Malware can be tricky: HermeticWiper Hidden in Plain Sight
Malware can be tricky and disguise itself as a regular file used by legitimate programs. We recently had a client who wanted us to exclude an executable file from their EDR solution. Fortunately, our SOC team does not simply exclude whatever is requested; it performs research before completing the client’s request.
Be Careful what you Exclude from your EDR Solution.
While the analysis was being performed, our SOC received 25 alerts associated with the executable the client wanted to exclude. This many alerts threw up a red flag for us. We reached out to our client and asked whether this executable was being used on all 25 of those endpoints. The client advised us that he was only using it on 1 of the 25 machines. Our team strongly recommended not excluding that file until further investigation had been completed.
Malware can be Tricky.
After further review, the 25 alerts showed activity similar to that used by HermeticWiper. From SentinelOne’s article we learned that HermeticWiper can use the file empntdrv.sys to disguise its malware. This file is also used by EaseUS Partition Manager, so on its own it can seem harmless. However, HermeticWiper abuses this driver to do its dirty work: it uses the driver to access physical drives directly and read their partition information. This is why HermeticWiper is difficult to analyze.
HermeticWiper’s main function is to corrupt the first 512 bytes of the disk, the Master Boot Record (MBR). This leaves the device unable to boot into the OS. It doesn’t stop there. To add insult to injury, HermeticWiper continues to wipe all the partitions, not just the primary one. The malware also enumerates common folders (‘My Documents,’ ‘Desktop,’ ‘AppData’), references the registry (‘ntuser’), and the Windows Event Logs. It also modifies several registry keys, including setting the SYSTEM\CurrentControlSet\Control\CrashControl CrashDumpEnabled value to 0, effectively disabling crash dumps before the abused driver’s execution starts. It then waits on sleeping threads before initiating a system shutdown to launch its destructive process.
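The behaviours described above can be turned into a simple host-level correlation rule. The following is an added example written for this post, not code from BreachQuest or SentinelOne. It assumes Sysmon-style telemetry (EventID 13 for a registry value set, 6 for a driver load, 9 for raw access to a disk device) and correlates, per host, the CrashDumpEnabled value being set to 0, a load of the driver named in the post, and raw physical-drive access. The driver name is taken from the post as written; the event records, host names, paths and the 10-minute correlation window are constructed for the example.

```python
"""Correlate the HermeticWiper behaviour chain described in the post.

Added example, not code from the original post. Field names follow Sysmon
(EventID 13 RegistryEvent, 6 DriverLoad, 9 RawAccessRead); all records below
are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DRIVER_NAME = "empntdrv.sys"  # driver name as given in the post
CRASH_DUMP_KEY = r"\control\crashcontrol\crashdumpenabled"
WINDOW = timedelta(minutes=10)  # assumption: indicators must fall within 10 minutes

# Constructed sample telemetry: WS01 shows the full chain, WS02 looks like
# legitimate partition-manager use, WS03 has two indicators two hours apart.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2022-02-23T21:00:00", "event_id": 6,
     "image_loaded": r"C:\Windows\System32\drivers\empntdrv.sys"},
    {"host": "WS01", "time": "2022-02-23T21:01:30", "event_id": 13,
     "target_object": r"HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
     "details": "DWORD (0x00000000)"},
    {"host": "WS01", "time": "2022-02-23T21:03:00", "event_id": 9,
     "device": r"\Device\Harddisk0\DR0"},
    {"host": "WS02", "time": "2022-02-23T10:15:00", "event_id": 6,
     "image_loaded": r"C:\Program Files\PartitionTool\empntdrv.sys"},
    {"host": "WS03", "time": "2022-02-23T09:00:00", "event_id": 6,
     "image_loaded": r"C:\Windows\Temp\empntdrv.sys"},
    {"host": "WS03", "time": "2022-02-23T11:00:00", "event_id": 13,
     "target_object": r"HKLM\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
     "details": "DWORD (0x00000000)"},
]


def _ts(value):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.fromisoformat(value)


def indicator(event):
    """Map one event to an indicator name, or None if it is not of interest."""
    eid = event["event_id"]
    if eid == 13:  # registry value set
        target = event.get("target_object", "").lower()
        details = event.get("details", "").lower()
        if target.endswith(CRASH_DUMP_KEY) and details.endswith("(0x00000000)"):
            return "crashdump_disabled"
    elif eid == 6:  # driver loaded
        if event.get("image_loaded", "").lower().endswith("\\" + DRIVER_NAME):
            return "partition_driver_loaded"
    elif eid == 9:  # raw read of a disk device
        if "harddisk" in event.get("device", "").lower():
            return "raw_disk_access"
    return None


def correlate(events):
    """Return {host: largest set of distinct indicators seen within WINDOW}."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        name = indicator(ev)
        if name:
            per_host[ev["host"]].append((_ts(ev["time"]), name))
    result = {}
    for host, hits in per_host.items():
        best = set()
        for i, (start, _) in enumerate(hits):
            window = {name for t, name in hits[i:] if t - start <= WINDOW}
            if len(window) > len(best):
                best = window
        result[host] = best
    return result


def verdict(indicators):
    """Grade a host's indicator set; the full chain is what the post describes."""
    chain = {"crashdump_disabled", "partition_driver_loaded", "raw_disk_access"}
    if chain <= indicators:
        return "high: wiper behaviour chain"
    if "partition_driver_loaded" in indicators and len(indicators) >= 2:
        return "medium: driver abuse suspected"
    if indicators:
        return "low: single indicator, likely legitimate use"
    return "none"


def report(events):
    """Produce {host: verdict} for a batch of events."""
    return {host: verdict(ind) for host, ind in correlate(events).items()}


if __name__ == "__main__":
    for host, result in sorted(report(SAMPLE_EVENTS).items()):
        print(f"{host}: {result}")
```

A single driver load on its own (WS02) is what legitimate EaseUS use looks like and only rates low, which is the point of the client conversation above: the same file on 25 hosts, when the client uses it on one, is what separates the two cases. Tightening or widening WINDOW trades false negatives against false positives and should be tuned against the site's own telemetry.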
SentinelOne states that their customers are protected from this type of threat, and at this time, no action is needed. To sum it all up, rest assured that the vigilance and experience of the BreachQuest team will continue to protect our clients against threats like these.
As an experienced IT professional with over twenty-three years of experience, specializing in IT remediation and data systems recovery, Chris Pacenza serves as Associate Director of BreachQuest’s Recovery & Remediation (R&R) team. He is responsible for managing their industry-leading onsite and remote teams, which includes efficiently rebuilding and restoring a client’s digital environment after a cyber incident.