IsaacWiper, the third wiper spotted since the beginning of the Russian invasion

Malware Symbiote Malware

IsaacWiper, a new Russian data wiper

The wiper was first spotted on February 24 within an organization that was not infected with the HermeticWiper malware (aka KillDisk.NCV), which infected hundreds of machines in the country on February 23. According to cybersecurity firms ESET and Broadcom’s Symantec discovered, the infections followed the DDoS attacks against several Ukrainian websites, including Ministry of Foreign Affairs, Cabinet of Ministers, and Rada.

Breaking. #ESETResearch discovered a new data wiper malware used in Ukraine today. ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today 1/n— ESET research (@ESETresearch) February 23, 2022The researchers have yet to attribute IsaacWiper to a certain threat actor.The first sample of the wiper was observed by ESET yesterday around 14h52 UTC (16h52 local time), but more interesting is the PE compilation timestamp of one of the samples which is 2021-12-28, suggesting that the cyber attack might have been in preparation for almost two months.

IsaacWiper looks like Windows DLL or EXE with no Authenticode signature

The oldest PE compilation timestamp discovered by ESET is October 19th, 2021, a circumstance that suggests that the malware might have been used in previous operations months earlier without being detected.

IsaacWiper and HermeticWiper have no code similarities, the former is less sophisticated than the latter.

Once infected a system, IsaacWiper starts by enumerating the physical drives and calls DeviceIoControl with the IOCTL IOCTL_STORAGE_GET_DEVICE_NUMBER to get their device numbers. Then IsaacWiper wipes the first 0x10000 bytes of each disk using the ISAAC pseudorandom generator.

Then the malware enumerates the logical drives and wipes the content of each disk with random bytes also generated by the ISAAC PRNG. Experts pointed out that the malware recursively wipes the files in a single thread, but the process could be time-consuming for large disks.

ESET reported that threat actors on February 25 used the IsaacWiper version with debug logs.

Researchers speculate attackers were unable to wipe some of the targeted machines and used logs to determine which problem took place.

“At this point, we have no indication that other countries were targeted.” concludes the analysis published by ESET. “However, due to the current crisis in Ukraine, there is still a risk that the same threat actors will launch further campaigns against countries that back the Ukrainian government or that sanction Russian entities.”

The post IsaacWiper, the third wiper spotted since the beginning of the Russian invasion appeared first on Security Affairs.