ESET details new IsaacWiper malware used on Ukraine

Malware experts at ESET have shared details of a second new wiper malware that was used in a cyber attack against an undisclosed organisation in Ukraine as the Russian invasion unfolded late last week.

IsaacWiper first appeared in ESET’s telemetry on 24 February and was used on Friday 25 February against an undisclosed government network in Ukraine. The attackers leveraged RemCom, a remote access took, and Impacket for lateral movement within the network. The oldest portable executable (PE) compilation timestamp associated with it was 19 October 2021, which suggests it may have been used in other operations.

Later, on 26 February, IsaacWiper’s operator dropped a new version incorporating debug logs, which ESET threat research head Jean-Ian Boutin said may be an indication that the initial attack failed to wipe some of the targeted machines, and the operators wanted to understand why it had failed.

Boutin and his team declined to attribute IsaacWiper to any known actor as it lacks code similarity to other known malware samples.

However, its use follows a series of cyber attacks beginning on 23 February, immediately prior to the Russian invasion, using a similarly destructive wiper malware called HermeticWiper – with a PE compilation timestamp of 28 December 2021 – that was deployed against targets in Ukraine.

Again, it is unclear if there is any link between the two malwares – what is known is that IsaacWiper is much less sophisticated than HermeticWiper.

“With regard to IsaacWiper, we are currently assessing its links, if any, with HermeticWiper. It is important to note that it was seen in a Ukrainian governmental organisation that was not affected by HermeticWiper,” said Boutin.

“This is based on several facts: the HermeticWiper PE compilation timestamps, the oldest being December 28, 2021; the code-signing certificate issue date of April 13, 2021; and the deployment of HermeticWiper through the default domain policy in at least one instance, suggesting the attackers had prior access to one of that victim’s Active Directory servers.”

Bearing distinct similarities to the WhisperGate malware used against Ukraine in recent weeks, HermeticWiper was naturally swiftly linked to Russian threat actors. It contains three distinct components: HermeticWiper for wiping data, HermeticWizard for lateral movement, and HermeticRansom to act as a decoy ransomware.

Previous assessments of HermeticWiper suggested its code signing certificate had been stolen from a Cyprus-based company called Hermetica Digital, but further analysis now suggests this is not the case – rather the attackers may have impersonated Hermetica Digital to defraud DigiCert out of a legitimate certificate. This has since been revoked.

Further details of both malwares, including indicators of compromise (IOCs) and Mitre ATT&CK techniques, are available from ESET.

As far as cyber attacks beyond Ukraine’s borders are concerned, Boutin and his team said they have no evidence that any other countries have been targeted with either HermeticWiper or IsaacWiper.

However, they added: “Due to the current crisis…there is still a risk that the same threat actors will launch further campaigns against countries that back the Ukrainian government or that sanction Russian entities.”