Russia-Linked Threat Actors Deploy PathWiper Wiper Against Ukrainian Critical Infrastructure

TL;DR

A Russia-linked threat actor targeted a critical infrastructure organization in Ukraine using a new wiper malware, PathWiper. This sophisticated attack involved deploying the malware via a legitimate endpoint administration tool, showcasing advanced tactics and techniques.

Main Content

A Russia-linked threat actor has targeted Ukraine’s critical infrastructure with a novel wiper malware named PathWiper. Researchers from Cisco Talos have revealed that the attackers leveraged a legitimate endpoint administration tool, indicating they had administrative console access. This access was then used to deploy the destructive PathWiper malware. Talos attributes this attack to a Russia-linked APT group with high confidence, based on similar tactics, techniques, and procedures observed in previous attacks on Ukrainian entities.

PathWiper is a sophisticated malware designed to scan and identify all connected storage devices, including network drives. It then spawns threads that overwrite key disk artifacts and files with random data. The malware specifically targets NTFS structures such as the Master Boot Record (MBR) and Master File Table (MFT), often dismounting volumes before wiping. PathWiper resembles HermeticWiper, which is linked to Russia’s Sandworm group, but employs more precise, programmatic methods to identify and corrupt drives.

“On execution, PathWiper replaces the contents of artifacts related to the file system with random data generated on the fly.”

According to the report published by Cisco Talos, PathWiper first gathers a list of connected storage media on the endpoint, including:

  • Physical drive names
  • Volume names and paths
  • Network shared and unshared (removed) drive paths

Although most storage devices and volumes are discovered programmatically via APIs, the wiper also queries ‘HKEY_USERS\Network\<drive_letter>\RemotePath’ to obtain the paths of shared network drives for destruction. Once all the storage media information has been collected, PathWiper creates one thread per drive and volume for every path recorded and overwrites artifacts with randomly generated bytes.

Commands from the administrative console were executed on endpoints as BAT files, resembling Impacket-style syntax but not necessarily indicating its use. These BAT files ran a malicious VBScript (uacinstall.vbs), which dropped and executed the PathWiper payload named sha256sum.exe. The researchers speculate that the attackers mimicked legitimate admin tool behavior due to their familiarity with the tool and the target environment’s operations.

“Any commands issued by the administrative tool’s console were received by its client running on the endpoints. The client then executed the command as a batch (BAT) file, with the command line partially resembling that of Impacket command executions, though such commands do not necessarily indicate the presence of Impacket in an environment,” Talos explains.
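The execution chain described above (a BAT file launching a VBScript named uacinstall.vbs, which drops and runs a payload named sha256sum.exe that then enumerates mapped network drives through the per-user Network registry keys) can be turned into detection logic. The following is an added example written for this post, not code from the article or from Talos. The telemetry is constructed, in a generic EDR-style shape; the "reg_query" events assume a sensor that records registry value reads (Sysmon does not log reads), and the process ids, paths and SID are made up. The file names uacinstall.vbs and sha256sum.exe come from the article; the RemotePath value name is the standard Windows location for a mapped drive's UNC path.

```python
"""Toy detection for the PathWiper execution chain: a script host spawning a
dropped executable, article IoC file names, and one process reading the
RemotePath value for several mapped drive letters (the wiper's network-drive
enumeration). All events below are constructed sample data."""
import re
from collections import defaultdict

# Constructed sample telemetry (not real data and not from the article).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4412, "ppid": 3120,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c C:\Windows\Temp\run.bat"},
    {"type": "process", "pid": 4420, "ppid": 4412,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Windows\Temp\uacinstall.vbs"},
    {"type": "process", "pid": 4431, "ppid": 4420,
     "image": r"C:\Windows\Temp\sha256sum.exe",
     "cmdline": r"sha256sum.exe"},
    {"type": "reg_query", "pid": 4431,
     "key": r"HKEY_USERS\S-1-5-21-1000\Network\Y\RemotePath"},
    {"type": "reg_query", "pid": 4431,
     "key": r"HKEY_USERS\S-1-5-21-1000\Network\Z\RemotePath"},
    # Benign noise: Explorer refreshing a single mapped drive.
    {"type": "reg_query", "pid": 2000,
     "key": r"HKEY_USERS\S-1-5-21-1000\Network\Z\RemotePath"},
    {"type": "process", "pid": 2000, "ppid": 900,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

FILE_IOCS = ("uacinstall.vbs", "sha256sum.exe")   # file names from the article
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Matches ...\Network\<drive letter>\RemotePath, the mapped-drive UNC path value.
NETWORK_KEY = re.compile(r"\\Network\\([A-Z])\\RemotePath$", re.IGNORECASE)


def _base(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ioc_hits(events):
    """Pids of process-creation events whose image or command line names an article IoC."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        text = (e["image"] + " " + e["cmdline"]).lower()
        if any(ioc in text for ioc in FILE_IOCS):
            hits.append(e["pid"])
    return hits


def script_host_drops(events):
    """(parent_pid, child_pid) pairs where wscript/cscript spawned an executable
    living outside System32, i.e. a payload the script itself likely dropped."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    pairs = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if (parent and _base(parent["image"]) in SCRIPT_HOSTS
                and not e["image"].lower().startswith(r"c:\windows\system32")):
            pairs.append((parent["pid"], e["pid"]))
    return pairs


def mapped_drive_sweeps(events, min_drives=2):
    """Pids that read RemotePath for at least min_drives distinct drive letters.
    A single read is normal shell activity; sweeping every letter is not."""
    letters = defaultdict(set)
    for e in events:
        if e["type"] != "reg_query":
            continue
        m = NETWORK_KEY.search(e["key"])
        if m:
            letters[e["pid"]].add(m.group(1).upper())
    return sorted(pid for pid, s in letters.items() if len(s) >= min_drives)


def detect(events):
    """Combine the signals. A dropped child that also carries an IoC name and
    performs a drive sweep scores 3; a sweep with no script-host lineage still
    raises a low-severity alert."""
    alerts = []
    iocs = set(ioc_hits(events))
    drops = script_host_drops(events)
    sweeps = set(mapped_drive_sweeps(events))
    for parent, child in drops:
        score = 1 + (child in iocs) + (child in sweeps)
        alerts.append({"pid": child, "parent": parent, "score": score})
    for pid in sweeps - {child for _, child in drops}:
        alerts.append({"pid": pid, "parent": None, "score": 1})
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The IoC name match is the weakest signal, since a renamed payload defeats it; the script-host-to-dropped-executable lineage and the multi-letter RemotePath sweep describe behaviour rather than names, which is why the example scores the combination rather than any one match.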

Russia-linked APT groups have carried out multiple wiper campaigns against critical organizations in Ukraine. In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including:

Source: Pierluigi Paganini (Security Affairs); the full article is linked from the original post.

Conclusion

The deployment of PathWiper against Ukrainian critical infrastructure highlights the ongoing cyber threat posed by Russia-linked APT groups. As these threats evolve, it is crucial for organizations to stay vigilant and implement robust cybersecurity measures to protect against such sophisticated attacks.

This post is licensed under CC BY 4.0 by the author.