Cybersecurity organizations have discovered a new data wiper used in devastating attacks against Ukrainian networks, just as Russia sends soldiers into Ukraine’s eastern territories. A data wiper is a type of malware that destroys data on a device so that it cannot be recovered, leaving the operating system unable to function.
The new data wiper was found by Symantec and ESET, both of which state that it has been used in recent attacks. Symantec has so far published only the hash of the new wiper, which at the time of writing is detected by just 12 of 70 security engines on VirusTotal, whereas ESET has posted a Twitter thread with considerably more detail.
According to ESET, the new data wiper is detected as Win32/KillDisk.NCV and was installed on hundreds of devices on Ukrainian networks. ESET also noted that the malware was compiled on 12/28/21, which indicates that the attacks were likely planned well in advance.
“The PE compilation timestamp of one of the samples is 2021-12-28, suggesting that the attack might have been in preparation for almost two months,” tweeted ESET.
Analysis of the malware shows that the wiper carries four embedded drivers named DRV_X64, DRV_X86, DRV_XP_X64, and DRV_XP_X86. These are compressed with the Windows ‘compress’ command; once expanded, they turn out to be signed by ‘CHENGDU YIWO Tech Development Co., Ltd.’, the owner of the EaseUS data recovery and disk management software.
When the malware runs, the wiper creates a new Windows service for one of these drivers. Strings inside the drivers reference the EaseUS Partition Manager application. ESET suspects that these EaseUS drivers have been tampered with so that they damage the device’s data before the system reboots.
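ESET's observation that the drivers are packed with the Windows ‘compress’ command means each one is stored in the SZDD (MS-LZSS) container that expand.exe reads. As an added example, not code from the original article or from any of the researchers it cites, the following Python decoder expands such a stream and scans a larger file for embedded copies so an analyst can pull the drivers out for inspection; the sample stream is constructed by hand.

```python
import struct

SZDD_MAGIC = b"SZDD\x88\xf0\x27\x33"   # header written by Windows compress.exe
WINDOW = 4096                           # LZSS dictionary size used by the format

def szdd_decompress(data: bytes) -> bytes:
    """Expand one SZDD stream the way expand.exe does (header, then LZSS body)."""
    if data[:8] != SZDD_MAGIC or data[8:9] != b"A":
        raise ValueError("not an SZDD stream")
    size = struct.unpack_from("<I", data, 10)[0]   # uncompressed length from the header
    window = bytearray(b" " * WINDOW)              # dictionary starts filled with spaces
    pos = WINDOW - 16                              # initial write position in the dictionary
    out = bytearray()
    i = 14
    while len(out) < size and i < len(data):
        ctrl = data[i]; i += 1                     # one control byte governs the next 8 items
        for bit in range(8):
            if len(out) >= size or i >= len(data):
                break
            if ctrl & (1 << bit):                  # bit set: literal byte
                c = data[i]; i += 1
                out.append(c); window[pos] = c; pos = (pos + 1) % WINDOW
            else:                                  # bit clear: 12-bit offset + 4-bit length
                if i + 1 >= len(data):
                    break
                b1, b2 = data[i], data[i + 1]; i += 2
                off = b1 | ((b2 & 0xF0) << 4)
                for k in range((b2 & 0x0F) + 3):
                    if len(out) >= size:
                        break
                    c = window[(off + k) % WINDOW]
                    out.append(c); window[pos] = c; pos = (pos + 1) % WINDOW
    if len(out) != size:
        raise ValueError("truncated SZDD stream")
    return bytes(out)

def find_szdd_streams(blob: bytes):
    """Locate and expand every SZDD stream inside a larger file (e.g. a PE resource area)."""
    results, start = [], blob.find(SZDD_MAGIC)
    while start != -1:
        try:
            results.append((start, szdd_decompress(blob[start:])))
        except ValueError:
            pass                                   # false-positive magic or damaged stream
        start = blob.find(SZDD_MAGIC, start + 1)
    return results

# Constructed sample: 5 literals, a back-reference to them, then 4 spaces from the empty window.
SAMPLE_SZDD = (SZDD_MAGIC + b"A\x00" + struct.pack("<I", 14)
               + bytes([0x1F]) + b"ABCDE" + bytes([0xF0, 0xF2, 0x00, 0x01]))
```

Running `find_szdd_streams` over a suspected dropper returns each stream's offset alongside its expanded bytes, which can then be checked for a PE header and an Authenticode signature.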
Security researcher Silas Cutler confirmed that the data wiper also overwrites the device’s Master Boot Record, leaving it unable to boot. According to ESET, at least one of these attacks was not aimed at particular machines but was launched directly from the Windows domain controller, which suggests that the threat actors had had access to these networks for some time.
The details of this new data wiper are still being worked out, and this article will be updated as more information becomes available. Readers interested in further technical detail can follow the analysis of SentinelOne researcher J. A. Guerrero-Saade on Twitter.