IsaacWiper, the third wiper spotted since the beginning of the Russian invasion

2 years ago 122
BOOK THIS SPACE FOR AD
ARTICLE AD

IsaacWiper, a new data wiper was used against an unnamed Ukrainian government network after Russia’s invasion of Ukraine.

ESET researchers uncovered a new data wiper, tracked as IsaacWiper, that was used against an unnamed Ukrainian government network after Russia’s invasion of Ukraine.

The wiper was first spotted on February 24 within an organization that was not infected with the HermeticWiper malware (aka KillDisk.NCV), which infected hundreds of machines in the country on February 23. According to cybersecurity firms ESET and Broadcom’s Symantec discovered, the infections followed the DDoS attacks against several Ukrainian websites, including Ministry of Foreign Affairs, Cabinet of Ministers, and Rada.

Breaking. #ESETResearch discovered a new data wiper malware used in Ukraine today. ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today 1/n

— ESET research (@ESETresearch) February 23, 2022

The researchers have yet to attribute IsaacWiper to a certain threat actor.

IsaacWiper

IsaacWiper was spotted in the form of either a Windows DLL or EXE with no Authenticode signature; 

The oldest PE compilation timestamp discovered by ESET is October 19th, 2021, a circumstance that suggests that the malware might have been used in previous operations months earlier without being detected.

IsaacWiper and HermeticWiper have no code similarities, the former is less sophisticated than the latter.

Once infected a system, IsaacWiper starts by enumerating the physical drives and calls DeviceIoControl with the IOCTL IOCTL_STORAGE_GET_DEVICE_NUMBER to get their device numbers. Then IsaacWiper wipes the first 0x10000 bytes of each disk using the ISAAC pseudorandom generator.

Then the malware enumerates the logical drives and wipes the content of each disk with random bytes also generated by the ISAAC PRNG. Experts pointed out that the malware recursively wipes the files in a single thread, but the process could be time-consuming for large disks.

ESET reported that threat actors on February 25 used the IsaacWiper version with debug logs.

Researchers speculate attackers were unable to wipe some of the targeted machines and used logs to determine which problem took place.

“At this point, we have no indication that other countries were targeted.” concludes the analysis published by ESET. “However, due to the current crisis in Ukraine, there is still a risk that the same threat actors will launch further campaigns against countries that back the Ukrainian government or that sanction Russian entities.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, IsaacWiper)

Read Entire Article