This analysis considers some of the most widespread wiper malware families.
Important elements of the analysis:
- Analysis of the most peculiar characteristics of the wipers examined
- Analysis of the extracted strings
- Analysis of the masquerading peculiarities of certain samples
- Analysis of the differences between the samples examined
- Analysis of some of the credential discovery functions performed
- Analysis of loop instructions and file gathering
- Disassembly of the samples under examination, highlighting some register operations
- Analysis of packing and entropy conditions
- Analysis of WhisperGate, which has ransomware masquerading characteristics
Recently, a new threat has been posing a serious risk to the cybersecurity of companies and administrations around the world: “wiper” malware, which is designed to erase data on infected computer systems, causing irreparable damage to business operations and public institutions.
The first case of wiper infection was observed in 2012 and affected Iran’s Ministry of Petroleum. One of the most widespread attacks, however, was in June 2017 with the infamous wave of NotPetya infections. The damage was later estimated at more than $10 billion. Several organizations and critical infrastructures in Ukraine were affected by this wave of NotPetya, including radiation monitoring systems at the nuclear power plant in Chernobyl.
Notably, on Feb. 24, 2022, the wiper called AcidRain was used in a cyber attack against Viasat’s satellite Internet service, affecting several countries, including Italy.
SwiftSlicer, discovered by Fortinet researchers on Jan. 25, 2023, was used to conduct a cyber attack on Ukrainian infrastructure. This malware does not aim at ransom or monetization, but only at data destruction and the sabotage of computer systems.
The day before the invasion of Ukraine by Russian forces on February 24, 2022, a new wiper, known as “HermeticWiper,” was discovered being unleashed against a number of Ukrainian entities; its name derives from a digital certificate stolen from a company called Hermetica Digital Ltd.