Blog

eSentire Threat Intelligence Malware Analysis: HermeticWiper & PartyTicket

BY eSentire Threat Response Unit (TRU)

March 21, 2022 | 14 MINS READ

Attacks/Breaches

Threat Intelligence

Threat Response Unit

Want to learn more on how to achieve Cyber Resilience?

TALK TO AN EXPERT

IN THIS POST

Recently, there have been multiple reports of new wiper malware observed targeting Ukrainian organizations as part of cyber warfare stemming from the ongoing Russia-Ukraine conflict. This new wiper malware, also known as HermeticWiper, was first detected in February 2022, and was deployed after a wave of multiple Distributed Denial of Service (DDoS) attacks launched by Russian threat actors against Ukrainian law enforcement and government agencies.

eSentire’s Threat Intelligence team has performed a technical malware analysis on HermeticWiper and PartyTicket. This technical analysis provides a detailed breakdown of how HermeticWiper fulfills its objective of accessing the Physical Drives and encrypting the targeted filetypes in the host device and network.

With the ongoing Russia-Ukraine conflict, it’s probable that threat actors from Russia and Ukraine will leverage new malware in the ongoing hybrid war and improve their malware development capabilities to evade detections.

Key Takeaways:

  • HermeticWiper malware is more sophisticated than WhisperGate in terms of implementing third-party drivers to facilitate access to the Physical Drives as well as modifying its access token to enable interaction with the kernel.
  • HermeticWiper is abusing legitimate EaseUS partition management drivers to retrieve partition information and destroy data. This shows development maturity compared to WhisperGate.
  • The main purpose of the decoy ransomware (PartyTicket, also known as HermeticRansom) is to limit the victim’s interactions with the infected system.
  • Due to the poor implementation of the encryption algorithm or the coding error, PartyTicket cannot be considered as a sophisticated decoy ransomware, but it certainly made more improvements compared to WhisperGate.
  • The threat actor(s) behind HermeticWiper prevented the possibility of recovery by deleting shadow copies. It’s probable that this was done to clear logs to avoid detection and attribution.
  • As a result of this research, we have created an additional 5 detections to reduce the risk of this threat and are performing global threat hunts for indicators associated with HermeticWiper & Party Ticket malware.

Case Study

The destructive malware dubbed as ‘HermeticWiper’ by SentinelLabs was first detected by researchers at ESET on February 23rd, 2022, at 10am EST. Five hours later, the Cyber Police of Ukraine reported DDoS attacks on several Ukrainian government agencies, including Cabinet of Ministers of Ukraine, Verkhovna Rada (unicameral parliament of Ukraine), Security Service of Ukraine, Ministry of Foreign Affairs, and other Ukrainian government organizations.

The reports stated that the DDoS attacks had been ongoing since February 15th and linked the attacks, including numerous phishing attempts, to Russian threat actors. As part of these attacks, HermeticWiper was installed on hundreds of machines in Ukraine, but evidence of HermeticWiper was also found in Lithuania and Latvia.

On February 27th Ukrainian border control was reported to be infected with HermeticWiper, which prevented refugees from being able to cross into Romania. Symantec also reported that the ransomware named PartyTicket was dropped on the compromised machines.

Initial Compromise

On February 24-25th researchers at Symantec reported three potential initial vectors of compromise:

  1. Ukraine, December 23, 2021 – The abuse of SMB on Microsoft Exchange Servers followed by credential stealing and web shell.
  2. Lithuania, November 12, 2021 – Tomcat exploitation followed by the creation of scheduled tasks to gain persistence on the compromised system.
  3. Ukraine, November 11, 2021 – An exploit abusing Microsoft SQL Elevation of Privilege Vulnerability (CVE-2021-1636).

Technical Analysis on HermeticWiper

SHA-256: 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da

HermeticWiper is a 32-bit executable written in C++ and at 114 KB, it’s over four times bigger than its predecessor, WhisperGate (27 KB). WhisperGate was also used as a decoy ransomware and destructive malware in January 2022 to target Ukrainian organizations. The compiler timestamp dates to December 28, 2021. However, it should be noted that the timestamp can be easily modified by the threat actors. The malware sample was signed by Hermetica Digital Ltd, a Cyprus-based company, and is valid from April 12, 2021 until April 14, 2022 (Exhibit 1). Based on this discovery, eSentire’s Threat Intelligence team has determined it’s probable that the malware was developed in April 2021.

Exhibit 1: HermeticWiper digital signature


The RCDATA resource (the raw data resource of an application) contains 4 drivers: DRV_X64, DRV_X86, DRV_XP_X64, DRV_XP_X86. The drivers are compressed with SZDD (Haruhiko Okumura's LZSS), a compression algorithm known to be used by Microsoft installation programs (Exhibit 2).

Exhibit 2: HermeticWiper Resources


The decompressed drivers are signed by Chengdu YIWO Tech Development Co Ltd, the developer of EaseUS (Exhibit 3).

Exhibit 3: Digital Certificate of the extracted drivers


The implementation of EaseUS partition management driver in the wiper to access the file systems shows an improvement compared to WhisperGate. The drivers contain the program database (PDB) path, which contains debugging information, to: d:\epm\_epm_main\mod.windiskaccessdriver\windiskaccessdriver\objfre_wlh_x86\i386\epmntdrv.pdb

This indicates that the attackers abused the legitimate driver epmntdrv.sys developed by EaseUS to facilitate access to the physical drives of the victim’s machine.

The wiper will choose which driver to plant on the victim’s machine based on the Windows version, which uses major and minor conventions for its Operating Systems (OS). If the major and minor versions of the OS is greater or equal to 6 and 0 respectively, it will assign the DRV_X64, DRV_X86 drivers to it. Otherwise, it will assign DRV_XP_X64, DRV_XP_X86 drivers (Exhibit 4).

Please refer to the chart compiled by Microsoft that contains operating system version information for more information.

Exhibit 4: Assigning drivers to the appropriate OS


The wiper then assigns itself the following privileges:

A service named after the dropped system driver will be created by the wiper via the CreateServiceW API, which will point to C:\Windows\System32\drivers\rhdr.sys (Note that the driver’s name will be randomly created with 4 characters). After the service has successfully started, it will sleep for 1000 milliseconds (about 1 second) and then be marked for deletion, at which point the user cannot manually delete or stop it.

EPMNTDRV will be pointed to the path of the dropped system driver (Exhibit 5), and will also be used to retrieve the Physical Drive number via DeviceIoControl API (used to get information about the drive).

Exhibit 5: EPMTDRV pointing to the dropped driver


HermeticWiper initiates a loop that enumerates the Physical Drives to 100, in contrast to WhisperGate’s loop which is repeated up to 199 times (Exhibit 6). For every enumerated Physical Drive, the wiper will overwrite the first section of the master boot record (MBR) with 512 bytes, making the machine unbootable upon manual restart.

Exhibit 6: Drive Enumeration


In addition to the drive enumeration, the wiper also looks for the following folders:

Boot and System Volume Information are two important folders that are responsible for Windows operability. Boot folder stores the Boot Configuration Data (BCD) which contains information about the OS and boot parameters. Without the BCD file, Windows will not be able to boot. The System Volume Information folder is utilized by the System Restore tool to store the restore points.

The purpose of enumerating the above folders is unclear. It is notable that the threat actors crafted the malware to make sure all the folders and logs are wiped, and that the victim’s machine remains inoperable if the MBR wiping goes wrong. We believe it’s probable that this was done to clear logs to avoid detection and attribution.

Next, the crash dump logging is disabled by setting the registry value CrashDumpEnabled to 0 (Exhibit 7).

Exhibit 7: Disabling crash dump by setting the registry key to 0


The Volume Shadow Copy Service (VSS) is also disabled via ChangeServiceConfigW API (the API allows to change the service configurations) through the SERVICE_DISABLED parameter (Exhibit 8).

Exhibit 8: Disabling Volume Shadow Copy Service (VSS)


The sample also queries for NTFS attribute types and metadata:

Other attributes such as $REPARSE_POINT and $LOGGED_UTILITY_STREAM were also found in the .rdata section but were never referenced by anything. The partition corruption is dependent on whether the system has NTFS or FAT partitions (Exhibit 9).

Exhibit 9: Different partition corruption capabilities based on NTFS and FAT

Technical Analysis of PartyTicket

SHA-256: 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

The ransomware sample is a 64-bit binary written in Golang with a size of 3.14 MB and an empty compilation timestamp. The following sections in the sample are responsible for determining the filetypes to encrypt, which directories to skip, drive letters to enumerate (Exhibit 10).

Exhibit 10: Sections mentioning “Biden”


As mentioned previously, the function at _C__projects_403forBiden_wHiteHousE_baggageGatherings is enumerating through the drive letters from A to Z (Exhibit 11).

Exhibit 11: Drive letter enumeration


The function at __C__projects_403forBiden_wHiteHousE_init checks if the OS supports AVX (Advanced Vector Extensions that are supposed by Windows 7 SP1 and later) and is also responsible for folder and file manipulations as well as getting the time zone data.

The function at _C__projects_403forBiden_wHiteHousE_FileName gets up 55 file extensions and converts them to lower strings (Exhibit 12).

Exhibit 12: Retrieving file extensions


Approximately 54 file extensions get retrieved from memory for further encryption, not including the encrypted file extension, “.Encryptedjb” (Exhibit 13).

Exhibit 13: Populating the extensions from memory


.docx .doc .odt .pdf .xls .xlsx .rtf
.ppt .pptx .one .xps .pub .vsd .txt
.jpg .jpeg .bmp .ico .png .gif .sql
.xml .pgsql .zip .rar .exe .msi .vdif
.ova .avi .dip .epub .iso .sfx .inc
.contact .url .mp3 .wmv .wma .wtv .avi
.acl .cfg .chm .crt .css .dat .dll
.cab .htm .html

During the encryption process, the sample writes a ransomware note called “read_me.html” to the victim’s Desktop containing the contact information (Exhibit 14-15).

Exhibit 14: Creating read_me.html ransomware note


Exhibit 15: Ransomware note (read_me.html)


The ransomware implements AES-GCM encryption for the files (Exhibit 16). An RSA public key is also used to encrypt the AES key, which is base64-encoded and embedded in the encrypted file. Here is the decoded RSA-OAEP public key with exponent 65537:

{“N”:25717750538564445875883770450315010157700597087507334907403500443913073702720939931824608270980020206566017538751505629421265104974103147570147793053042036863191254946923781676642090335412731279862111354061120228616841376992917732378943779121050854967382946609942428983247336676216790986210080736803862945150526472173167906828929762505592535870383583936487111702345068645085659309737832227242430435624646519262394891097897303125875418724226485960819950080048563760122492117729591949924833142856225432439701811178348276860736565390543324668247780303411465497265471890279550350192239339342142099892835177175612362030619,"E":65537}

Exhibit 16: AES-GCM encryption


The AES key is created with math/rand, which produces a pseudorandom (inevitably, deterministic) sequence of values. That means that the key can be easily obtained to decrypt the files. During the analysis, we observed the same AES 16-bit key being used to encrypt the file, “6FBBD7P95OE8UT5QRTTEBIWAR88S74DO”, because the same seed value is being used in the code (Exhibit 17).

All encrypted file names will have the following extension: “.[[email protected]].encryptedJB” and each encrypted file will contain the marker “ZVL2KH87ORH3OB1J1PO2SBHWJSNFSB4A” at the end.

Exhibit 17: AES key creation using math/rand


During the encryption process, the main executable creates duplicates of itself in the working directory. Each duplicate is named with a GUID in the format “xxxxxxxx-11ec-xxx-000c29xxxxxx.exe” (Exhibit 18) and will copy itself using the same pattern with a command “cmd /c copy C:\workdir\xxxxxxxx-xxxx-11ec-xxxx-000c29xxxxxx.exe xxxxxxxx-xxxx-11ec-xxxx-000c29xxxxxx.exe (Exhibit 19).

The duplicated binaries are responsible for encrypting each file on the system, which significantly slows down the infected system. After the encryption, the binaries are removed from the directory, leaving only 200-300 copies. The encryption process can be easily stopped by terminating the process tree.

Exhibit 18: Duplicated binaries in the working directory


Exhibit 19: Duplication process

Comparing HermeticWiper, and PartyTicket to WhisperGate

From the technical analysis, we have derived that HermeticWiper is more sophisticated than WhisperGate in terms of implementing third-party drivers to facilitate access to the Physical Drives and modify its access token to enable interaction with the kernel. Moreover, the threat actor(s) behind HermeticWiper prevented the possibility of recovery by deleting shadow copies. Although the purpose of enumerating the critical parts of the OS is still not clear, we believe it’s probable that this was done to clear logs to avoid detection and attribution.

As mentioned previously, PartyTicket has been observed on machines infected with HermeticWiper. The technical analysis of PartyTicket indicates that the threat actor(s) implemented AES-GCM encryption along with RSA public key for the targeted file extensions, making the attack look almost like an actual ransomware attempt, whereas WhisperGate decoy ransomware only overwrote the targeted files with 0xCC bytes and corrupted MBR by overwriting it with a fake ransom note.

PartyTicket, the decoy ransomware, contains political messages based on the strings found mentioning “Biden” and a ransom note saying, “The only thing that we learned from new elections is we learned nothing from the old!”

HermeticWiper samples have different hashes but the same functionality. WhisperGate has only one known reported hash for the wiper sample, which likely means that HermeticWiper was able to spread across more machines than WhisperGate.

With the ongoing Russia-Ukraine conflict, it’s probable that threat actors from Russia and Ukraine will leverage new malware and that threat actors will likely improve their malware development capabilities to evade detection.

How eSentire is Responding

Our Threat Response Unit (TRU) combines intelligence gleaned from research, security incidents, and the external threat landscape to create actionable outcomes for our customers. We are taking a holistic response approach to combat modern ransomware by deploying countermeasures, such as:

Our detection content is backed by investigation runbooks, ensuring our SOC cyber analysts respond rapidly to any intrusion attempt tied to known ransomware tactics, techniques, and procedures. In addition, our Threat Response Unit closely monitors the ransomware threat landscape and addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire’s Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against the HermeticWiper, and PartyTicket malware:

While the Tactics, Techniques, and Procedures (TTPs) used by adversaries grow in sophistication, they lead to a limited set of choke points at which critical business decisions must be made. Intercepting the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.

eSentire’s Threat Response Unit (TRU) is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you’re not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

Indicators of Compromise

Name File Hash (SHA-256)
HermeticWiper 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
HermeticWiper 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
HermeticWiper 3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767
HermeticWiper 06086c1da4590dcc7f1e10a6be3431e1166286a9e7761f2de9de79d7fda9c397
HermeticWiper 2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
PartyTicket 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382
RCDATA_DRV_X64 e5f3ef69a534260e899a36cec459440dc572388defd8f1d98760d31c700f42d5
RCDATA_DRV_X86 b01e0c6ac0b8bcde145ab7b68cf246deea9402fa7ea3aede7105f7051fe240c1
RCDATA_DRV_XP_X64 b6f2e008967c5527337448d768f2332d14b92de22a1279fd4d91000bb3d4a0fd
RCDATA_DRV_XP_X86 fd7eacc2f87aceac865b0aa97a50503d44b799f27737e009f91f3c281233c17d

Yara Rules

rule  HermeticWiper {

    meta:
        author = "eSentire TI"
        filetype = "Win32 EXE"
        date = "03/02/2022"
        version = "1.0"
        hash = "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da"
    
    strings:
        $drv1 = "\\\\.\\PhysicalDrive%u" wide fullword
        $drv2 = "\\\\.\\EPMNTDRV\\%u" wide fullword
        $NTFS1 = "$Bitmap" wide fullword nocase 
        $NTFS2 = "$Logfile" wide fullword nocase
        $NTFS3 = "$I30" wide fullword nocase
        $rcdata1 = "DRV_X64" wide fullword nocase
        $rcdata2 = "DRV_X86" wide fullword nocase
        $rcdata3 = "DRV_XP_X86" wide fullword nocase
        $rcdata4 = "DRV_XP_X64" wide fullword nocase
        $storage1 = "GetLogicalDriveStrings" ascii nocase 
        $storage2 = "GetDiskFreeSpace" ascii nocase
    
    condition:
        (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f)
        and filesize > 113KB
        and (2 of ($drv*) and 3 of ($NTFS*) and 2 of ($rcdata*) and 2 of ($storage*))
        
}
rule  PartyTicket {

    meta:
        author = "eSentire TI"
        filetype = "Win64 EXE"
        date = "03/02/2022"
        version = "1.0"
        hash = "4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382"
    
    strings:
        $project = "C:/projects/403forBiden/wHiteHousE/wHiteHousE.go" ascii nocase
        $string1 = "vote_result.cap" ascii nocase
        $string2 = "main.subscribeNewPartyMember" ascii nocase
        $string3 = "main.voteFor403" ascii nocase
        $string4 = "main.highWay60" ascii nocase
        $string5 = "main.BulletinNumber" ascii nocase
    
    condition:
        (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f)
        and filesize > 3100KB
        and $project and 3 of ($string*)
        
}

Sources

eSentire Unit
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Read the Latest from eSentire