From the Labs: YARA Rule for Detecting Malware Wipers

As new cyber threats appear, our team of threat analysts are constantly working to respond and provide our customers - and the security community - with information and tools to defend their systems from attacks. Open source YARA rules for newly identified threats are a big part of this effort. Written by our threat analysts, our high-quality YARA rules are intended for threat hunters, incident responders, security analysts, and other defenders.

Our detection rules are high fidelity. As opposed to hunting rules, these detection rules must satisfy certain criteria to be eligible for deployment, namely: they must be as precise as possible, without losing detection quality. Also, our YARA rules aim to provide zero false-positive detections.

Below, you will find descriptions and links to our team’s newly published YARA rules. To understand more about the prerequisites for using them and also how to best deploy these, consult our Github page.

Detecting Weapons of Cyber Warfare

After the deployment of several cyber attacks on Ukraine’s institutions, our team responded with three new YARA rules, each of them containing conditions to detect these malicious threats.

HermeticWiper

HermeticWiper is a trojan malware that has been the primary cyber weapon currently being used on Ukraine’s government and financial institutions. First discovered by researchers at ESET, HermeticWiper was delivered in a coordinated campaign against pre-determined and localized targets in Ukraine. Analysis at SentinelLabs shows that the wiper malware specifically targets Windows devices, manipulating the master boot record (MBR) to cause boot failure. Though detected in Ukraine, HermeticWiper is capable of spreading beyond the country’s borders.

Link: Win32.Trojan.HermeticWiper.yara

IsaacWiper

Similar to HermeticWiper, IsaacWiper is also a trojan malware that wipes data on the systems it infects, making them inoperable. It was also discovered by ESET researchers, on the same day (February 24) that Russia began its invasion of Ukraine.

To spread the IsaacWiper malware within their victims’ environments, attackers used RemCom, a remote access tool, and possibly Impacket, according to ESET. While it’s been used against similar targets as HermeticWiper, it is less sophisticated. For example, unlike HermeticWiper, IsaacWiper does not feature a signed executable and has a less advanced feature set.

Link: Win32.Trojan.IsaacWiper.yara

CaddyWiper

This third wiper malware was also discovered by ESET researchers, but two weeks after Russia advanced its military into Ukraine. The firm found that the malware was compiled just two hours before its deployment.

CaddyWiper destroys user data and partitions from attached drives, similar to its predecessors. However, this malware family does not share major coding similarities with either HermeticWiper or IsaacWiper, and it stands alone in lacking a digital signature. The malware’s other unique trait is that it does not destroy domain controllers. This is probably a way for attackers to hold onto their access to an organization’s systems while continuing to disturb the entity’s operations, according to ESET. So far the wiper malware has been used to target systems belonging to a variety of entities, both in the government and financial sectors of Ukraine.

Link: Win32.Trojan.CaddyWiper.yara

The Work Doesn’t Stop Here

ReversingLabs’ team of analysts are constantly surveying the threat landscape in an effort to better serve our customers and the greater security community. As the situation in Ukraine continues to evolve, we will continue to update you about new threats, attacks and threat indicators. Don’t hesitate to contact us if you’d like to learn more about how we help organizations combat threats like malicious wipers and ransomware or to schedule a demonstration.