HermeticWizard is malware that emerged as part of a series of cyber-attacks against Ukraine beginning in January 2022. It operates alongside other destructive programs such as HermeticWiper, IsaacWiper, and CaddyWiper, and additional Indicators of Compromise (IOCs) for WhisperGate have been identified. HermeticWizard is a custom worm used to propagate HermeticWiper within local networks, while HermeticRansom functions as decoy ransomware. This information was updated in an advisory on April 28, 2022.
HermeticWizard employs several techniques to spread across local networks. It uses Distributed Component Object Model (DCOM) and Windows Management Instrumentation (WMI) as remote services, which lets the malware start new processes on other hosts. It also uses Server Message Block (SMB)/Windows Admin Shares for lateral movement, allowing it to reach further local computers. Additionally, HermeticWizard scans local IP ranges for system discovery, identifying potential targets within the network.
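The propagation pattern described above (a sweep of the local IP range followed by SMB and DCOM/WMI connections to many neighbours) is visible in ordinary network-connection telemetry. The following detection sketch is an added example written for this page, not code from the advisory, the MAR, or any vendor; the log line format, the constructed sample events, the 60-second window and the five-target threshold are all assumptions, and the function names (`parse_line`, `detect_local_sweeps`) are hypothetical.

```python
"""Flag hosts that contact many neighbours in their own /24 on SMB (445) or
RPC/DCOM (135) within a short window, the fan-out shape a network worm leaves."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Ports used by the lateral-movement channels named in the text:
# 445 = SMB / Windows Admin Shares, 135 = RPC endpoint mapper used by DCOM and WMI.
LATERAL_PORTS = {445, 135}

# Constructed sample events in an assumed simplified form
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port>"; not output of any real sensor.
SAMPLE_LOG = """\
2022-02-23T16:20:00Z 10.0.5.10 -> 10.0.5.1:445
2022-02-23T16:20:00Z 10.0.5.10 -> 10.0.5.2:445
2022-02-23T16:20:01Z 10.0.5.10 -> 10.0.5.3:445
2022-02-23T16:20:01Z 10.0.5.10 -> 10.0.5.4:135
2022-02-23T16:20:02Z 10.0.5.10 -> 10.0.5.5:135
2022-02-23T16:20:02Z 10.0.5.10 -> 10.0.5.6:445
2022-02-23T16:20:03Z 10.0.5.10 -> 10.0.5.7:445
2022-02-23T16:20:05Z 10.0.5.20 -> 10.0.5.200:445
2022-02-23T16:25:00Z 10.0.5.20 -> 10.0.5.201:445
2022-02-23T16:20:06Z 10.0.5.30 -> 203.0.113.7:443
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)


def detect_local_sweeps(log_text, window=timedelta(seconds=60), min_targets=5):
    """Return {src_ip: distinct_targets} for every source that reached at least
    `min_targets` distinct hosts inside its own /24 on a lateral-movement port
    within some interval no longer than `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port not in LATERAL_PORTS:
            continue
        # Only destinations in the source's own /24 count as a "local IP range" sweep.
        local_net = ipaddress.ip_network(f"{src}/24", strict=False)
        if ipaddress.ip_address(dst) not in local_net:
            continue
        events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()  # chronological order so a sliding window can be applied
        best, lo = 0, 0
        for hi in range(len(evs)):
            # Advance the window start until it spans at most `window` seconds.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            distinct = len({dst for _, dst in evs[lo:hi + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, count in detect_local_sweeps(SAMPLE_LOG).items():
        print(f"possible local sweep from {src}: {count} neighbours on 445/135 within 60s")
```

In the constructed sample only 10.0.5.10 is flagged (seven neighbours in three seconds); 10.0.5.20 makes two SMB connections five minutes apart and stays below threshold, and 10.0.5.30 is ignored because its destination is neither local nor on a lateral-movement port. On real telemetry the threshold should be tuned against the baseline of legitimate management hosts (backup servers, vulnerability scanners, SCCM distribution points) that also fan out over 445 and 135.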
The technical details of HermeticWizard and IsaacWiper are documented in MAR-10376640.r1.v1. A hunting rule named "Hermetica Cert" has been established based on the certificate used in both HermeticWiper and HermeticWizard; because it keys on the shared certificate rather than on one sample, it gives broad coverage for detecting related threats. The following indicator is associated with HermeticWizard: SHA-1 3C54C9A49A8DDCA02189FE15FEA52FE24F41A86F, filename c9EEAF78C9A12.dat, detection name Win32/GenCBL.BSP. A match on this hash or detection name during a system scan indicates the sample's presence.
Description last updated: 2024-05-04T19:06:54.621Z