MAR-10376640-1.v1 – IsaacWiper and HermeticWizard

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Description

CISA received six files for analysis: five 32-bit Dynamic-link Library (DLL) files and one 32-bit executable file. These files have been identified as IsaacWiper and HermeticWizard. During analysis of HermeticWizard, another file was dropped and identified as HermeticWiper. The submitted files are designed to spread laterally through a network via Server Message Block (SMB) and Windows Management Instrumentation (WMI). These files attempt to overwrite the first 65536 bytes of data contained on the C:\ drive as well as any attached storage disks in order to render them useless to the victim user. The malware also creates a file and continuously writes to it until the disk runs out of free space and crashes. Upon reboot, the machine is no longer operable.

For a downloadable copy of IOCs, see: MAR-10376640-1.v1.stix.

Submitted Files (6)

13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033 (Cleaner.dll)

2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b (exec_x32.dll)

5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48 (romance.dll)

a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec (Wizard.dll)

abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f (Cleaner.dll)

afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a (Cleaner.exe)

5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48

Tags

backdoortrojanwiperworm

Details

Antivirus

YARA Rules

• rule CISA_10376640_02 : trojan wiper worm HERMETICWIZARD
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10376640"
  
         Date = "2022-03-12"
  
         Last_Modified = "20220413_1300"
  
         Actor = "n/a"
  
         Category = "Trojan Wiper Worm"
  
         Family = "HERMETICWIZARD"
  
         Description = "Detects Hermetic Wizard samples"
  
         MD5_1 = "0959bf541d52b6e2915420442bf44ce8"
  
         SHA256_1 = "5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48"
  
     strings:
  
         $s0 = { 70 00 69 00 70 00 65 00 5C 00 25 00 73 }
  
         $s1 = { 6E 00 6D 00 61 00 6E 00 73 00 65 00 72 00 76 }
  
         $s2 = { 73 61 6D 72 }
  
         $s3 = { 62 72 6F 77 73 65 72 }
  
         $s4 = { 6E 65 74 6C 6F 67 6F 6E }
  
         $s5 = { 6C 73 61 72 70 63 }
  
         $s6 = { 6E 74 73 76 63 73 }
  
         $s7 = { 73 76 63 63 74 6C }
  
         $s8 = { 73 74 61 72 74 20 63 6D 64 20 2F 63 20 22 70 69 6E 67 20 6C 6F 63 61 6C 68 6F 73 74 }
  
         $s9 = { 67 00 75 00 65 00 73 00 74 }
  
         $s10 = { 74 00 65 00 73 00 74 }
  
         $s11 = { 75 00 73 00 65 00 72 }
  
         $s12 = { 61 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F }
  
         $s13 = { 51 00 61 00 7A 00 31 00 32 00 33 }
  
         $s14 = { 51 00 77 00 65 00 72 00 74 00 79 00 31 00 32 }
  
         $s15 = { 63 6D 64 20 2F 63 20 73 74 61 72 74 20 72 65 67 }
  
     condition:
  
         all of them
  
  }

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This application is a 32-bit DLL and has been identified as HermeticWizard. A filename is generated for the malware using the string 'c%02X%02X%02X%02X%02X%02X', which will create a random set of 12 characters, 6 hex bytes beginning with 'c'. The purpose of the DLL is to spread to other machines over the SMB protocol to the Admin Share (IPC$). The malware attempts to authenticate through SMB using a set of hard-coded usernames and passwords.



--Begin Usernames--

guest

test

admin

user

root

administrator

manager

operator

--End Usernames--



--Begin Passwords--

123

Qaz123

Qwerty123

--End Passwords--



The malware is designed to use the command-line parameters below for execution:



--Begin command-line--

cmd /c start regsvr32.exe /s /i..\\<malicious DLL>

& start cmd /c "ping localhost -n 7 & wevtutil cl System

--End command-line--

Screenshots

2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b

Tags

backdoortrojanwiperworm

Details

Antivirus

YARA Rules

• rule CISA_10376640_03 : trojan wiper worm HERMETICWIZARD
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10376640"
  
         Date = "2022-03-13"
  
         Last_Modified = "20220413_1300"
  
         Actor = "n/a"
  
         Category = "Trojan Wiper Worm"
  
         Family = "HERMETICWIZARD"
  
         Description = "Detects Hermetic Wizard samples"
  
         MD5_1 = "58d71fff346017cf8311120c69c9946a"
  
         SHA256_1 = "2d29f9ca1d9089ba0399661bb34ba2fd8aba117f04678cd71856d5894aa7150b"
  
     strings:
  
         $s0 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
  
         $s1 = { 5C 00 5C 00 25 00 73 00 5C 00 70 00 69 00 70 00 65 00 5C 00 25 00 73 }
  
         $s2 = { 64 00 6C 00 6C 00 00 00 2D 00 69 }
  
         $s3 = { 2D 00 68 00 00 00 00 00 2D 00 73 }
  
         $s4 = { 2D 00 63 00 00 00 00 00 2D 00 61 }
  
         $s5 = { 43 6F 6D 6D 61 6E 64 4C 69 6E 65 54 6F 41 72 67 76 57 }
  
     condition:
  
         all of them
  
  }

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This is a 32-bit DLL file. This DLL spreads laterally through the network via the WMI protocol. The malware copies a file over to the target machine for execution. This copied filename is generated using the string 'c%02X%02X%02X%02X%02X%02X' which will create a random set of 12 characters, 6 hex bytes beginning with 'c'. The copied file has been identified as HermeticWizard. The malware identifies a running process with a desired authority and uses the token for impersonation to create a new process and service to launch the copied file.



--Begin command-line--

cmd /c start

regsvr32.exe /s /i <malicious DLL path>

--End command-line--

Screenshots

a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec

Tags

backdoortrojanworm

Details

Antivirus

YARA Rules

• rule CISA_10376640_05 : trojan wiper worm HERMETICWIZARD
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10376640"
  
         Date = "2022-04-14"
  
         Last_Modified = "20220414_1037"
  
         Actor = "n/a"
  
         Category = "Trojan Wiper Worm"
  
         Family = "HERMETICWIZARD"
  
         Description = "Detects Hermetic Wizard samples"
  
         MD5_1 = "517d2b385b846d6ea13b75b8adceb061"
  
         SHA256 = "a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec"
  
     strings:
  
         $s0 = { 57 69 7A 61 72 64 2E 64 6C 6C }
  
         $s1 = { 69 6E 66 6C 61 74 65 }
  
         $s2 = { 4D 61 72 6B 20 41 64 6C 65 72 }
  
     condition:
  
         all of them and filesize < 2000KB
  
  }

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Relationships

Description

This is a 32-bit DLL and has been identified as HermeticWizard. The original filename for the DLL is Wizard.dll. It is designed to use the command-line parameters below for execution:



--Begin command-line--

regsvr32.exe /s /i <malicious DLL path>

--End command-line--



The application contains three 32-bit encrypted binaries that are decrypted and installed into the current directory at runtime.



--Begin files--

%current directory%\exec_x32.dll

%current directory%\romance.dll

%current directory%\<6 randomly generated alphanumerical characters>.ocx

--End files--



At runtime, it attempts to detect all active hosts on the victim's network. It is capable of moving laterally across the network by actively scanning ranges of reachable IP version 4 addresses and ports. It is designed to create and connect to multiple name pipes.



Displayed below are the list of port numbers it attempts to connect to.



--Begin port numbers--

20

21

22

80

135

137

139

443

445

--End port numbers--



Once an active host (system) is found, it attempts to execute the command-line below to move to the reachable machine:



--Begin command--

"C:\Windows\System32\rundll32.exe %current directory%\<6 randomly generated alphanumerical characters>.ocx #1 -s <path to Wizard.dll> – i <reachable system IP address>"

--End command--



It executes the file <6 randomly generated alphanumerical characters>.ocx binary to wipe the drive. This OLE Control Extension (OCX) file has been identified as HermeticWiper. The SHA256 of the OCX file is 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da. Note: Analysis of this file is included in MAR-10375867.r1.v1.WHITE.

Screenshots

abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f

Tags

trojan

Details

Antivirus

YARA Rules

• rule CISA_10376640_01 : trojan wiper ISAACWIPER
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10376640"
  
         Date = "2022-03-14"
  
         Last_Modified = "20220418_1900"
  
         Actor = "n/a"
  
         Category = "Trojan Wiper"
  
         Family = "ISAACWIPER"
  
         Description = "Detects ISACC Wiper samples"
  
         MD5_1 = "aa98b92e3320af7a1639de1bac6c17cc"
  
         SHA256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f"
  
         MD5_2 = "8061889aaebd955ba6fb493abe7a4de1"
  
         SHA256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a"
  
         MD5_3 = "ecce8845921a91854ab34bff2623151e"
  
         SHA256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
  
     strings:
  
         $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6E 00 67 }
  
         $s1 = { 6C 00 6F 00 67 00 69 00 63 00 61 00 6C }
  
         $s2 = { 46 00 41 00 49 00 4C 00 45 00 44 }
  
         $s3 = { 5C 00 6C 00 6F 00 67 00 2E 00 74 00 78 00 74 }
  
         $s4 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
  
         $s5 = {53 74 61 72 74 40 34}
  
         $s6 = {3B 57 34 74 2D 6A}
  
         $s7 = {43 6C 65 61 6E 65 72 2E}
  
     condition:
  
         all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7)
  
  }

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Description

Cleaner.dll is a 32-bit DLL which has been identified as a variant of the IsaacWiper. It attempts to overwrite the first 65536 bytes of data on the C:\ drive and on attached storage disks in order to render them useless to the victim user. The malware also overwrites the victim user's files so they cannot be recovered. The data used to overwrite the disk drives and user files is random data that is generated via the Mersenne Twister algorithm.



Cleaner.dll also attempts to create a directory in the root directory of attached storage disks. The malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the Mersenne Twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. The name of the folder created will begin with the letters "Tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. The filename created will begin with the letters "Tmf" and the remaining part of the filename will be randomly generated alphanumerical characters.

Displayed below is the format of the file installed:



--Begin file--

Filename: "C:\'Tmd[4 randomly generated characters]\Tmf[4 randomly generated alphanumerical characters].tmp"

Sample: "C:\Tmd21D9.tmp\Tmf1E9E.tmp"

--End file--



Analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine.

Screenshots

afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a

Tags

trojan

Details

Antivirus

YARA Rules

• rule CISA_10376640_01 : trojan wiper ISAACWIPER
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10376640"
  
         Date = "2022-03-14"
  
         Last_Modified = "20220418_1900"
  
         Actor = "n/a"
  
         Category = "Trojan Wiper"
  
         Family = "ISAACWIPER"
  
         Description = "Detects ISACC Wiper samples"
  
         MD5_1 = "aa98b92e3320af7a1639de1bac6c17cc"
  
         SHA256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f"
  
         MD5_2 = "8061889aaebd955ba6fb493abe7a4de1"
  
         SHA256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a"
  
         MD5_3 = "ecce8845921a91854ab34bff2623151e"
  
         SHA256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
  
     strings:
  
         $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6E 00 67 }
  
         $s1 = { 6C 00 6F 00 67 00 69 00 63 00 61 00 6C }
  
         $s2 = { 46 00 41 00 49 00 4C 00 45 00 44 }
  
         $s3 = { 5C 00 6C 00 6F 00 67 00 2E 00 74 00 78 00 74 }
  
         $s4 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
  
         $s5 = {53 74 61 72 74 40 34}
  
         $s6 = {3B 57 34 74 2D 6A}
  
         $s7 = {43 6C 65 61 6E 65 72 2E}
  
     condition:
  
         all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7)
  
  }

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Description

Cleaner.exe is a 32-bit executable file (EXE) which has been identified as another variant of the IsaacWiper. It can be executed immediately or has a sleep function for 15 minutes. When executed, it attempts to overwrite the first 65536 bytes of data contained on the C:\ drive and on attached storage disks in order to render them useless to the victim user. The malware also overwrites the victim user's files so they cannot be recovered. The data used to overwrite the disk drives and user files is random data that is generated via the Mersenne Twister algorithm.



Cleaner.exe also attempts to create a directory in the root directory of attached storage disks. The malware will then create a file within this newly created directory and attempt to fill it with random data, generated via the Mersenne Twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. The name of the folder created will begin with the letters "Tmd" and the remaining part of the folder name will be randomly generated alphanumerical characters. The filename created will begin with the letters "Tmf" and the remaining part of the filename will be randomly generated alphanumerical characters.

Displayed below is the format of the file installed:



--Begin file--

Filename: "C:\'Tmd[4 randomly generated characters]\Tmf[4 randomly generated alphanumerical characters].tmp"

Sample: "C:\Tmd21D9.tmp\Tmf1E9E.tmp"

--End file--



Analysis indicates that the application fails to execute if the above tmp file already exists on the victim's machine.

Screenshots

13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033

Tags

backdoortrojanviruswiper

Details

Antivirus

YARA Rules

• rule CISA_10376640_01 : trojan wiper ISAACWIPER
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10376640"
  
         Date = "2022-03-14"
  
         Last_Modified = "20220418_1900"
  
         Actor = "n/a"
  
         Category = "Trojan Wiper"
  
         Family = "ISAACWIPER"
  
         Description = "Detects ISACC Wiper samples"
  
         MD5_1 = "aa98b92e3320af7a1639de1bac6c17cc"
  
         SHA256_1 = "abf9adf2c2c21c1e8bd69975dfccb5ca53060d8e1e7271a5e9ef3b56a7e54d9f"
  
         MD5_2 = "8061889aaebd955ba6fb493abe7a4de1"
  
         SHA256_2 = "afe1f2768e57573757039a40ac40f3c7471bb084599613b3402b1e9958e0d27a"
  
         MD5_3 = "ecce8845921a91854ab34bff2623151e"
  
         SHA256_3 = "13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033"
  
     strings:
  
         $s0 = { 73 00 74 00 61 00 72 00 74 00 20 00 65 00 72 00 61 00 73 00 69 00 6E 00 67 }
  
         $s1 = { 6C 00 6F 00 67 00 69 00 63 00 61 00 6C }
  
         $s2 = { 46 00 41 00 49 00 4C 00 45 00 44 }
  
         $s3 = { 5C 00 6C 00 6F 00 67 00 2E 00 74 00 78 00 74 }
  
         $s4 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }
  
         $s5 = {53 74 61 72 74 40 34}
  
         $s6 = {3B 57 34 74 2D 6A}
  
         $s7 = {43 6C 65 61 6E 65 72 2E}
  
     condition:
  
         all of ($s0,$s1,$s2,$s3,$s4) or all of ($s5,$s6,$s7)
  
  }

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Packers/Compilers/Cryptors

Description

This application is a 32-bit DLL which has been identified as another variant of the IsaacWiper. It attempts to overwrite the first 65536 bytes of data on the C:\ drive and on attached storage disks in order to render them useless to the victim user. The malware also overwrites the victim user's files so they cannot be recovered. The data used to overwrite the disk drives and user files is random encrypted data that is generated via the Mersenne Twister algorithm.



The malware also attempts to create a directory in the root directory of attached storage disks. The malware will then create a file within this newly created directory and attempt to fill it with random encrypted data, generated via the Mersenne Twister algorithm, in an effort to fill the drive up as another destructive method of rendering the storage device unusable to the victim user. The name of the folder created will begin with the letters "Tmd" and the remaining part of the folder name will be random. The filename created will begin with the letters "Tmf" and the remaining part of the folder name will be random.



This malware creates a log file in the location C:\ProgramData\log.txt. This file logs the malware's process of systematically corrupting the victim user storage disks. Illustrated below is sample data the malware recorded to its log file during runtime:



--Begin log.txt Data--



getting drives...



physical drives:

-- system physical drive 0: PhysicalDrive0



logical drives:

-- system logical drive: C:

-- logical drive: D:



start erasing system physical drive...



system physical drive -- FAILED

start erasing system logical drive C:



--End log.txt Data--

Screenshots

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
• Monitor users' web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

• 1-888-282-0870
• CISA Central (UNCLASS)
• CISA SIPR (SIPRNET)
• CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Central.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

• Web: https://malware.us-cert.gov
• E-Mail: submit@malware.us-cert.gov
• FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.