April 12, 2022 HAWKEYE

Wiper Malware – What is it and How to Detect?

In the world of different malware types and strains, the most disruptive malware type besides ransomware might be Wiper malware. The original wiper malware was first seen back in 2012 but did not enter the spotlight until 2014 when Sony company was hit with this destructive strain.

The best classification of wiper is malware that is created with intent to erase data and lead to data and financial loss. Wiper malware does not have an end goal of stealing information or creating monetary gain.

Goal and Effects of Wiper Malware

The sole purpose of wiper malware is the destruction or wiping of data. There are slight variations between wiper malware strains in terms of how they achieve their goal, but they always have the same targets. Wiper malware seeks to erase all data from a computer/server drive, backup storage data and data in the system boot section.

The most common method used by wiper malware is data overwriting where random section of storage data is overwritten with random strings. The malware usually doesn’t overwrite entire disks of memory as it would take a long time to do so. Nonetheless, we have seen several new victims of wiper malware in recent months all targeting large government entities and corporations.

Wiping Process and Data Destruction

Technical analysis of most wiper malware reveals custom written applications that abuses partition management drivers to carry out the infection. Wipers gain access to the target filesystem via Windows API calls, by abusing the raw disk or by abusing other system drivers. From there, wiper malware usually deploys compressed resources of drivers with target OS version in mind. By exploiting drives malware can get access to physical drives and gather more information regarding its partitions. After physical drive enumeration, most wiper malware corrupts the first 512 bytes of the physical drives which is the Master Boot Record, which renders the system unbootable.

With disks overwritten and Master Boot Record corrupted, wiper malware may continue operating further to ensure the target system is completely inoperable. To do this, malware ensures any FAT and NTFS partitions are corrupted, and might even corrupt log files, common folders, and perform similar activity for any backups it has access to.

The entire process ensures to cause enough damage to the data so that it is unretrievable.

Recent Wiper Activity in Russia/Ukraine Conflict

Since Russia declared war on Ukraine on the grounds, a different kind of war started online. We have seen many cases of cyber-attacks as part of a larger cyberwar that is still ongoing. Multiple parties are involved targeting mostly Russian and Ukrainian infrastructure with DDOS attacks and wiper malware. Several strains have been identified that caused significant damage to both Russian and Ukrainian side with following strains verified by the CERT-UA, a Computer Emergency Response Team for Ukraine.

In late February, the first instance of wiper malware was detected targeting Ukrainian government systems named IsaacWiper. Several large vendors obtained the sample of the malware and concluded that the malware is written in C++ which creates a log file in “Program Data” and later enumerates all physical drives on the target system. After the malware checks the disk size and available space, it locks the drive and starts the overwriting activity using a pseudo random number generator. The malware ends up overwriting all physical drives, disk volumes and files it can get its hands on.

Following the initial IsaacWiper malware, several new malware-based attacks were confirmed targeting the Ukrainian government systems. Malware dubbed Cyclops Blink was detected being used to compromise network devices and later used to download additional executable files. It is suspected that the Cyclops blink malware could have been used as an initial way into the systems to later conduct attacks related to wiper malware.

Aside from the wave of malware attacks delivered using phishing methods, a new wiper malware was detected in the second week of March called RuRansom malware. Contrary to its name, the malware is not ransomware but rather a wiper malware targeting Russian based entities. The wiper was written in .NET language and propagates as a worm to all removable disks and network shares.

On March 14th, another more destructive form of wiper malware was detected targeting Ukrainian government systems and enterprises called Caddy wiper. The malware operates in a similar fashion as the previously seen wiper strains and aims at deleting user data, apps, hard drives and any information regarding partitions. An interesting detail that sets Caddy wiper apart from other strains is that it avoids any overwriting and deleting actions on domain controllers to maintain access to the environment.

Viasat Attack – Wiper Malware as a Suspect

In a recent attack on Viasat’s modems, a global provider of high-speed satellite broadband services, it was determined that the main suspect is likely a wiper malware believed to have acted via a supply chain attack. Although there are parties who have yet to agree that the wiper has caused the outage, the consequences of the attack mimic that of an Acid Rain malware wiper used to render modems and routers unusable. Since the attack was recent, there is yet more information to be released by Viasat to confirm the findings of external investigations.

We continue to see different strains of wiper malware all over the world, with a focus in Ukraine and Russia due to the current ongoing conflict. Since wiper malware doesn’t have financial gain as the end goal, it will most likely remain the main weapon in cyber warfare and not likely to be used by attackers in a day-to-day activity. Nonetheless, it remains one of the most disruptive malware attacks compromising the availability of systems and their use.

Get in touch and how we can help you stay resilient to destructive disk wiper and ransomware attacks.

, , , ,


We welcome you to contact us for more information
about HAWKEYE - SOC As A Service.