February 24, 2022

Trojan.Killdisk/HermeticWiper, Disk-wiping malware

Industry: Aviation, Defense, Financial, Information Technology | Level: Tactical | Source: Symantec

Symantec reports findings on Trojan.Killdisk (also tracked as HermeticWiper), a disk-wiping malware first reported on February 24, 2022, shortly before the Russian invasion of Ukraine. The malware renders victim hosts inoperable by corrupting the Master Boot Record (MBR) and leaves no mechanism for recovery. Symantec's investigation is still active; early findings identified a Lithuanian organization as one victim, which appears to have been compromised sometime in November 2021. Attackers staged files and set up persistence on November 12, 2021. The next activity of interest was observed on February 22, 2022, when the wiper was executed; immediately beforehand, the attackers used certutil to perform a connectivity check, collected credentials by dumping LSASS memory with comsvcs.dll, and ran multiple PowerShell scripts. Ransomware was also deployed, but it appeared to be a decoy intended to distract from the wiper attack.

  • Anvilogic Scenarios:
    • Initial Trojan.Killdisk/HermeticWiper Behaviors
    • Trojan.Killdisk/HermeticWiper Behaviors
  • Anvilogic Use Cases:
    • comsvcs.dll Lsass Memory Dump
    • Certutil Execution
    • Create/Modify Schtasks
    • Windows Admin$ Share Access
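As an added example, not Symantec's findings or Anvilogic's own detection content, the script below encodes the four use cases listed above as checks over constructed process-creation and network-share-access events modelled on the pre-wiper activity described in the summary (certutil connectivity check, comsvcs.dll LSASS dump, scheduled-task persistence, ADMIN$ access), then groups the hits per user to approximate the scenario-level view. All host names, user names, PIDs, paths and command lines are assumptions constructed for the example, not indicators from the investigation.

```python
"""Detection checks for the four use cases above, run over constructed sample
events. Event shapes loosely follow Sysmon Event 1 / Security 4688 (process
creation) and Security 5140 (network share object accessed); the sample data
is invented for this example and is not telemetry from the Symantec case."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str              # "process" or "share"
    host: str
    user: str = ""
    image: str = ""        # full path of the created process (process events)
    cmdline: str = ""      # command line of the created process (process events)
    share_name: str = ""   # ShareName field of a 5140-style event (share events)


# Constructed sample events: one actor ("svc_backup") reproduces the chain
# described in the summary; "alice" generates benign look-alike activity.
SAMPLE_EVENTS = [
    Event("process", "ws01", "svc_backup", r"C:\Windows\System32\certutil.exe",
          "certutil -urlcache -split -f https://www.example.com"),
    Event("process", "ws01", "svc_backup", r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 648 C:\Windows\Temp\lsass.dmp full"),
    Event("process", "ws01", "svc_backup", r"C:\Windows\System32\schtasks.exe",
          r'schtasks /create /tn "Updater" /tr C:\Windows\Temp\upd.exe /sc onlogon /ru SYSTEM'),
    Event("share", "srv02", "svc_backup", share_name=r"\\*\ADMIN$"),
    Event("process", "ws01", "alice", r"C:\Windows\System32\certutil.exe",
          "certutil -store My"),                       # benign certificate-store query
    Event("share", "srv02", "alice", share_name=r"\\*\Public"),  # benign share access
]


def comsvcs_lsass_dump(e: Event) -> bool:
    """rundll32 loading comsvcs.dll with its MiniDump export (LSASS dump)."""
    cl = e.cmdline.lower()
    return e.kind == "process" and "comsvcs.dll" in cl and "minidump" in cl


def certutil_execution(e: Event) -> bool:
    """certutil used to reach a URL (download or connectivity check), not every
    certutil invocation; plain certificate-store queries are left alone."""
    cl = e.cmdline.lower()
    return (e.kind == "process" and e.image.lower().endswith("certutil.exe")
            and ("urlcache" in cl or "http" in cl))


def schtasks_create_modify(e: Event) -> bool:
    """schtasks creating or changing a task (persistence)."""
    return (e.kind == "process" and e.image.lower().endswith("schtasks.exe")
            and re.search(r"[/-](create|change)\b", e.cmdline.lower()) is not None)


def admin_share_access(e: Event) -> bool:
    """Access to the ADMIN$ share (remote execution / lateral movement staging)."""
    return e.kind == "share" and e.share_name.upper().endswith("ADMIN$")


RULES = {
    "comsvcs.dll Lsass Memory Dump": comsvcs_lsass_dump,
    "Certutil Execution": certutil_execution,
    "Create/Modify Schtasks": schtasks_create_modify,
    "Windows Admin$ Share Access": admin_share_access,
}


def evaluate(events):
    """Return (host, user, rule_name) for every event that matches a rule."""
    return [(e.host, e.user, name)
            for e in events for name, rule in RULES.items() if rule(e)]


def scenario_matches(events, min_rules=3):
    """Users that triggered at least `min_rules` distinct use cases across any
    hosts: a crude stand-in for a multi-stage scenario correlation."""
    per_user = {}
    for _host, user, name in evaluate(events):
        per_user.setdefault(user, set()).add(name)
    return sorted(u for u, names in per_user.items() if len(names) >= min_rules)


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
    print("scenario candidates:", scenario_matches(SAMPLE_EVENTS))
```

The individual checks are deliberately narrow (certutil only when it touches a URL, ADMIN$ rather than any share) because each of these commands is common in legitimate administration; the value comes from the correlation step, where several low-fidelity hits from the same identity within a short window, as in the February 22 sequence described above, become a single high-confidence scenario. Real deployments would add a time window and resolve the ShareName and command-line fields from the actual Sysmon or Security event schema.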