Russia uses 3 new malware for cyber warfare against Ukraine: They are IsaacWiper, HermeticWizard and HermeticRansom
Russia’s cyber warfare against Ukraine is using three new “weapons”: the IsaacWiper, HermeticWizard and HermeticRansom malware, as reported by the CSIRT-Italia cybersecurity experts. The first, also known as Lasainraw, is distributed as “.EXE” files or “.DLL” libraries and is typically stored in “%programdata%” or “C:\Windows\System32”. Its main characteristics are that it enumerates the physical drives present on the system, wipes the first 0x10000 bytes of each detected physical disk using the “ISAAC” pseudorandom generator, and then enumerates the logical drives and recursively destroys the files they contain by overwriting them with random bytes produced by the “ISAAC PRNG” algorithm. The second, aka Foxblade, is a worm distributed as a “.DLL” file named “Wizard.dll”, whose main task is to spread HermeticWiper via the “regsvr32.exe /s /i <dll_path>” command line. Its main characteristics are that it finds the IPs of the machines present on the local network and tries to connect to the detected IPs over TCP on a series of ports in order to distribute the “wiper” via the WMI or SMB protocols.
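The regsvr32 launch pattern described above is something a defender can look for in process-creation telemetry. The following is an added example, not code from the article or from CSIRT-Italia: it scans Sysmon-style process-creation events for regsvr32.exe invoked with the /i (DllInstall) switch and rates the finding higher when the loaded DLL sits in one of the drop directories the article names. The event field names (Image, CommandLine, ParentImage) follow Sysmon Event ID 1 conventions, and the sample events are constructed for illustration; the file names in them are not indicators from the article.

```python
"""Flag regsvr32.exe /s /i <dll_path> launches in process-creation events.

Added detection example; assumes Sysmon Event ID 1 style dicts with the
fields Image, CommandLine and ParentImage. Sample events are constructed.
"""
import re

# Drop directories named in the article for the wiper components (compared
# case-insensitively against the start of the DLL path).
SUSPECT_DIRS = ("%programdata%", r"c:\programdata", r"c:\windows\system32")

# Extract the DLL path from a command line: a drive-letter path (spaces
# allowed, e.g. "C:\Program Files\..."), an %ENV%-rooted path, or a bare token.
DLL_PATH_RE = re.compile(
    r'([A-Za-z]:\\[^"]*?\.dll|%\w+%\\[^"]*?\.dll|[^\s"]+\.dll)', re.IGNORECASE
)

# Constructed sample telemetry (hypothetical file names, not article IoCs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /i C:\ProgramData\Wizard.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\legit.dll",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /i C:\Users\alice\AppData\Local\Temp\update.dll",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]


def analyze_event(event):
    """Return a finding dict for a suspicious regsvr32 launch, else None."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if not image.lower().endswith("regsvr32.exe"):
        return None
    tokens = cmd.split()
    # /i makes regsvr32 call DllInstall; plain /s registration is common and benign.
    if not any(t.lower().startswith(("/i", "-i")) for t in tokens):
        return None
    silent = any(t.lower() in ("/s", "-s") for t in tokens)
    match = DLL_PATH_RE.search(cmd)
    dll = match.group(1) if match else ""
    in_suspect_dir = any(dll.lower().startswith(d) for d in SUSPECT_DIRS)
    return {
        "dll": dll,
        "silent": silent,
        "parent": event.get("ParentImage", ""),
        # DLL in a directory the article associates with the wiper: rate higher.
        "severity": "high" if in_suspect_dir else "medium",
        "command": cmd,
    }


def scan(events):
    """Run analyze_event over an iterable of events and collect the findings."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] dll={finding['dll']} "
              f"silent={finding['silent']} parent={finding['parent']}")
```

The parent process is carried along in each finding because, given the article's description of WMI- and SMB-based spreading, a regsvr32 launch whose parent is a WMI provider host or a service process is worth looking at more closely than one launched from an interactive shell.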
HermeticRansom is ransomware written in Go and distributed via .exe files
The third malware used in Russia’s cyber warfare against Ukraine, HermeticRansom, also known as SonicVote, is written in Go and is distributed via the files cc2.exe, com.exe and cpin.exe. Moreover, strings referring to the United States have been identified within the malicious code. At the end of the encryption process, the ransomware drops a ransom note asking the victim to contact the attackers by email to obtain instructions for decrypting the files.