operating system’s antivirus protections. According to Qualys, the wiper was preceded by “exploits that aid in the distribution of malware, or by multiple distributed denial-of-service attacks to stop the protection services”. In fact, there have been hundreds of attacks on local government websites in Ukraine. The operation had already been tested in Latvia and Lithuania, and then hit Kyiv a few hours before the invasion.

HermeticWiper’s goal is to destroy a system’s master boot record (MBR). In many cases it uses the ‘Gift’, and once executed it obtains several privileges in order to erase the data on the computer’s disks: SeBackupPrivilege, SeDebugPrivilege and SeLoadDriverPrivilege.

At this point the malware changes some values, blocking various Windows services, which can act as an alarm bell for detection. By changing registry keys, it is able to delete some files essential to the functioning of the computer.
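The three privileges named above are a usable detection signal: a backup tool legitimately enables SeBackupPrivilege, but an ordinary user-space binary that enables SeBackupPrivilege, SeDebugPrivilege and SeLoadDriverPrivilege together, as the wiper does before touching the disks, is worth an alert. The following is an added example, not code from Qualys or from the article, showing how such a check can be run over privilege-adjustment records. It assumes a simplified, constructed one-line-per-event format loosely modelled on Windows Security event 4703 (“A user right was adjusted”); the sample records and process names are constructed for illustration, and parsing real EVTX files is out of scope.

```python
"""Flag processes that enable the privilege combination the article attributes to HermeticWiper.

Added example (not the article's or Qualys' code). The record format below is a
constructed simplification of Windows Security event 4703, not the real EVTX layout.
"""
from collections import defaultdict

# Privileges the article says the wiper obtains before erasing the disks.
WIPER_PRIVILEGES = {"SeBackupPrivilege", "SeDebugPrivilege", "SeLoadDriverPrivilege"}

# Constructed sample records (not real telemetry). One event per line:
#   <timestamp>|<event_id>|<process_name>|<comma-separated enabled privileges>
SAMPLE_LOG = """\
2022-02-23T15:01:02Z|4703|C:\\Windows\\System32\\svchost.exe|SeImpersonatePrivilege
2022-02-23T15:01:09Z|4703|C:\\Users\\user\\AppData\\Local\\Temp\\sample_wiper.exe|SeBackupPrivilege
2022-02-23T15:01:10Z|4703|C:\\Users\\user\\AppData\\Local\\Temp\\sample_wiper.exe|SeLoadDriverPrivilege,SeDebugPrivilege
2022-02-23T15:02:33Z|4703|C:\\Program Files\\Backup\\backup.exe|SeBackupPrivilege
2022-02-23T15:03:00Z|4624|C:\\Windows\\System32\\lsass.exe|
"""


def parse_records(text):
    """Parse the constructed log format into a list of dicts.

    Each dict has 'time', 'event_id' (int), 'process' and 'enabled' (set of
    privilege names). Blank lines are skipped; an empty privilege field yields
    an empty set.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, process, privs = line.split("|", 3)
        enabled = {p.strip() for p in privs.split(",") if p.strip()}
        records.append(
            {"time": ts, "event_id": int(event_id), "process": process, "enabled": enabled}
        )
    return records


def find_wiper_like_processes(records, min_matches=2):
    """Return {process: sorted privileges} for processes whose 4703 events, taken
    together, enable at least `min_matches` of the three wiper privileges.

    Accumulating across events matters: the privileges are often enabled one
    AdjustTokenPrivileges call at a time, so no single event shows all three.
    """
    seen = defaultdict(set)
    for r in records:
        if r["event_id"] != 4703:  # only privilege-adjustment events are relevant
            continue
        seen[r["process"]] |= r["enabled"] & WIPER_PRIVILEGES
    return {
        proc: sorted(privs) for proc, privs in seen.items() if len(privs) >= min_matches
    }


if __name__ == "__main__":
    for proc, privs in find_wiper_like_processes(parse_records(SAMPLE_LOG)).items():
        print(f"ALERT: {proc} enabled {', '.join(privs)}")
```

With the constructed sample, only the binary in the user's Temp folder is reported: the backup tool enables a single privilege and stays below the threshold, and the non-4703 event is ignored. In a real deployment the threshold and an allow-list of known backup and driver-installer binaries would be tuned to the environment, and the same accumulation logic can be fed from Sysmon or EDR process telemetry instead of the Security log.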

You can better understand how to find and block this data wiper by following the instructions provided by Qualys, which you can find at this address.

Walker Ronnie is a tech writer who keeps you informed on the latest developments in the world of technology. With a keen interest in all things tech-related, Walker shares insights and updates on new gadgets, innovative advancements, and digital trends. Stay connected with Walker to stay ahead in the ever-evolving world of technology.