Cisco Talos has uncovered a sophisticated and destructive cyberattack targeting a critical infrastructure entity in Ukraine, deploying a previously unknown wiper malware dubbed "PathWiper."
The attack, attributed with high confidence to a Russia-nexus advanced persistent threat (APT) actor, demonstrates the persistent and evolving threat to Ukrainian critical infrastructure amid the ongoing Russia-Ukraine conflict.
The attackers abused a legitimate endpoint management framework, most likely gaining access to its administrative console to issue malicious commands and deploy PathWiper across connected endpoints.
This approach demonstrates a deep understanding of the victim's environment and the administrative tools used within it, highlighting the calculated and insidious nature of the campaign.
A Destructive Attack on Ukrainian Infrastructure
The tactics, techniques, and procedures (TTPs) observed in this attack, together with the wiper's capabilities, bear striking similarities to earlier destructive malware campaigns targeting Ukrainian entities, further supporting the attribution to Russian-aligned threat actors.
The attack's execution relied on a multi-stage process designed to blend in with legitimate operations.
Commands issued from the compromised administrative console were received by endpoint clients and executed as batch (BAT) files, with command lines partially mimicking those of Impacket, though not necessarily indicating its presence.
These BAT files launched a malicious VBScript named 'uacinstall.vbs', which was pushed to endpoints via the console and executed using WScript.exe.
This script, in turn, deployed the PathWiper executable, disguised as 'sha256sum.exe', to wreak havoc on the system.
The use of filenames and actions mimicking the administrative utility's expected behavior suggests that the attackers had prior knowledge of the console's functionality within the targeted enterprise, enabling them to operate covertly.
PathWiper's Sophisticated Deployment
Once activated, PathWiper exhibits devastating capabilities aimed at rendering systems inoperable.
It systematically gathers information on connected storage media, including physical drive names, volume paths, and network-shared drive locations, even querying registry keys to identify removed network drive paths for destruction.
The malware spawns individual threads for each drive and volume, overwriting critical file system artifacts such as the Master Boot Record (MBR), $MFT, $LogFile, and other NTFS structures with randomly generated data.
Unlike earlier wipers such as HermeticWiper, which targeted Ukrainian entities in 2022 and is linked to Russia's Sandworm group, PathWiper employs a more refined approach by programmatically identifying and verifying connected drives rather than blindly enumerating them.
According to the report, this precision, combined with efforts to dismount volumes using the FSCTL_DISMOUNT_VOLUME IOCTL, underscores the malware's advanced design for maximum disruption.
While sharing semantic similarities with HermeticWiper in corrupting core disk structures, PathWiper's nuanced targeting of verified drives sets it apart as a formidable evolution in wiper malware technology.
The broader implications of this attack are alarming, as the continued development of wiper variants like PathWiper signals an unrelenting focus on crippling Ukrainian infrastructure.
Organizations in the region, and beyond, must prioritize robust endpoint security, administrative access controls, and threat monitoring to mitigate such threats.
Cisco Talos's findings serve as a critical reminder of the high-stakes cyber warfare landscape and the urgent need for vigilance against state-sponsored APT actors.
Indicators of Compromise (IOCs)
| Indicator | Type |
|---|---|
| 7C792A2B005B240D30A6E22EF98B991744856F9AB55C74DF220F32FE0D00B6B3 | File Hash (SHA-256) |
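The deployment chain described earlier (a BAT file launching 'uacinstall.vbs' under WScript.exe, which drops PathWiper as 'sha256sum.exe') and the SHA-256 hash in the IOC table translate directly into endpoint detection rules. The script below is an added example and is not Cisco Talos's code or tooling: it runs four checks over constructed, Sysmon-like process-creation and raw-device-access events. The event field names, the sample events, the allowlist of processes permitted to open raw disk devices, and the raw-device-access heuristic itself (overwriting the MBR and NTFS metadata requires opening the physical disk or volume device directly) are assumptions; only the hash comes from the article.

```python
"""Detection checks for the PathWiper deployment chain (added example, not Talos code).

Events are plain dicts with a constructed, Sysmon-like layout; the field
names ("type", "image", "cmdline", "parent_image", "hash", "target") are an
assumption, not a real telemetry schema.
"""
import ntpath
import re

# SHA-256 of the PathWiper sample from the article's IOC table (lower-cased for comparison).
PATHWIPER_SHA256 = "7c792a2b005b240d30a6e22ef98b991744856f9ab55c74df220f32fe0d00b6b3"

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Processes allowed to open raw disk/volume devices; an assumption to tune per environment.
RAW_DEVICE_ALLOWLIST = {"system", "svchost.exe"}
# Matches \\.\PhysicalDriveN and \\.\C: style device paths.
RAW_DEVICE_RE = re.compile(r"^\\\\\.\\(PhysicalDrive\d+|[A-Za-z]:)$")

# Constructed sample telemetry modelled on the chain described in the article.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Temp\deploy.bat",
     "parent_image": r"C:\Program Files\EPMAgent\agent.exe", "hash": "0" * 64},
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Temp\uacinstall.vbs",
     "parent_image": r"C:\Windows\System32\cmd.exe", "hash": "1" * 64},
    {"type": "process_create", "image": r"C:\Temp\sha256sum.exe", "cmdline": "sha256sum.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe", "hash": PATHWIPER_SHA256},
    {"type": "raw_access", "image": r"C:\Temp\sha256sum.exe", "target": r"\\.\PhysicalDrive0"},
    {"type": "raw_access", "image": r"C:\Windows\System32\svchost.exe", "target": r"\\.\C:"},
    # A genuine sha256sum.exe (e.g. from Git for Windows) run from a shell: must not fire.
    {"type": "process_create", "image": r"C:\Program Files\Git\usr\bin\sha256sum.exe",
     "cmdline": "sha256sum.exe image.iso",
     "parent_image": r"C:\Windows\System32\cmd.exe", "hash": "2" * 64},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list:
    """Return (rule_name, detail) tuples for every rule the event triggers."""
    findings = []
    image = basename(ev.get("image", ""))
    if ev.get("type") == "process_create":
        # Rule 1: exact match on the published sample hash.
        if ev.get("hash", "").lower() == PATHWIPER_SHA256:
            findings.append(("KNOWN_PATHWIPER_HASH", ev["image"]))
        # Rule 2: a script host executing the named VBScript.
        cmd = ev.get("cmdline", "").lower()
        if image in SCRIPT_HOSTS and "uacinstall.vbs" in cmd:
            findings.append(("UACINSTALL_VBS", ev["cmdline"]))
        # Rule 3: sha256sum.exe spawned by a script host (the real tool is not launched that way).
        parent = basename(ev.get("parent_image", ""))
        if image == "sha256sum.exe" and parent in SCRIPT_HOSTS:
            findings.append(("SHA256SUM_FROM_SCRIPT_HOST", f"{parent} -> {ev['image']}"))
    elif ev.get("type") == "raw_access":
        # Rule 4: non-allowlisted process opening a raw disk or volume device.
        target = ev.get("target", "")
        if RAW_DEVICE_RE.match(target) and image not in RAW_DEVICE_ALLOWLIST:
            findings.append(("RAW_DISK_ACCESS", f"{ev['image']} opened {target}"))
    return findings


def scan(events) -> list:
    """Run every check over a sequence of events, preserving event order."""
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


def rule_names(events) -> list:
    """Just the rule names, in firing order, for quick comparison."""
    return [name for name, _ in scan(events)]


if __name__ == "__main__":
    for name, detail in scan(SAMPLE_EVENTS):
        print(f"{name}: {detail}")
```

The hash rule is the narrowest and will miss any rebuilt sample; the behavioural rules (script host launching the VBScript, sha256sum.exe under a script host, raw device opens) survive recompilation and are the ones worth keeping after the hash stops matching. The allowlist for raw device access needs tuning, since backup agents and disk utilities legitimately open `\\.\PhysicalDriveN`.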