A brand new information wiper malware named ‘PathWiper’ is being utilized in focused assaults towards vital infrastructure in Ukraine, aimed toward disrupting operations within the nation.
The payload was deployed by means of a authentic endpoint administration instrument, indicating that attackers had achieved administrative entry to the system by means of a previous compromise.
Cisco Talos researchers who found the assault attributed it with excessive confidence to a Russia-linked superior persistent menace (APT).
The researchers evaluate PathWiper to HermeticWiper, beforehand deployed in Ukraine by the ‘Sandworm’ menace group, which had comparable performance.
Therefore, PathWiper could also be an evolution of HermeticWiper, utilized in assaults by the identical or overlapping menace clusters.
PathWiper’s damaging capabilities
PathWiper executes on track programs by way of a Home windows batch file that launches a malicious VBScript (uacinstall.vbs), that in flip drops and executes the first payload (sha256sum.exe) [VirusTotal].
The execution mimics the conduct and names related to a authentic admin instrument to evade detection.
As an alternative of merely enumerating bodily drives like HermeticWiper, PathWiper programmatically identifies all linked drives (native, community, dismounted) on the system.
Subsequent, it abuses Home windows APIs to dismount volumes to organize them for corruption after which creates threads for every quantity to overwrite vital NTFS buildings.
Among the many focused system information within the root listing of the NTFS are:
- MBR (Grasp Boot Report): The primary sector of a bodily disk holding the bootloader and partition desk.
- $MFT (Grasp File Desk): Core NTFS system file that catalogs all information and directories, together with their metadata and areas on the disk.
- $LogFile: Journal is used for NTFS transaction logging, monitoring file modifications, and serving to with integrity checking and restoration.
- $Boot: File containing boot sector and filesystem structure data.
PathWiper overwrites the above and one other 5 vital NTFS information with random bytes, rendering impacted programs utterly inoperable.
The noticed assaults don’t contain extortion or any type of monetary calls for, so their sole goal is destruction and operational disruption.
Cisco Talos revealed file hashes and snort guidelines to assist detect the menace and cease it earlier than it corrupts the drives.
Information wipers have grow to be a strong instrument in assaults on Ukraine for the reason that struggle started, with Russian menace actors generally utilizing them to disrupt vital operations within the nation.
This contains wipers named DoubleZero, CaddyWiper, HermeticWiper, IsaacWiper, WhisperKill, WhisperGate, and AcidRain.
Guide patching is outdated. It is gradual, error-prone, and hard to scale.
Be part of Kandji + Tines on June 4 to see why outdated strategies fall brief. See real-world examples of how trendy groups use automation to patch sooner, reduce threat, keep compliant, and skip the complicated scripts.
