Understanding Today’s Malware HermeticWiper and PartyTicket
Cyberwarfare has become its own “battlefield” in today’s global conflicts. The ability to slow down communications between military resources, shut down entire systems, and prevent intelligence from being shared amongst departments can give even a relatively small military a leg up while impacting the physical battlefield.
With all that said, the recent Ukraine-Russia conflict has seen its share of intense cyberwarfare in the form of new and advanced malware. The two we’ll focus on are HermeticWiper and PartyTicket, both of which have targeted government agencies, financial institutions, and government contractors in Ukraine, Latvia, and Lithuania.
Though it seems that the attacks are irrelevant to the United States, they could, at any time, be easily deployed against businesses and governmental departments and cause catastrophic damage to our data resources and IT infrastructures. Therefore, it’s essential to understand the components of Today’s Malware campaigns and how you can protect yourself.
Starting at the top, HermeticWiper is malware built to corrupt New Technology File System (NTFS) and File Allocation Table (FAT) volumes. It was first seen on February 23rd, 2022, but evidence shows the campaign could have been in planning as far back as December 28th, 2021.
What makes this attack interesting is the way it is delivered. It generally starts with credential harvesting, using a malicious PowerShell command to acquire login data. A web shell is then installed, giving the attackers remote access to the victim’s server. Finally, for most victims, ransomware is delivered first as a distraction so the attackers can upload HermeticWiper “under the radar.”
Once executed, the wiper adjusts its own process token to acquire read and shutdown privileges. Depending on the Windows version, it later adds the load driver privilege, giving it broad administrative rights. With those privileges in hand, it walks every drive on the system, one at a time, writing “junk” data to corrupt them. Eventually the targeted file systems (NTFS and FAT) are tainted and the victim’s machine will not reboot.
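The privilege changes described above are visible to defenders. The following is an added example, not code from the original post or from any analysis of the samples: it reads constructed records shaped after Windows Security event 4703 (“A user right was adjusted”), aggregates the privileges each process enables, and alerts when a single unexpected binary ends up holding all of the rights the post describes. The privilege constants are real Windows names; treating the post’s “read” privilege as SeBackupPrivilege (raw read access to files and volumes) is an assumption, and the record layout and allow-list are constructed for the example.

```python
"""Alert when one process enables the token privileges a wiper needs.

Added example, not from the original post. Input records are constructed and
loosely mirror the fields of Windows Security event 4703.
"""
import re
from collections import defaultdict

# All three together let a process read raw volumes, load a driver and reboot
# the machine. Each alone is routine (backup agents, installers); the full set
# held by an unexpected binary is what we alert on. Mapping the post's "read"
# privilege to SeBackupPrivilege is an assumption.
WIPER_PRIVILEGES = {"SeBackupPrivilege", "SeLoadDriverPrivilege", "SeShutdownPrivilege"}

# Constructed allow-list of binaries expected to adjust these rights.
ALLOWED_PROCESSES = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\services.exe"}

# Constructed sample records, one per event. The fourth line shows a
# legitimate system process enabling the same set; the last is not a 4703.
SAMPLE_EVENTS = [
    r"EventID=4703 Subject=CORP\svc_backup Process=C:\Windows\System32\svchost.exe Enabled=SeBackupPrivilege Disabled=-",
    r"EventID=4703 Subject=CORP\jdoe Process=C:\Users\jdoe\AppData\Local\Temp\cc.exe Enabled=SeBackupPrivilege,SeShutdownPrivilege Disabled=-",
    r"EventID=4703 Subject=CORP\jdoe Process=C:\Users\jdoe\AppData\Local\Temp\cc.exe Enabled=SeLoadDriverPrivilege Disabled=-",
    r"EventID=4703 Subject=CORP\admin Process=C:\Windows\System32\services.exe Enabled=SeLoadDriverPrivilege,SeShutdownPrivilege,SeBackupPrivilege Disabled=-",
    r"EventID=4704 Subject=CORP\admin Message=A user right was assigned",
]

RECORD_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+Subject=(?P<subject>\S+)\s+Process=(?P<proc>\S+)\s+Enabled=(?P<enabled>\S+)"
)


def parse_event(line):
    """Return (subject, process, enabled_privileges) for a 4703 record, else None."""
    m = RECORD_RE.search(line)
    if m is None or m.group("id") != "4703":
        return None
    enabled = {p for p in m.group("enabled").split(",") if p and p != "-"}
    return m.group("subject"), m.group("proc"), enabled


def find_wiper_candidates(lines):
    """Aggregate enabled privileges per (subject, process) and return the offenders.

    Privileges are often enabled one call at a time, so the combination only
    shows up after merging every event for the same process.
    """
    per_process = defaultdict(set)
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        subject, proc, enabled = parsed
        per_process[(subject, proc)] |= enabled
    hits = []
    for (subject, proc), privs in per_process.items():
        if WIPER_PRIVILEGES <= privs and proc.lower() not in ALLOWED_PROCESSES:
            hits.append((subject, proc, sorted(privs)))
    return sorted(hits)


if __name__ == "__main__":
    for subject, proc, privs in find_wiper_candidates(SAMPLE_EVENTS):
        print(f"ALERT {subject} {proc} enabled {', '.join(privs)}")
```

Run against the constructed records, only the binary in the user’s Temp folder is reported: svchost.exe never collects the full set, and services.exe is excluded by the allow-list. In a real deployment the allow-list should be built from your own baseline rather than the two entries above.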
The motive for these attacks is purely destructive, with no financial rationale: the ransomware is just a decoy. The attackers simply want to destroy data and stop the victim’s devices from booting or operating correctly. While the circumstances and similar past tactics point to Russia as the culprit, officials have not been able to confirm anything at this time.
Next is the PartyTicket malware, which is closely associated with HermeticWiper because of the shared tactics and the common goal of data destruction. It was also first detected on February 23rd, 2022, and likewise uses ransomware as a decoy. In this case, however, the contact email address in the ransom note is listed as firstname.lastname@example.org, likely a reference to President Joe Biden and the 2024 election.
PartyTicket likewise cannot be pinned on any country or criminal organization. However, experts agree that this malware is poorly designed and is probably a diversion for the HermeticWiper attacks. Its deployment is virtually the same as that of HermeticWiper, since the two are so closely related.
Once delivered, the malware selects a handful of files to encrypt using a 32-character alphanumeric key. Because the AES key can be recovered, the files can easily be decrypted, one reason this malware appears unsophisticated. For every file on its list, the malware creates a copy of itself and hands that copy the next file to encrypt.
This slow deployment process and poor design further support the theory that the malware is not very advanced and exists only to distract victims from a far more destructive attack: HermeticWiper.
How to Protect Yourself From Today’s Malware
Because of the scope at which both of these malware families operate, one of the first steps to protect your organization is to update and patch your servers, particularly if you run a system vulnerable to these attacks such as Microsoft Exchange or Apache Tomcat. Consistent patching and updates should be applied to all applications and critical systems as soon as they are available.
To detect precursor activity, watch for malicious use of PowerShell commands, which attackers use to harvest user credentials. Additionally, focusing on detecting (and remediating) web shells on your network can prevent malware from being deployed from remote locations.
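Both precursors named above can be caught with simple heuristics. The following is an added example, not code from the original post or from any vendor product: it decodes PowerShell `-EncodedCommand` payloads so credential-related keywords hidden behind base64 become visible, and it flags server-side script files that pair request-controlled input with a command or code execution sink, the two halves every web shell needs. The command lines, file bodies, keyword lists and regular expressions are all constructed for this example and are a starting point to tune, not a complete signature set.

```python
"""Spot two precursors to wiper deployment: suspicious PowerShell and web shells.

Added example, not from the original post. Inputs are constructed: process
command lines as an EDR or Sysmon event would record them, and file bodies as
a scanner would read them from a web root.
"""
import base64
import re

# Constructed keyword list: terms that, once a command is decoded, point at
# credential access. Extend from your own detections.
CREDENTIAL_KEYWORDS = ("lsass", "sekurlsa", "Get-Credential", "MiniDump")

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (longest alias first).
ENCODED_FLAG_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or invalid."""
    m = ENCODED_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_powershell(cmdline):
    """Return the reasons a command line looks suspicious; an empty list means clean."""
    reasons = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command")
    # Keyword matching runs over the decoded text too, otherwise encoding hides it.
    text = cmdline if decoded is None else cmdline + " " + decoded
    for kw in CREDENTIAL_KEYWORDS:
        if kw.lower() in text.lower():
            reasons.append("credential keyword: " + kw)
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.IGNORECASE):
        reasons.append("hidden window")
    return reasons


# A web shell pairs (a) request-controlled input with (b) an execution sink.
WEBSHELL_INPUT_RE = re.compile(
    r"Request\s*(?:\.(?:Form|QueryString|Params)\s*)?\[|\$_(?:GET|POST|REQUEST)\b|getParameter\s*\("
)
WEBSHELL_SINK_RE = re.compile(
    r"\b(?:Process\.Start|ProcessStartInfo|Runtime\.getRuntime\(\)\.exec|eval|system|shell_exec|passthru)\s*\("
)
WEB_EXTENSIONS = (".aspx", ".asp", ".ashx", ".jsp", ".php")


def looks_like_webshell(path, body):
    """True when a server-side script both reads request input and reaches an execution sink."""
    if not path.lower().endswith(WEB_EXTENSIONS):
        return False
    return bool(WEBSHELL_INPUT_RE.search(body) and WEBSHELL_SINK_RE.search(body))


def encode_ps(script):
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command lines. The second hides a harmless lsass lookup behind
# encoding; nothing in the raw line mentions credentials until it is decoded.
SAMPLE_COMMANDS = [
    r"powershell.exe -File C:\Scripts\nightly-backup.ps1",
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + encode_ps(r"Get-Process lsass | Out-File C:\Users\Public\p.txt"),
    r"powershell.exe -Command Get-ChildItem C:\Logs",
]

# Constructed file bodies as read from a web root. The first is a non-runnable
# fragment that carries the shell pattern; the last has the words but is not a script.
SAMPLE_FILES = {
    r"C:\inetpub\wwwroot\help.aspx": '<%@ Page Language="C#" %> ... string c = Request["cmd"]; ... Process.Start(c) ...',
    r"C:\inetpub\wwwroot\Default.aspx": '<%@ Page Language="C#" %><html><body>Hello</body></html>',
    r"C:\inetpub\wwwroot\logo.png": "Request[ Process.Start(",
}


def scan(commands, files):
    """Run both checks and return {item: reasons} for everything that fired."""
    findings = {}
    for cmd in commands:
        reasons = classify_powershell(cmd)
        if reasons:
            findings[cmd] = reasons
    for path, body in files.items():
        if looks_like_webshell(path, body):
            findings[path] = ["web shell pattern"]
    return findings


if __name__ == "__main__":
    for item, reasons in scan(SAMPLE_COMMANDS, SAMPLE_FILES).items():
        print(item[:60], "->", ", ".join(reasons))
```

On the constructed input the scan reports exactly two items: the encoded, hidden-window PowerShell command (with the lsass keyword surfaced only after decoding) and the .aspx fragment. Encoded commands are common in legitimate automation, so in production the “encoded command” reason should raise severity rather than alert on its own, while the keyword and web shell hits deserve a look every time.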
Lastly, stay alert to events that could spark new malware, or variants of today’s malware, being created and deployed. Share this kind of information with your employees and continue security awareness training so they stay observant for anomalies and unusual events.
Stay Up-to-Date with Today’s Malware with Ascension Global Technology
Contact us today to speak to an expert and learn how you can protect yourself from wartime malware and other lingering threats. Be sure to also check in on our blog for updates on today’s cybersecurity news and content on constructing your organization’s cybersecurity program.