A new data wiper malware called 'PathWiper' is being used in targeted attacks against critical infrastructure in Ukraine, with the aim of disrupting operations in the country.
The payload was deployed through a legitimate endpoint administration tool, showing that the attackers already had administrative access to the systems through a prior compromise.
Cisco Talos researchers who investigated the attack attributed it with high confidence to an advanced persistent threat (APT) group associated with Russia.
The researchers compared PathWiper to HermeticWiper, which was previously deployed in Ukraine by the 'Sandworm' threat group, and found that the two share similar functionality.
PathWiper could therefore be an evolution of HermeticWiper, used in attacks by the same or an overlapping threat cluster.
PathWiper's destructive capabilities
PathWiper is executed on target systems through a Windows batch file that runs a malicious VBScript (uacinstall.vbs), which in turn drops and executes the primary payload (sha256sum.exe) (VirusTotal,
To evade detection, the execution mimics the behavior and file names associated with the legitimate administration tool.
Instead of enumerating only physical drives, as HermeticWiper does, PathWiper programmatically identifies all connected drives (local, network, and dismounted) on the system.
It then abuses the Windows API to dismount the volumes in preparation for corruption, and creates a separate thread for each volume to overwrite critical NTFS structures.
The NTFS root directory is among the targets, along with the following system files:
- MBR (Master Boot Record): The first sector of a physical disk, holding the bootloader and the partition table.
- $MFT (Master File Table): The core NTFS system file that catalogs all files and directories, including their metadata and their location on the disk.
- $LogFile: The journal used for NTFS transaction logging, tracking file changes, and integrity checking and recovery.
- $Boot: The file that holds the boot sector and filesystem layout information.
PathWiper overwrites the above and five other important NTFS files with random bytes, rendering the affected system completely unusable.
The observed attacks involved no extortion or financial demands of any kind, so their sole purpose is destruction and operational disruption.
Cisco Talos has published file hashes and Snort rules to help detect the threat and stop it before it corrupts the drives.
Data wipers have become a powerful tool in attacks on Ukraine since the war began, with Russian threat actors typically using them to disrupt critical operations in the country.
These include wipers such as DoubleZero, CaddyWiper, HermeticWiper, IsaacWiper, WhisperGate, and AcidRain.
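Because the wiper replaces these structures with random bytes, a responder triaging a disk image can tell an intact MBR, NTFS boot sector or $MFT record from a wiped one with a few structural checks plus an entropy test. The following Python script is an added example written for this article; it is not code from Cisco Talos or from the malware analysis. The sample sectors it builds (build_mbr, build_ntfs_boot_sector, build_mft_record) are constructed stand-ins, pseudo_random_bytes is a constructed stand-in for the random overwrite, and the 7.0-bit entropy threshold is an assumed cut-off that separates mostly-zero metadata sectors from uniformly random data.

```python
"""Triage checks for on-disk structures that a wiper overwrites with random bytes.

Added example: constructed sample data and simplified NTFS/MBR checks, not the
malware's or Talos's code. Run it over raw sectors read from a disk image.
"""
import hashlib
import math
import struct

SECTOR = 512
NTFS_OEM_ID = b"NTFS    "          # bytes 3..10 of an NTFS boot sector
BOOT_SIGNATURE = b"\x55\xAA"        # last two bytes of MBR and boot sector
MFT_RECORD_MAGIC = b"FILE"          # first four bytes of an in-use $MFT record
ENTROPY_THRESHOLD = 7.0             # assumed: random 512-byte blocks score ~7.6 bits


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; metadata sectors are mostly zero and score low."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pseudo_random_bytes(n: int, label: bytes) -> bytes:
    """Constructed, deterministic stand-in for a random-byte overwrite (SHA-256 counter mode)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(label + ctr.to_bytes(4, "little")).digest()
        ctr += 1
    return out[:n]


def check_mbr(sector: bytes) -> list:
    """Findings for a Master Boot Record; empty list means it looks intact."""
    findings = []
    if len(sector) != SECTOR:
        return [f"unexpected length {len(sector)}"]
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    for i in range(4):                       # four 16-byte partition entries at 446
        status = sector[446 + 16 * i]
        if status not in (0x00, 0x80):       # only 'inactive' or 'bootable' are valid
            findings.append(f"partition {i}: invalid status byte 0x{status:02x}")
    if shannon_entropy(sector) > ENTROPY_THRESHOLD:
        findings.append("entropy consistent with a random-byte overwrite")
    return findings


def check_ntfs_boot_sector(sector: bytes) -> list:
    """Findings for the NTFS boot sector (the first sector of $Boot)."""
    findings = []
    if len(sector) != SECTOR:
        return [f"unexpected length {len(sector)}"]
    if sector[3:11] != NTFS_OEM_ID:
        findings.append("OEM ID is not 'NTFS    '")
    bps = struct.unpack_from("<H", sector, 11)[0]
    if bps not in (512, 1024, 2048, 4096):
        findings.append(f"implausible bytes-per-sector {bps}")
    if sector[13] == 0:
        findings.append("sectors-per-cluster is zero")
    if struct.unpack_from("<Q", sector, 48)[0] == 0:
        findings.append("$MFT cluster number is zero")
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if shannon_entropy(sector) > ENTROPY_THRESHOLD:
        findings.append("entropy consistent with a random-byte overwrite")
    return findings


def check_mft_record(record: bytes) -> list:
    """Findings for one $MFT file record (normally 1024 bytes)."""
    findings = []
    if record[0:4] != MFT_RECORD_MAGIC:
        findings.append("missing 'FILE' record signature")
    if len(record) >= 32:
        usa_offset = struct.unpack_from("<H", record, 4)[0]
        allocated = struct.unpack_from("<I", record, 28)[0]
        if usa_offset >= len(record):
            findings.append("update-sequence array offset outside record")
        if allocated != len(record):
            findings.append(f"allocated size {allocated} != record length {len(record)}")
    if shannon_entropy(record) > ENTROPY_THRESHOLD:
        findings.append("entropy consistent with a random-byte overwrite")
    return findings


def build_mbr() -> bytes:
    """Constructed MBR: minimal boot code, one bootable NTFS partition."""
    sec = bytearray(SECTOR)
    sec[0:8] = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\x8E"
    sec[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                               b"\xFE\xFF\xFF", 2048, 2097152)
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


def build_ntfs_boot_sector() -> bytes:
    """Constructed NTFS boot sector with plausible BPB values."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x52\x90"
    sec[3:11] = NTFS_OEM_ID
    struct.pack_into("<H", sec, 11, 512)       # bytes per sector
    sec[13] = 8                                # sectors per cluster
    sec[21] = 0xF8                             # media descriptor: fixed disk
    struct.pack_into("<Q", sec, 40, 2097151)   # total sectors
    struct.pack_into("<Q", sec, 48, 786432)    # $MFT start cluster
    struct.pack_into("<Q", sec, 56, 2)         # $MFTMirr start cluster
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


def build_mft_record() -> bytes:
    """Constructed 1024-byte $MFT record header (in use, no attributes filled in)."""
    rec = bytearray(1024)
    rec[0:4] = MFT_RECORD_MAGIC
    struct.pack_into("<HH", rec, 4, 48, 3)     # update sequence offset and count
    struct.pack_into("<H", rec, 16, 1)         # sequence number
    struct.pack_into("<H", rec, 18, 1)         # hard link count
    struct.pack_into("<H", rec, 20, 56)        # first attribute offset
    struct.pack_into("<H", rec, 22, 1)         # flags: in use
    struct.pack_into("<I", rec, 24, 64)        # used size
    struct.pack_into("<I", rec, 28, 1024)      # allocated size
    return bytes(rec)


if __name__ == "__main__":
    for name, data, check in (
        ("intact MBR", build_mbr(), check_mbr),
        ("intact NTFS boot sector", build_ntfs_boot_sector(), check_ntfs_boot_sector),
        ("intact $MFT record", build_mft_record(), check_mft_record),
        ("wiped MBR", pseudo_random_bytes(SECTOR, b"mbr"), check_mbr),
        ("wiped boot sector", pseudo_random_bytes(SECTOR, b"boot"), check_ntfs_boot_sector),
        ("wiped $MFT record", pseudo_random_bytes(1024, b"mft"), check_mft_record),
    ):
        print(f"{name}: {check(data) or 'no findings'}")
```

On a real image, read sector 0 of the disk for check_mbr, the first sector of the NTFS partition for check_ntfs_boot_sector, and 1024-byte records at the $MFT location named in the boot sector for check_mft_record; a volume whose boot sector fails the OEM-ID and signature checks while scoring above the entropy threshold matches the overwrite behaviour described above and should be imaged before any repair is attempted.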