Data-wiping malware dubbed HermeticWiper has impacted hundreds of machines and networks geolocated in Ukraine. It is malware designed not just to infect machines but to destroy them.
HermeticWiper has been active since Feb. 23, 2022, and has impacted machines and networks in Ukraine. The name attributed to this malware, “HermeticWiper,” is based on a digital certificate stolen from a company called Hermetica Digital Ltd. Among the features its authors built in, HermeticWiper can bypass Windows security features and gain write permissions to many low-level data structures on disk. One of the destructive procedures implemented by its developers is the capacity to overwrite fragments of the disk to make the recovery process impossible.
Figure 1: Tweet by ESET reporting the malicious IoCs related to HermeticWiper (source).
This malware tries to bypass some security features by using a legitimate code-signing certificate issued to Hermetica Digital Ltd. The name of the malware is directly related to this finding.
Figure 2: Code-signing certificate of Hermetica Digital Ltd used by the HermeticWiper malware.
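Two of the indicators this article relies on, the presence of an Authenticode signature and binaries embedded as RCDATA resources (the next section notes four of them inside a 114 KB file), can be checked without running the sample. The following is an added triage helper written for this article; it is not code from the original post or from ESET. It uses only the Python standard library, parses the PE headers, resource tree and security data directory directly, and builds its own constructed PE32 image (placeholder resource blobs, placeholder certificate header) as test input, so no real sample is needed. It reports whether a signature blob is present, which is not the same as the signature being valid or the certificate being legitimately held.

```python
import struct

RT_RCDATA = 10        # resource type id for raw binary blobs
DIR_RESOURCE = 2      # IMAGE_DIRECTORY_ENTRY_RESOURCE
DIR_SECURITY = 4      # IMAGE_DIRECTORY_ENTRY_SECURITY: Authenticode blob, addressed by file offset


def _headers(pe):
    """Parse DOS/NT headers; return (data directories, section table)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    opt = nt + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:            # PE32: NumberOfRvaAndSizes at +92, directories at +96
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:          # PE32+: at +108 / +112
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic")
    n_dirs = struct.unpack_from("<I", pe, n_dirs_off)[0]
    dirs = [struct.unpack_from("<II", pe, dirs_off + 8 * i) for i in range(n_dirs)]
    sec = opt + opt_size
    # each section: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [struct.unpack_from("<IIII", pe, sec + 40 * i + 8) for i in range(n_sections)]
    return dirs, sections


def _rva_to_offset(rva, sections):
    for vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def has_authenticode_blob(pe):
    """True if the security directory is non-empty: a signature is present, not that it is valid."""
    dirs, _ = _headers(pe)
    return len(dirs) > DIR_SECURITY and dirs[DIR_SECURITY][1] > 0


def resource_sizes_by_type(pe):
    """Walk the type -> id -> language tree; return {type_id: [size of each leaf blob]}."""
    dirs, sections = _headers(pe)
    if len(dirs) <= DIR_RESOURCE or dirs[DIR_RESOURCE][1] == 0:
        return {}
    base = _rva_to_offset(dirs[DIR_RESOURCE][0], sections)
    found = {}

    def walk(dir_off, depth, type_id):
        named, ids = struct.unpack_from("<HH", pe, base + dir_off + 12)
        for i in range(named + ids):
            name, off = struct.unpack_from("<II", pe, base + dir_off + 16 + 8 * i)
            if depth == 0:
                type_id = name            # level 0 entries are resource types
            if off & 0x80000000:          # high bit set: entry points to a subdirectory
                walk(off & 0x7FFFFFFF, depth + 1, type_id)
            else:                         # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData, Size, CodePage, Reserved
                found.setdefault(type_id, []).append(struct.unpack_from("<I", pe, base + off + 4)[0])

    walk(0, 0, None)
    return found


def triage(pe):
    """Summary an analyst looks at first: file size, signature presence, embedded RCDATA blobs."""
    rcdata = resource_sizes_by_type(pe).get(RT_RCDATA, [])
    return {"size": len(pe), "signed": has_authenticode_blob(pe),
            "rcdata_count": len(rcdata), "rcdata_sizes": sorted(rcdata)}


def build_sample_pe(rcdata_sizes, signed):
    """Constructed PE32 test image with one RCDATA resource per size (not a real sample)."""
    n = len(rcdata_sizes)
    rsrc_rva, raw, type_dir, id_dirs = 0x2000, 0x200, 24, 40 + 8 * n
    data_entries, blobs = id_dirs + 24 * n, id_dirs + 24 * n + 16 * n
    r = bytearray(struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1))          # root: one type entry
    r += struct.pack("<II", RT_RCDATA, 0x80000000 | type_dir)
    r += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, n)                    # type dir: n id entries
    r += b"".join(struct.pack("<II", 101 + i, 0x80000000 | (id_dirs + 24 * i)) for i in range(n))
    for i in range(n):                                               # id dir: one language leaf
        r += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 0x409, data_entries + 16 * i)
    off = blobs
    for sz in rcdata_sizes:
        r += struct.pack("<IIII", rsrc_rva + off, sz, 0, 0)
        off += sz
    r += b"".join(b"\x90" * sz for sz in rcdata_sizes)               # placeholder payload bytes
    opt = bytearray(224)                                             # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * DIR_RESOURCE, rsrc_rva, len(r))
    cert = b""
    if signed:  # placeholder WIN_CERTIFICATE: dwLength, wRevision 0x0200, type 2 (PKCS#7), dummy body
        cert = struct.pack("<IHH", 8 + 32, 0x200, 2) + b"\x00" * 32
        struct.pack_into("<II", opt, 96 + 8 * DIR_SECURITY, raw + len(r), len(cert))
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = b".rsrc".ljust(8, b"\0") + struct.pack("<IIII", len(r), rsrc_rva, len(r), raw) + b"\0" * 16
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr.ljust(raw, b"\0") + bytes(r) + cert


if __name__ == "__main__":
    print(triage(build_sample_pe([300, 1200, 64, 2048], signed=True)))
```

On a real file, `triage(open(path, "rb").read())` gives the same summary; a non-empty security directory only tells you a signature blob is attached, so the issuer, the certificate's revocation status and the signature's validity still have to be verified separately, exactly the check that a stolen but otherwise genuine certificate is meant to slip past.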
Digging into the details
HermeticWiper is a simple PE file of only 114 KB in size, but it carries four binaries in its RCDATA resource section. Observing the