Slide 1
Slide 1 text
@F
rØgger_
Thomas Roccia
Overview of HermeticWiper
Initial entry point and deployment
Exchange Server
Compromised Tomcat Exploit PowerShell for post
compromission
Conhosts.exe
(Wiper Loader)
Name: Hermetica Digital Ltd
:Status: Valid
Issuer: DigiCert EV Code Signing CA (SHA2)
Valid From: 12:00 AM 04/13/2021
Valid To: 11:59 PM 04/14/2022
Valid Usage: Code Signing
Algorithm: sha256RSA
Thumbprint: 1AE7556DFACD47D9EFBE79BE974661A5A6D6D923
Serial Number: 0C48732873AC8CCEBAF8F0E1E8329CEC
Certificate
MBR and Partition corruptions
Bytes overwriting
Anti-forensic
Check OS Architecture and drop the resource
accordingly
RCDATA Resource MS compress: “empntdrv.sys“
• DRV_X64: Windows 7+ 6’ bits
• DRV-X86: Windows 7+ 32 bits
• DRV_XP_X64: Windows XP 64 bits
• DRV_XP_X86: Windows XP 32 bits
Disable VSS Service if enabled
Webshell
• Set Registry key SYSTEM\\CurrentControlSet\\Control\CrashControl\
CrashDumpEnabled = 0 to avoid that no file are written when the
system terminates abnormally.
• Delete the service registry key previously created to run the driver:
SYSTEM\CurrentControlSet\\Services\
• Disables ShowCompColor and ShowInfoTip in all HKEY_USERS
registry:
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowCompColor = 0
ShowInfoTip = 0
Drop the driver into C:\Windows\system32\Drivers\dr.sys
Load the driver using SeLoadDriverPrivilege
Run the driver as a service using API OpenSCManagerW(), OpenServiceW(),
CreateServiceW() and StartServiceW()
• Creates named pipe \\\\.\\EPMNTDRV\\%u for driver com
• Get handle from the function DeviceIoControl with IoControlCode
0x560000 (IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS) to get
the device number.
$LOGFILE log file containing all actions performed on the volume.
$I30 Windows NTFS Index Attribute
$ATTRIBUTE_LIST Lists the location of all attribute records that do not fit in
the MFT record
$EA Extended the attribute index
$EA_INFORMATION Extended attribute information
$SECURITY_DESCRIPTOR Security descriptor stores ACL and SIDs
$DATA Contains the default file data
$INDEX_ROOT Used to support folders and other indexes
$INDEX_ALLOCATION The type name for a Directory Stream. A string for the
attribute code for index allocation
$BITMAP A bitmap index for a large directory.
$REPARSE_POINT Used for volume mount points
$LOGGED_UTILITY_STREAM Use by the encrypting file system
IMPACT
Enumerates Windows files, Event Logs and Windows
Restaure Points
• “My Documents”, “Desktop”, “AppData”
• "\\\\?\\C:\\Windows\\System32\\winevt\\Logs")
• "C:\System Volume Information"
EaseUS driver
Get privileges:
• SeShutdownPrivilege
• SeBackupPrivilege
• SeLoadDriverPrivilege
Get MFT and NTFS Attributes
Sample Analyzed:
SHA256: 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
External Sources:
https://gist.github.com/fr0gger/7882fde2b1b271f9e886a4a9b6fb6b7f
Deployment via GPO
Rev: Version 2