HermeticWiper is a data and MBR wiper that has been targeting Ukraine and is allegedly linked to Russia. It intentionally wipes data on a device, making it unrecoverable. It also deletes the MBR of the machine so that the operating system will not boot again. This data wiper is the second one used against Ukrainian networks in the last two months; the first one was WhisperGate Wiper.
Update: a HermeticWiper ransomware variant is also active alongside the wiper.
HermeticWiper YARA Rules
rule MAL_HERMETIC_WIPER {
    meta:
        desc = "HermeticWiper - broad hunting rule"
        author = "Friends @ SentinelLabs"
        version = "1.0"
        last_modified = "02.23.2022"
        hash = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
    strings:
        $string1 = "DRV_XP_X64" wide ascii nocase
        $string2 = "EPMNTDRV\\%u" wide ascii nocase
        $string3 = "PhysicalDrive%u" wide ascii nocase
        $cert1 = "Hermetica Digital Ltd" wide ascii nocase
    condition:
        uint16(0) == 0x5A4D and
        all of them
}
HermeticWiper Malware Signatures
Family: A Variant Of Win32/KillDisk.NCV
MD5: 3f4a16b29f2f0532b7ce3e7656799125
SHA256: 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
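As an added example (not code from the original page or from the rule's authors), the following Python reimplements the condition of the MAL_HERMETIC_WIPER rule above in pure Python, approximating the `wide ascii nocase` modifiers, and pairs it with the SHA256 indicator from the signature block so a single buffer can be triaged offline. The sample buffers are constructed here for illustration and are not real malware; the function names are assumptions.

```python
import hashlib

# Strings and hash copied from the MAL_HERMETIC_WIPER rule and the signature
# block on this page; everything else in this file is added illustration.
RULE_STRINGS = {
    "string1": "DRV_XP_X64",
    "string2": "EPMNTDRV\\%u",
    "string3": "PhysicalDrive%u",
    "cert1": "Hermetica Digital Ltd",
}
KNOWN_SHA256 = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"


def evaluate_rule(data: bytes) -> dict:
    """Mirror the rule's condition: MZ header and all four strings present."""
    # `nocase` is approximated by folding ASCII letters in the buffer and the
    # needle; `wide ascii` by searching both the ASCII and UTF-16LE encodings.
    haystack = data.lower()                      # bytes.lower() folds ASCII letters only
    hits = {}
    for name, text in RULE_STRINGS.items():
        needle = text.lower()
        hits[name] = (needle.encode("ascii") in haystack
                      or needle.encode("utf-16-le") in haystack)
    is_mz = data[:2] == b"MZ"                    # uint16(0) == 0x5A4D, little-endian
    return {"is_mz": is_mz, "strings": hits, "match": is_mz and all(hits.values())}


def triage(data: bytes) -> dict:
    """Combine the exact-hash IoC with the broader hunting rule for one sample."""
    digest = hashlib.sha256(data).hexdigest()
    result = evaluate_rule(data)
    result["sha256"] = digest
    result["known_sample"] = digest == KNOWN_SHA256
    return result


# Constructed sample buffers (not real malware): a minimal MZ header followed by
# the rule's strings in mixed case and in both ASCII and UTF-16LE forms.
SAMPLE_HIT = (
    b"MZ" + b"\x00" * 62
    + b"drv_xp_x64\x00"
    + "EPMNTDRV\\%u".encode("utf-16-le")
    + b"PhysicalDrive%u\x00"
    + "hermetica digital ltd".encode("utf-16-le")
)
SAMPLE_MISS = b"MZ" + b"\x00" * 62 + b"PhysicalDrive%u\x00"

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(label, triage(buf))
```

The hash check only catches the exact file listed above, while the string check behaves like the hunting rule and will also flag recompiled or repacked builds that keep the driver names and signer string; the missing-string sample shows why `all of them` matters for keeping false positives down.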
HermeticWiper Malware Download