Sunday, June 29, 2025

New PathWiper data wiper malware hits critical infrastructure in Ukraine


A new data wiper malware named ‘PathWiper’ is being used in targeted attacks against critical infrastructure in Ukraine, aimed at disrupting operations in the country.

The payload was deployed through a legitimate endpoint management tool, indicating that the attackers had gained administrative access to the system through a prior compromise.

Cisco Talos researchers who discovered the attack attributed it with high confidence to a Russia-linked advanced persistent threat (APT).

The researchers compare PathWiper to HermeticWiper, previously deployed in Ukraine by the ‘Sandworm’ threat group, which had similar functionality.

Therefore, PathWiper may be an evolution of HermeticWiper, used in attacks by the same or overlapping threat clusters.

PathWiper’s destructive capabilities

PathWiper executes on targeted systems via a Windows batch file that launches a malicious VBScript (uacinstall.vbs), which in turn drops and executes the primary payload (sha256sum.exe) (VirusTotal).

The execution mimics the behavior and names associated with a legitimate admin tool to evade detection.
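A defender-side check for the launch chain just described, written as an added example that is not code from the article or from Cisco Talos: it walks simplified process-creation records (the record layout and sample events are constructed here; only the names uacinstall.vbs and sha256sum.exe come from the report) and flags a sha256sum.exe process only when its parent is a script host running uacinstall.vbs, so a legitimate sha256sum binary is not flagged on its name alone.

```python
# Added example, not code from the article or Cisco Talos: flag the reported
# PathWiper launch chain (batch -> script host running uacinstall.vbs -> sha256sum.exe)
# in simplified process-creation records. Record layout and sample events are constructed.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DROPPER_SCRIPT = "uacinstall.vbs"   # VBScript name from the report
PAYLOAD_NAME = "sha256sum.exe"      # payload name from the report

# Constructed sample: one PathWiper-style chain plus a benign sha256sum.exe run.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Temp\deploy.bat"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Temp\uacinstall.vbs"},
    {"pid": 102, "ppid": 101, "image": r"C:\Temp\sha256sum.exe",
     "cmdline": r"C:\Temp\sha256sum.exe"},
    {"pid": 200, "ppid": 1, "image": r"C:\Program Files\Git\usr\bin\sha256sum.exe",
     "cmdline": r"sha256sum.exe image.iso"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_pathwiper_chains(events):
    """Return one dict per payload process whose parent is a script host running
    uacinstall.vbs. Matching on sha256sum.exe alone would also hit the legitimate
    tool of that name (e.g. from Git for Windows), so the parent check is required;
    a cmd.exe grandparent (the batch file) is recorded as extra evidence only."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != PAYLOAD_NAME:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        if DROPPER_SCRIPT not in parent["cmdline"].lower():
            continue
        grandparent = by_pid.get(parent["ppid"])
        hits.append({
            "payload_pid": e["pid"],
            "script_pid": parent["pid"],
            "batch_launched": bool(grandparent) and basename(grandparent["image"]) == "cmd.exe",
        })
    return hits
```

On the constructed sample this reports only pid 102; the Git-for-Windows sha256sum run (pid 200) is ignored because its parent is not a script host.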

Instead of simply enumerating physical drives like HermeticWiper, PathWiper programmatically identifies all connected drives (local, network, dismounted) on the system.

Next, it abuses Windows APIs to dismount volumes to prepare them for corruption and then creates threads for each volume to overwrite critical NTFS structures.

Among the targeted system files in the root directory of the NTFS are:

MBR (Master Boot Record): The first sector of a physical disk holding the bootloader and partition table.
$MFT (Master File Table): Core NTFS system file that catalogs all files and directories, including their metadata and locations on the disk.
$LogFile: Journal used for NTFS transaction logging, tracking file changes, and helping with integrity checking and recovery.
$Boot: File containing boot sector and filesystem layout information.

PathWiper overwrites the above and another five critical NTFS files with random bytes, rendering impacted systems completely inoperable.

The observed attacks do not involve extortion or any form of financial demands, so their sole intention is destruction and operational disruption.

Cisco Talos published file hashes and Snort rules to help detect the threat and stop it before it corrupts the drives.

Data wipers have become a powerful tool in attacks on Ukraine since the war began, with Russian threat actors commonly using them to disrupt critical operations in the country.

These include wipers named DoubleZero, CaddyWiper, HermeticWiper, IsaacWiper, WhisperKill, WhisperGate, and AcidRain.

