HermeticWizard

Malware Profile Updated 24 days ago
HermeticWizard is malware that emerged as part of a series of cyber-attacks against Ukraine since January 2022. It operates alongside other destructive programs such as HermeticWiper, IsaacWiper, and CaddyWiper, with additional Indicators of Compromise (IOCs) for WhisperGate identified. HermeticWizard is a custom worm used to propagate HermeticWiper within local networks, while HermeticRansom functions as decoy ransomware. This information was updated in an advisory on April 28, 2022.

HermeticWizard employs several techniques to infiltrate and spread across local networks. It uses Distributed Component Object Model (DCOM) and Windows Management Instrumentation (WMI) for remote services, which lets the malware start new processes remotely. It also leverages Server Message Block (SMB) or Windows Admin Shares for lateral movement, allowing it to spread to further computers on the local network. Additionally, HermeticWizard scans local IP ranges for system discovery to identify potential targets within the network.

The technical details of HermeticWizard, along with IsaacWiper, can be found in MAR-10376640.r1.v1. A hunting rule named "Hermetica Cert" has been established based on the certificate used in both HermeticWiper and HermeticWizard, providing a broad scope for detecting potential threats. The signature 3C54C9A49A8DDCA02189FE15FEA52FE24F41A86F c9EEAF78C9A12.dat Win32/GenCBL.BSP is associated with HermeticWizard, indicating its presence during system scans.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Worm
Associated Malware
ID | Type | Votes | Profile Description
HermeticWiper | Unspecified | 2 | HermeticWiper is a destructive malware that was first identified in cyber attacks against organizations in Ukraine on February 23, 2022. It was disclosed by several cybersecurity researchers including SentinelLabs, a leading cybersecurity firm. This malware is designed to infiltrate and destroy comp
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the HermeticWizard Malware was read from the documents corpus below.
Source | Created At | Title
MITRE | a year ago | IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine | WeLiveSecurity
MITRE | a year ago | HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine
ESET | a year ago | A year of wiper attacks in Ukraine | WeLiveSecurity
MITRE | a year ago | Update: Destructive Malware Targeting Organizations in Ukraine | CISA
MITRE | a year ago | CaddyWiper: New wiper malware discovered in Ukraine | WeLiveSecurity