eSentire Threat Intelligence Malware Analysis: HermeticWiper & PartyTicket

Recently, there have been multiple reports of new wiper malware observed targeting Ukrainian organizations as part of cyber warfare stemming from the ongoing Russia-Ukraine conflict. This new wiper malware, also known as HermeticWiper, was first detected in February 2022, and was deployed after a wave of multiple Distributed Denial of Service (DDoS) attacks launched by Russian threat actors against Ukrainian law enforcement and government agencies.

eSentire’s Threat Intelligence team has performed a technical malware analysis on HermeticWiper and PartyTicket. This technical analysis provides a detailed breakdown of how HermeticWiper fulfills its objective of accessing the Physical Drives and encrypting the targeted filetypes in the host device and network.

With the ongoing Russia-Ukraine conflict, it’s probable that threat actors from Russia and Ukraine will leverage new malware in the ongoing hybrid war and improve their malware development capabilities to evade detections.

Case Study

The destructive malware dubbed as ‘HermeticWiper’ by SentinelLabs was first detected by researchers at ESET on February 23^rd, 2022, at 10am EST. Five hours later, the Cyber Police of Ukraine reported DDoS attacks on several Ukrainian government agencies, including Cabinet of Ministers of Ukraine, Verkhovna Rada (unicameral parliament of Ukraine), Security Service of Ukraine, Ministry of Foreign Affairs, and other Ukrainian government organizations.

The reports stated that the DDoS attacks had been ongoing since February 15^th and linked the attacks, including numerous phishing attempts, to Russian threat actors. As part of these attacks, HermeticWiper was installed on hundreds of machines in Ukraine, but evidence of HermeticWiper was also found in Lithuania and Latvia.

On February 27^th Ukrainian border control was reported to be infected with HermeticWiper, which prevented refugees from being able to cross into Romania. Symantec also reported that the ransomware named PartyTicket was dropped on the compromised machines.

Initial Compromise

On February 24-25^th researchers at Symantec reported three potential initial vectors of compromise:

1. Ukraine, December 23, 2021 – The abuse of SMB on Microsoft Exchange Servers followed by credential stealing and web shell.
2. Lithuania, November 12, 2021 – Tomcat exploitation followed by the creation of scheduled tasks to gain persistence on the compromised system.
3. Ukraine, November 11, 2021 – An exploit abusing Microsoft SQL Elevation of Privilege Vulnerability (CVE-2021-1636).

Technical Analysis on HermeticWiper

SHA-256: 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da

HermeticWiper is a 32-bit executable written in C++ and at 114 KB, it’s over four times bigger than its predecessor, WhisperGate (27 KB). WhisperGate was also used as a decoy ransomware and destructive malware in January 2022 to target Ukrainian organizations. The compiler timestamp dates to December 28, 2021. However, it should be noted that the timestamp can be easily modified by the threat actors. The malware sample was signed by Hermetica Digital Ltd, a Cyprus-based company, and is valid from April 12, 2021 until April 14, 2022 (Exhibit 1). Based on this discovery, eSentire’s Threat Intelligence team has determined it’s probable that the malware was developed in April 2021.

The RCDATA resource (the raw data resource of an application) contains 4 drivers: DRV_X64, DRV_X86, DRV_XP_X64, DRV_XP_X86. The drivers are compressed with SZDD (Haruhiko Okumura's LZSS), a compression algorithm known to be used by Microsoft installation programs (Exhibit 2).

The decompressed drivers are signed by Chengdu YIWO Tech Development Co Ltd, the developer of EaseUS (Exhibit 3).

The implementation of EaseUS partition management driver in the wiper to access the file systems shows an improvement compared to WhisperGate. The drivers contain the program database (PDB) path, which contains debugging information, to: d:\epm\_epm_main\mod.windiskaccessdriver\windiskaccessdriver\objfre_wlh_x86\i386\epmntdrv.pdb

This indicates that the attackers abused the legitimate driver epmntdrv.sys developed by EaseUS to facilitate access to the physical drives of the victim’s machine.

The wiper will choose which driver to plant on the victim’s machine based on the Windows version, which uses major and minor conventions for its Operating Systems (OS). If the major and minor versions of the OS is greater or equal to 6 and 0 respectively, it will assign the DRV_X64, DRV_X86 drivers to it. Otherwise, it will assign DRV_XP_X64, DRV_XP_X86 drivers (Exhibit 4).

Please refer to the chart compiled by Microsoft that contains operating system version information for more information.

The wiper then assigns itself the following privileges:

• SeLoadDriverPrivilege – enables the user to unload and load device drivers in kernel mode. In our case, this will allow the threat actor to load the EaseUS drivers used to corrupt and destroy data.
• SeBackupPrivilege – provides an attacker with the ability to create system backups and full read permissions without further escalating the privileges.

A service named after the dropped system driver will be created by the wiper via the CreateServiceW API, which will point to C:\Windows\System32\drivers\rhdr.sys (Note that the driver’s name will be randomly created with 4 characters). After the service has successfully started, it will sleep for 1000 milliseconds (about 1 second) and then be marked for deletion, at which point the user cannot manually delete or stop it.

EPMNTDRV will be pointed to the path of the dropped system driver (Exhibit 5), and will also be used to retrieve the Physical Drive number via DeviceIoControl API (used to get information about the drive).

HermeticWiper initiates a loop that enumerates the Physical Drives to 100, in contrast to WhisperGate’s loop which is repeated up to 199 times (Exhibit 6). For every enumerated Physical Drive, the wiper will overwrite the first section of the master boot record (MBR) with 512 bytes, making the machine unbootable upon manual restart.

In addition to the drive enumeration, the wiper also looks for the following folders:

• Desktop
• My Documents
• AppData
• C:\Documents and Settings
• C:\Windows\System32\winevt\Logs
• Windows
• Program Files
• Program Files(x86)
• PerfLogs
• Boot
• System Volume Information
• AppData

Boot and System Volume Information are two important folders that are responsible for Windows operability. Boot folder stores the Boot Configuration Data (BCD) which contains information about the OS and boot parameters. Without the BCD file, Windows will not be able to boot. The System Volume Information folder is utilized by the System Restore tool to store the restore points.

The purpose of enumerating the above folders is unclear. It is notable that the threat actors crafted the malware to make sure all the folders and logs are wiped, and that the victim’s machine remains inoperable if the MBR wiping goes wrong. We believe it’s probable that this was done to clear logs to avoid detection and attribution.

Next, the crash dump logging is disabled by setting the registry value CrashDumpEnabled to 0 (Exhibit 7).

The Volume Shadow Copy Service (VSS) is also disabled via ChangeServiceConfigW API (the API allows to change the service configurations) through the SERVICE_DISABLED parameter (Exhibit 8).

The sample also queries for NTFS attribute types and metadata:

• $DATA
• $I30
• $INDEX_ALLOCATION
• $Bitmap (Keeps track of cluster allocation on NTFS volume)
• $Logfile (Logs all changes to the file system)

Other attributes such as $REPARSE_POINT and $LOGGED_UTILITY_STREAM were also found in the .rdata section but were never referenced by anything. The partition corruption is dependent on whether the system has NTFS or FAT partitions (Exhibit 9).

Technical Analysis of PartyTicket

SHA-256: 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

The ransomware sample is a 64-bit binary written in Golang with a size of 3.14 MB and an empty compilation timestamp. The following sections in the sample are responsible for determining the filetypes to encrypt, which directories to skip, drive letters to enumerate (Exhibit 10).

As mentioned previously, the function at _C__projects_403forBiden_wHiteHousE_baggageGatherings is enumerating through the drive letters from A to Z (Exhibit 11).

The function at __C__projects_403forBiden_wHiteHousE_init checks if the OS supports AVX (Advanced Vector Extensions that are supposed by Windows 7 SP1 and later) and is also responsible for folder and file manipulations as well as getting the time zone data.

The function at _C__projects_403forBiden_wHiteHousE_FileName gets up 55 file extensions and converts them to lower strings (Exhibit 12).

Approximately 54 file extensions get retrieved from memory for further encryption, not including the encrypted file extension, “.Encryptedjb” (Exhibit 13).

During the encryption process, the sample writes a ransomware note called “read_me.html” to the victim’s Desktop containing the contact information (Exhibit 14-15).

The ransomware implements AES-GCM encryption for the files (Exhibit 16). An RSA public key is also used to encrypt the AES key, which is base64-encoded and embedded in the encrypted file. Here is the decoded RSA-OAEP public key with exponent 65537:

The AES key is created with math/rand, which produces a pseudorandom (inevitably, deterministic) sequence of values. That means that the key can be easily obtained to decrypt the files. During the analysis, we observed the same AES 16-bit key being used to encrypt the file, “6FBBD7P95OE8UT5QRTTEBIWAR88S74DO”, because the same seed value is being used in the code (Exhibit 17).

All encrypted file names will have the following extension: “.[[email protected]].encryptedJB” and each encrypted file will contain the marker “ZVL2KH87ORH3OB1J1PO2SBHWJSNFSB4A” at the end.

During the encryption process, the main executable creates duplicates of itself in the working directory. Each duplicate is named with a GUID in the format “xxxxxxxx-11ec-xxx-000c29xxxxxx.exe” (Exhibit 18) and will copy itself using the same pattern with a command “cmd /c copy C:\workdir\xxxxxxxx-xxxx-11ec-xxxx-000c29xxxxxx.exe xxxxxxxx-xxxx-11ec-xxxx-000c29xxxxxx.exe (Exhibit 19).

The duplicated binaries are responsible for encrypting each file on the system, which significantly slows down the infected system. After the encryption, the binaries are removed from the directory, leaving only 200-300 copies. The encryption process can be easily stopped by terminating the process tree.

Comparing HermeticWiper, and PartyTicket to WhisperGate

From the technical analysis, we have derived that HermeticWiper is more sophisticated than WhisperGate in terms of implementing third-party drivers to facilitate access to the Physical Drives and modify its access token to enable interaction with the kernel. Moreover, the threat actor(s) behind HermeticWiper prevented the possibility of recovery by deleting shadow copies. Although the purpose of enumerating the critical parts of the OS is still not clear, we believe it’s probable that this was done to clear logs to avoid detection and attribution.

As mentioned previously, PartyTicket has been observed on machines infected with HermeticWiper. The technical analysis of PartyTicket indicates that the threat actor(s) implemented AES-GCM encryption along with RSA public key for the targeted file extensions, making the attack look almost like an actual ransomware attempt, whereas WhisperGate decoy ransomware only overwrote the targeted files with 0xCC bytes and corrupted MBR by overwriting it with a fake ransom note.

PartyTicket, the decoy ransomware, contains political messages based on the strings found mentioning “Biden” and a ransom note saying, “The only thing that we learned from new elections is we learned nothing from the old!”

HermeticWiper samples have different hashes but the same functionality. WhisperGate has only one known reported hash for the wiper sample, which likely means that HermeticWiper was able to spread across more machines than WhisperGate.

With the ongoing Russia-Ukraine conflict, it’s probable that threat actors from Russia and Ukraine will leverage new malware and that threat actors will likely improve their malware development capabilities to evade detection.

How eSentire is Responding

Our Threat Response Unit (TRU) combines intelligence gleaned from research, security incidents, and the external threat landscape to create actionable outcomes for our customers. We are taking a holistic response approach to combat modern ransomware by deploying countermeasures, such as:

• Developing threat detections to identify the initial and post-compromise activities of HermeticWiper and PartyTicket (HermeticRansom) and ensure these detections are in place across both eSentire MDR for Endpoint and MDR for Log.
• Performing global threat hunts for indicators associated with HermeticWiper and Party Ticket malware.

Our detection content is backed by investigation runbooks, ensuring our SOC cyber analysts respond rapidly to any intrusion attempt tied to known ransomware tactics, techniques, and procedures. In addition, our Threat Response Unit closely monitors the ransomware threat landscape and addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire’s Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against the HermeticWiper, and PartyTicket malware:

• Ensure that Microsoft Exchange and Apache Tomcat servers are patched and up to date. Specifically ensuring your organization has patched:
  • CVE-2020-0688 – Microsoft Exchange
  • CVE-2021-26855 – Microsoft Exchange
  • CVE-2021-26857 – Microsoft Exchange
  • CVE-2021-26858 – Microsoft Exchange
  • CVE-2021-27065 – Microsoft Exchange
• Patch any external-facing applications and devices on an ongoing basis. Conduct regular vulnerability scans to ensure your team is staying on top of identifying, and patching, all known vulnerabilities.
• Consider implementing a comprehensive vulnerability management program that includes continuous awareness of the threat landscape, vulnerability scanning to understand which systems are inadvertently exposed, and disciplined patch management.
• Ensure your team is enforcing strong password policies for all employees as part of strengthening your organization’s overall cyber hygiene.

While the Tactics, Techniques, and Procedures (TTPs) used by adversaries grow in sophistication, they lead to a limited set of choke points at which critical business decisions must be made. Intercepting the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.

eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you’re not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

Indicators of Compromise

Yara Rules

rule  HermeticWiper {

    meta:
        author = "eSentire TI"
        filetype = "Win32 EXE"
        date = "03/02/2022"
        version = "1.0"
        hash = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
    
    strings:
        $drv1 = "\\\\.\\PhysicalDrive%u" wide fullword
        $drv2 = "\\\\.\\EPMNTDRV\\%u" wide fullword
        $NTFS1 = "$Bitmap" wide fullword nocase 
        $NTFS2 = "$Logfile" wide fullword nocase
        $NTFS3 = "$I30" wide fullword nocase
        $rcdata1 = "DRV_X64" wide fullword nocase
        $rcdata2 = "DRV_X86" wide fullword nocase
        $rcdata3 = "DRV_XP_X86" wide fullword nocase
        $rcdata4 = "DRV_XP_X64" wide fullword nocase
        $storage1 = "GetLogicalDriveStrings" ascii nocase 
        $storage2 = "GetDiskFreeSpace" ascii nocase
    
    condition:
        (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f)
        and filesize > 113KB
        and (2 of ($drv*) and 3 of ($NTFS*) and 2 of ($rcdata*) and 2 of ($storage*))
        
}
rule  PartyTicket {

    meta:
        author = "eSentire TI"
        filetype = "Win64 EXE"
        date = "03/02/2022"
        version = "1.0"
        hash = "4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382"
    
    strings:
        $project = "C:/projects/403forBiden/wHiteHousE/wHiteHousE.go" ascii nocase
        $string1 = "vote_result.cap" ascii nocase
        $string2 = "main.subscribeNewPartyMember" ascii nocase
        $string3 = "main.voteFor403" ascii nocase
        $string4 = "main.highWay60" ascii nocase
        $string5 = "main.BulletinNumber" ascii nocase
    
    condition:
        (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f)
        and filesize > 3100KB
        and $project and 3 of ($string*)
        
}

Sources

• https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
• https://venturebeat.com/2022/02/27/ukraine-border-control-hit-with-wiper-cyberattack-slowing-refugee-crossing/
• https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1636
• https://docs.microsoft.com/
• https://pkg.go.dev/math/rand