(ESET) A custom worm that we have named HermeticWizard was used to spread {{HermeticWiper}} across the compromised networks via SMB and WMI.
2022-10-24 by Alexander Adamov from YouTube (Virus Bulletin)
2022-04-07 by Will MacArthur from InQuest
2022-03-14 by GReAT from Kaspersky
2022-03-12 by ET Labs from Twitter (@ET_Labs)
2022-03-10 by Costin Raiu from BrightTALK (Kaspersky GReAT)
2022-03-09 by Silas Cutler from Twitter (@silascutler)
Tool: HermeticWizard
Names: HermeticWizard
Description: (ESET) A custom worm that we have named HermeticWizard was used to spread {{HermeticWiper}} across the compromised networks via SMB and WMI.
Category: Malware
Type: Worm
Information: https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
Mitre-attack: https://attack.mitre.org/software/S0698/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.hermeticwizard
Last-card-change: 2022-12-30
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Description |
---|---|---|
Execution (TA0002) | T1059.003 Command and Scripting Interpreter: Windows Command Shell | HermeticWizard can use cmd.exe for execution on compromised hosts. |
Execution (TA0002) | T1559.001 Inter-Process Communication: Component Object Model | HermeticWizard can execute files on remote machines using DCOM. |
Execution (TA0002) | T1569.002 System Services: Service Execution | HermeticWizard can use OpenRemoteServiceManager to create a service. |
Execution (TA0002) | T1047 Windows Management Instrumentation | HermeticWizard can use WMI to create a new process on a remote machine via `c:\windows\system32\cmd.exe /c start c:\windows\system32\regsvr32.exe /s /i c:\windows\<filename>.dll`. |
Defense Evasion (TA0005) | T1070.001 Indicator Removal: Clear Windows Event Logs | HermeticWizard has the ability to use `wevtutil cl system` to clear event logs. |
Defense Evasion (TA0005) | T1036.005 Masquerading: Match Legitimate Name or Location | HermeticWizard has been named exec_32.dll to mimic a legitimate MS Outlook .dll. |
Defense Evasion (TA0005) | T1027 Obfuscated Files or Information | HermeticWizard has the ability to encrypt PE files with a reverse XOR loop. |
Defense Evasion (TA0005) | T1553.002 Subvert Trust Controls: Code Signing | HermeticWizard has been signed by valid certificates assigned to Hermetica Digital. |
Defense Evasion (TA0005) | T1218.010 System Binary Proxy Execution: Regsvr32 | HermeticWizard has used `regsvr32.exe /s /i` to execute malicious payloads. |
Defense Evasion (TA0005) | T1218.011 System Binary Proxy Execution: Rundll32 | HermeticWizard has the ability to create a new process using rundll32. |
Credential Access (TA0006) | T1110.001 Brute Force: Password Guessing | HermeticWizard can use a list of hardcoded credentials in an attempt to authenticate to SMB shares. |
Discovery (TA0007) | T1046 Network Service Discovery | HermeticWizard has the ability to scan ports on a compromised network. |
Discovery (TA0007) | T1018 Remote System Discovery | HermeticWizard can find machines on the local network by gathering known local IP addresses through DnsGetCacheDataTable, GetIpNetTable, WNetOpenEnumW(RESOURCE_GLOBALNET, RESOURCETYPE_ANY), NetServerEnum, GetTcpTable, and GetAdaptersAddresses. |
Lateral Movement (TA0008) | T1021.002 Remote Services: SMB/Windows Admin Shares | HermeticWizard can use a list of hardcoded credentials to authenticate via NTLMSSP to the SMB shares on remote systems. |