IsaacWiper, the third wiper spotted since the beginning of the Russian invasion

IsaacWiper, a new data wiper was used against an unnamed Ukrainian government network after Russia’s invasion of Ukraine.

ESET researchers uncovered a new data wiper, tracked as IsaacWiper, that was used against an unnamed Ukrainian government network after Russia’s invasion of Ukraine.

The wiper was first spotted on February 24 within an organization that was not infected with the HermeticWiper malware (aka KillDisk.NCV), which infected hundreds of machines in the country on February 23. According to cybersecurity firms ESET and Broadcom’s Symantec discovered, the infections followed the DDoS attacks against several Ukrainian websites, including Ministry of Foreign Affairs, Cabinet of Ministers, and Rada.

The researchers have yet to attribute IsaacWiper to a certain threat actor.The first sample of the wiper was observed by ESET yesterday around 14h52 UTC (16h52 local time), but more interesting is the PE compilation timestamp of one of the samples which is 2021-12-28, suggesting that the cyber attack might have been in preparation for almost two months.

IsaacWiper was spotted in the form of either a Windows DLL or EXE with no Authenticode signature; 

The oldest PE compilation timestamp discovered by ESET is October 19^th, 2021, a circumstance that suggests that the malware might have been used in previous operations months earlier without being detected.

IsaacWiper and HermeticWiper have no code similarities, the former is less sophisticated than the latter.

Once infected a system, IsaacWiper starts by enumerating the physical drives and calls DeviceIoControl with the IOCTL IOCTL_STORAGE_GET_DEVICE_NUMBER to get their device numbers. Then IsaacWiper wipes the first 0x10000 bytes of each disk using the ISAAC pseudorandom generator.

Then the malware enumerates the logical drives and wipes the content of each disk with random bytes also generated by the ISAAC PRNG. Experts pointed out that the malware recursively wipes the files in a single thread, but the process could be time-consuming for large disks.

ESET reported that threat actors on February 25 used the IsaacWiper version with debug logs.

Researchers speculate attackers were unable to wipe some of the targeted machines and used logs to determine which problem took place.

“At this point, we have no indication that other countries were targeted.” concludes the analysis published by ESET. “However, due to the current crisis in Ukraine, there is still a risk that the same threat actors will launch further campaigns against countries that back the Ukrainian government or that sanction Russian entities.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, IsaacWiper)

[adrotate banner=”5″]

[adrotate banner=”13″]

Share On