New data-wiping malware used in destructive attacks on Ukraine


Cybersecurity firms have found a new data wiper used in destructive attacks today against Ukrainian networks just as Russia moves troops into regions of Ukraine.

A data wiper is malware that intentionally destroys data on a device so that the data is unrecoverable and the operating system no longer works correctly.

This morning, Ukrainian government agencies and banks were hit with DDoS attacks that took websites offline.

Soon after, cybersecurity firms Symantec and ESET disclosed that they had found new destructive data-wiper malware that was also used in cyberattacks today against Ukrainian organizations.

Symantec shared the hash of the new data wiper on Twitter; at the time of writing, the sample is detected by only 16/70 security engines on VirusTotal.


“According to Symantec Threat Hunter telemetry, they have discovered new wiper attacks in Ukraine, Latvia, and Lithuania. Targets have included finance and government contractors,” Vikram Thakur, Technical Director at Symantec Threat Intelligence, shared in a statement to BleepingComputer.

ESET also posted a detailed Twitter thread containing a technical analysis of the new data wiper and how they have seen it deployed.


According to ESET, the new data wiper is detected as Win32/KillDisk.NCV and was seen deployed on hundreds of devices on Ukrainian networks today.

While the cyberattacks occurred today, ESET notes that the malware was compiled on 12/28/21, indicating that the attacks may have been planned for some time.

“The PE compilation timestamp of one of the samples is 2021-12-28, suggesting that the attack might have been in preparation for almost two months,” tweeted ESET.

In BleepingComputer's own analysis of the malware, the wiper was found to contain four embedded drivers named DRV_X64, DRV_X86, DRV_XP_X64, and DRV_XP_X86, as shown below.

Embedded drivers (Source: BleepingComputer)

These drivers are compressed using the Windows ‘compress’ command, but once expanded they turn out to be signed by ‘CHENGDU YIWO Tech Development Co., Ltd.’, the developer of the EaseUS data recovery and disk management software.

Signature of embedded drivers (Source: BleepingComputer)
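On Windows the embedded drivers can be expanded with the built-in expand.exe. For analysts working on a non-Windows box, the following is an added example (not code from the article, ESET or Symantec) that carves and expands the legacy SZDD container that compress.exe writes in its default mode: the 8-byte magic SZDD 88 F0 27 33, a mode byte 'A', the replaced last filename character, a little-endian uncompressed length, then LZSS data over a 4 KiB window pre-filled with spaces. That the drivers use this variant rather than the newer LZX/MSZIP modes is an assumption; the small encoder is included only so the block can build its own sample and round-trip it.

```python
import struct

SZDD_MAGIC = b"SZDD\x88\xF0\x27\x33"
WINDOW = 4096          # LZSS history window used by compress.exe (SZDD mode)
MAX_MATCH = 18         # 4-bit length field + 3
HEADER_LEN = 14        # magic(8) + mode(1) + filename char(1) + uint32 length


def carve_szdd(data: bytes):
    """Return (offset, uncompressed_length) for every SZDD header inside a binary blob."""
    hits, off = [], data.find(SZDD_MAGIC)
    while off >= 0:
        if off + HEADER_LEN <= len(data):
            hits.append((off, struct.unpack_from("<I", data, off + 10)[0]))
        off = data.find(SZDD_MAGIC, off + 1)
    return hits


def szdd_decompress(blob: bytes) -> bytes:
    """Expand one SZDD container; trailing bytes after the container are ignored."""
    if blob[:8] != SZDD_MAGIC or blob[8:9] != b"A":
        raise ValueError("not an SZDD (compress.exe) container")
    expected_len = struct.unpack_from("<I", blob, 10)[0]
    data, i, n = blob[HEADER_LEN:], 0, len(blob) - HEADER_LEN
    window = bytearray(b" " * WINDOW)   # window starts filled with spaces
    pos, out = WINDOW - 16, bytearray()
    while i < n and len(out) < expected_len:
        control = data[i]; i += 1
        for bit in range(8):            # LSB first: 1 = literal byte, 0 = (pos, len) match
            if len(out) >= expected_len or i >= n:
                break
            if control & (1 << bit):
                b = data[i]; i += 1
                out.append(b); window[pos] = b; pos = (pos + 1) & (WINDOW - 1)
            else:
                if i + 1 >= n:
                    break
                lo, hi = data[i], data[i + 1]; i += 2
                mpos = lo | ((hi & 0xF0) << 4)       # 12-bit window offset
                for _ in range((hi & 0x0F) + 3):     # 3..18 byte copy, may overlap itself
                    b = window[mpos]
                    out.append(b); window[pos] = b
                    pos = (pos + 1) & (WINDOW - 1); mpos = (mpos + 1) & (WINDOW - 1)
    if len(out) != expected_len:
        raise ValueError(f"truncated: got {len(out)} of {expected_len} bytes")
    return bytes(out)


def _match_len(window, pos, raw, i, cand):
    """Length the decoder would reproduce from window offset cand, honouring overlap."""
    l = 0
    while l < MAX_MATCH and i + l < len(raw):
        j = (cand + l - pos) & (WINDOW - 1)
        b = raw[i + j] if j < l else window[(cand + l) & (WINDOW - 1)]
        if b != raw[i + l]:
            break
        l += 1
    return l


def szdd_compress(raw: bytes, last_name_char: str = "S") -> bytes:
    """Greedy SZDD encoder (test helper; compress.exe's own matcher may choose differently)."""
    header = SZDD_MAGIC + b"A" + last_name_char.encode("ascii")[:1] + struct.pack("<I", len(raw))
    window, pos, body, i = bytearray(b" " * WINDOW), WINDOW - 16, bytearray(), 0
    while i < len(raw):
        control, chunk = 0, bytearray()
        for bit in range(8):
            if i >= len(raw):
                break
            best_len, best_pos, start = 0, 0, 0
            while best_len < MAX_MATCH:
                cand = window.find(raw[i], start)    # only offsets whose first byte matches
                if cand < 0:
                    break
                l = _match_len(window, pos, raw, i, cand)
                if l > best_len:
                    best_len, best_pos = l, cand
                start = cand + 1
            if best_len >= 3:
                chunk += bytes((best_pos & 0xFF, ((best_pos >> 4) & 0xF0) | (best_len - 3)))
                for k in range(best_len):
                    window[pos] = raw[i + k]; pos = (pos + 1) & (WINDOW - 1)
                i += best_len
            else:
                control |= 1 << bit
                chunk.append(raw[i]); window[pos] = raw[i]
                pos = (pos + 1) & (WINDOW - 1); i += 1
        body.append(control); body += chunk
    return header + bytes(body)


if __name__ == "__main__":
    # Constructed sample: a PE-like stub with repeated text, embedded twice in padding.
    sample = b"MZ" + b"\x90" * 60 + b"This program cannot be run in DOS mode.\r\n" * 3
    container = szdd_compress(sample)
    blob = b"\x00" * 32 + container + b"\xff" * 8 + container
    for off, size in carve_szdd(blob):
        print(f"SZDD at 0x{off:x}, {size} bytes when expanded, ok={szdd_decompress(blob[off:]) == sample}")
```

Run against a wiper sample, carve_szdd() reports each embedded container and szdd_decompress() yields the driver PE, whose Authenticode signature can then be checked with osslsigncode or a similar tool.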

When the malware is executed, the wiper will install one of these drivers as a new Windows service.

Service created by the data wiper (Source: BleepingComputer)
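A defender can look for this behaviour in the System event log: Event ID 7045 ("A service was installed in the system") records every new service, including kernel-mode drivers. The script below is an added example, not from the article, that triages exported 7045 records and flags kernel drivers that are not in a host baseline, are registered from an unusual path, or carry the name of a legitimate driver whose product is not installed on that host. The event records, host names, baseline and product inventory are constructed sample data, and treating the EPMNTDRV name from the driver strings as the service or image name is an assumption for the example.

```python
import re
from dataclasses import dataclass

# Paths a kernel driver is normally registered from; 7045 shows several spellings.
DRIVER_DIR_RE = re.compile(
    r'^"?(?:\\SystemRoot|%SystemRoot%|C:\\Windows)?\\?System32\\drivers\\[^\\/]+\.sys"?$',
    re.IGNORECASE,
)

# Legitimate signed drivers worth flagging when their product is absent from the host.
# EPMNTDRV is the device name seen in the EaseUS driver strings; mapping it to a
# service/image name is an assumption made for this example.
ABUSABLE_DRIVERS = {"epmntdrv": "EaseUS Partition Manager"}

# Constructed System-log records in the shape of Event ID 7045 (sample data, not telemetry).
SAMPLE_7045 = [
    {"Host": "ws01", "ServiceName": "ExampleUpdater", "ServiceType": "user mode service",
     "StartType": "auto start", "ImagePath": r'"C:\Program Files\Example\updater.exe"'},
    {"Host": "ws01", "ServiceName": "corpedrsensor", "ServiceType": "kernel mode driver",
     "StartType": "boot start", "ImagePath": r"\SystemRoot\System32\drivers\corpedrsensor.sys"},
    {"Host": "ws02", "ServiceName": "abcdr", "ServiceType": "kernel mode driver",
     "StartType": "demand start", "ImagePath": r"C:\Windows\System32\Drivers\abcdr.sys"},
    {"Host": "ws02", "ServiceName": "tmpdrv", "ServiceType": "kernel mode driver",
     "StartType": "demand start", "ImagePath": r"C:\Users\Public\tmpdrv.sys"},
    {"Host": "srv03", "ServiceName": "EPMNTDRV", "ServiceType": "kernel mode driver",
     "StartType": "demand start", "ImagePath": r"C:\Windows\System32\Drivers\epmntdrv.sys"},
]
BASELINE_DRIVERS = {"corpedrsensor", "corpvpn"}          # drivers expected on the fleet
INSTALLED_PRODUCTS = {"ws01": ["Example Updater"], "ws02": [], "srv03": ["Corp VPN"]}


@dataclass
class Finding:
    host: str
    service: str
    image_path: str
    severity: str
    reasons: list


def triage_7045(events, baseline_drivers, installed_products):
    """Return a Finding for each 7045 record that registers an unexpected kernel driver."""
    baseline = {b.lower() for b in baseline_drivers}
    findings = []
    for ev in events:
        if "kernel" not in ev["ServiceType"].lower():
            continue                      # user-mode service installs are triaged elsewhere
        name, path = ev["ServiceName"], ev["ImagePath"]
        reasons, high = [], False
        if name.lower() not in baseline:
            reasons.append("kernel driver service not in host baseline")
        if not DRIVER_DIR_RE.match(path):
            reasons.append("driver image registered from outside System32\\drivers")
            high = True
        products = {p.lower() for p in installed_products.get(ev["Host"], [])}
        for fragment, product in ABUSABLE_DRIVERS.items():
            if (fragment in name.lower() or fragment in path.lower()) and product.lower() not in products:
                reasons.append(f"abusable signed driver '{fragment}' installed without {product}")
                high = True
        if reasons:
            findings.append(Finding(ev["Host"], name, path, "high" if high else "medium", reasons))
    return findings


if __name__ == "__main__":
    for f in triage_7045(SAMPLE_7045, BASELINE_DRIVERS, INSTALLED_PRODUCTS):
        print(f"[{f.severity}] {f.host} service={f.service} path={f.image_path}")
        for r in f.reasons:
            print("    -", r)
```

The baseline set is the important input: a kernel-driver 7045 on a workstation that did not just receive a software deployment is rare enough to review by hand, and pairing it with a reboot shortly afterwards matches the sequence the article describes.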

Strings inside the drivers indicate that they belong to the EaseUS Partition Manager program.

Disk
\Device\Harddisk%u\Partition0
\Device\EPMNTDRV
\DosDevices\EPMNTDRV

ESET believes that these EaseUS drivers have been co-opted to corrupt the device’s files before the malware reboots the computer.

Security researcher Silas Cutler has confirmed that the data wiper will also trash the device’s Master Boot Record, making the device unbootable.
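The MBR finding suggests a quick triage step for forensic disk images: read sector 0 and check whether the boot signature, boot code and partition table survived. The block below is an added example, not from the article or the researchers it quotes; the sample MBR it builds is constructed, and the verdict labels are my own.

```python
import struct

SECTOR = 512
PART_TABLE_OFF = 446          # 4 x 16-byte partition entries follow the boot code
MBR_SIGNATURE = b"\x55\xAA"   # bytes 510-511 of a valid MBR


def parse_partition_table(sector: bytes):
    """Return the non-empty entries of the MBR partition table."""
    entries = []
    for slot in range(4):
        off = PART_TABLE_OFF + 16 * slot
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:
            entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def classify_mbr(sector: bytes) -> str:
    """Classify sector 0 as intact or as one of the damage patterns a wiper leaves."""
    if len(sector) != SECTOR:
        raise ValueError("need exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        return "no_boot_signature"        # overwritten or zeroed sector
    if not parse_partition_table(sector):
        return "empty_partition_table"    # signature kept but partitions gone
    if not any(sector[:PART_TABLE_OFF]):
        return "boot_code_zeroed"         # table present, boot loader stub destroyed
    return "intact"


def triage_image(path: str) -> dict:
    """Read sector 0 of a raw disk image and report verdict plus surviving partitions."""
    with open(path, "rb") as fh:
        sector = fh.read(SECTOR)
    return {"verdict": classify_mbr(sector), "partitions": parse_partition_table(sector)}


def build_sample_mbr() -> bytes:
    """Constructed MBR: a few boot-code bytes, one bootable NTFS (0x07) partition at LBA 2048."""
    boot_code = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + bytes(PART_TABLE_OFF - 5)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    return boot_code + entry + bytes(48) + MBR_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr()
    for label, sector in [("sample", good), ("zeroed", bytes(SECTOR)),
                          ("table wiped", bytes(510) + MBR_SIGNATURE)]:
        print(f"{label:12} -> {classify_mbr(sector)} {parse_partition_table(sector)}")
```

On GPT disks the only MBR entry is the protective one (type 0xEE), so an "intact" verdict there says nothing about the GPT headers at LBA 1 and the end of the disk, which need their own check.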

ESET warned that in at least one of these attacks the wiper was not pushed to individual computers one at a time but was deployed directly from the Windows domain controller.

This indicates that the threat actors had access to these networks for some time.

“In one of the targeted organizations, the wiper was dropped via the default (domain policy) GPO meaning that attackers had likely taken control of the Active Directory server,” explains ESET.

For those interested in more technical details, you can follow SentinelOne researcher J. A. Guerrero-Saade’s analysis on Twitter.

Second wiper used in attacks on Ukraine

This data-wiper is the second one used against Ukrainian networks in the last two months.

In January, Microsoft disclosed that a destructive data-wiping malware disguised as ransomware was used in attacks against multiple Ukrainian organizations.

The January data-wiper was dubbed ‘WhisperGate’ and impersonated a ransomware attack, even targeting specific file extensions and dropping a ransom note.

However, this malware was actually a destructive data wiper that corrupts files and wipes the device’s Master Boot Record, making it impossible to boot into Windows or access files.

While the attacks have not been attributed to Russia, data wipers have been a tool used by Russian state-sponsored threat actors in the past.

A data-wiping attack was conducted in 2017 when threat actors targeted thousands of Ukrainian businesses with the NotPetya ransomware.

In 2020, the USA formally indicted Russian GRU hackers believed to be part of the elite Russian hacking group known as “Sandworm” for the NotPetya attacks.

Update 2/23/22 10:04 PM EST: Added statement from Symantec.
