HermeticWizard

HermeticWizard is a worm that has been used to spread HermeticWiper in attacks against organizations in Ukraine since at least 2022.[1]

ID: S0698
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 25 March 2022
Last Modified: 11 April 2022

Techniques Used

Domain ID Name Use
Enterprise T1110 .001 Brute Force: Password Guessing

HermeticWizard can use a list of hardcoded credentials in attempt to authenticate to SMB shares.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

HermeticWizard can use cmd.exe for execution on compromised hosts.[1]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

HermeticWizard has the ability to use wevtutil cl system to clear event logs.[1]

Enterprise T1559 .001 Inter-Process Communication: Component Object Model

HermeticWizard can execute files on remote machines using DCOM.[1]

Enterprise T1570 Lateral Tool Transfer

HermeticWizard can copy files to other machines on a compromised network.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

HermeticWizard has been named exec_32.dll to mimic a legitimate MS Outlook .dll.[1]

Enterprise T1106 Native API

HermeticWizard can connect to remote shares using WNetAddConnection2W.[1]

Enterprise T1046 Network Service Discovery

HermeticWizard has the ability to scan ports on a compromised network.[1]

Enterprise T1027 Obfuscated Files or Information

HermeticWizard has the ability to encrypt PE files with a reverse XOR loop.[1]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

HermeticWizard can use a list of hardcoded credentials to to authenticate via NTLMSSP to the SMB shares on remote systems.[1]

Enterprise T1018 Remote System Discovery

HermeticWizard can find machines on the local network by gathering known local IP addresses through DNSGetCacheDataTable, GetIpNetTable,WNetOpenEnumW(RESOURCE_GLOBALNET, RESOURCETYPE_ANY),NetServerEnum,GetTcpTable, and GetAdaptersAddresses.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

HermeticWizard has been signed by valid certificates assigned to Hermetica Digital.[1]

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

HermeticWizard has used regsvr32.exe /s /i to execute malicious payloads.[1]

.011 System Binary Proxy Execution: Rundll32

HermeticWizard has the ability to create a new process using rundll32.[1]

Enterprise T1569 .002 System Services: Service Execution

HermeticWizard can use OpenRemoteServiceManager to create a service.[1]

Enterprise T1047 Windows Management Instrumentation

HermeticWizard can use WMI to create a new process on a remote machine via C:\windows\system32\cmd.exe /c start C:\windows\system32\\regsvr32.exe /s /iC:\windows\<filename>.dll.[1]

References