Threat Advisory: HermeticWiper

Cisco Talos is aware of a second wave of wiper attacks ongoing inside Ukraine, leveraging a new wiper that has been dubbed “HermeticWiper.” Deployment of the destructive malware began on Feb. 23, 2022. HermeticWiper features behavioral characteristics similar to what was observed during the WhisperGate attacks that occurred in January. The malware has two components designed for destruction: one that targets the Master Boot Record (MBR) and another targeting partitions.Wiper analysis
The wiper is a relatively small executable — approximately 115KB in size — with a majority of it consisting of embedded resources. This executable is signed with a digital signature issued to “Hermetica Digital Ltd” valid from April 2021 to April 2022.

Digital certificate on the wiper executables.
One of the wiper executables was compiled on Feb. 23, 2022 and saw deployment the very same day. While another copy of the wiper was compiled as early as Dec. 28, 2021, indicating that the attackers have been working on developing the wiper for several months.
Compilation timestamp of one of the earliest known HermeticWiper samples.
Embedded Resources
Hermetic wiper consists of four embedded resources. These resources are compressed copies of drivers used by the

Read More: