HermeticWizard

Malware Profile Updated 3 months ago
HermeticWizard is malicious software (malware) that emerged as part of a series of cyber-attacks against Ukraine beginning in January 2022. It was deployed alongside other destructive programs such as HermeticWiper, IsaacWiper, and CaddyWiper, and additional Indicators of Compromise (IOCs) for WhisperGate were identified in the same campaign. HermeticWizard is a custom worm used to propagate HermeticWiper within local networks, while HermeticRansom functions as decoy ransomware. This information was updated in an advisory on April 28, 2022.

HermeticWizard employs several techniques to infiltrate and spread across local networks. It uses Distributed Component Object Model (DCOM) and Windows Management Instrumentation (WMI) as remote services, which let the malware start new processes on other hosts. It also uses Server Message Block (SMB) / Windows Admin Shares for lateral movement, allowing it to spread to further computers on the local network. In addition, HermeticWizard scans local IP ranges (system discovery) to identify potential targets within the network.

The technical details of HermeticWizard, along with IsaacWiper, are given in MAR-10376640.r1.v1. A hunting rule named "Hermetica Cert" has been established based on the certificate used in both HermeticWiper and HermeticWizard, giving it a broad scope for detecting related samples. The signature entry 3C54C9A49A8DDCA02189FE15FEA52FE24F41A86F c9EEAF78C9A12.dat Win32/GenCBL.BSP (file hash, file name and detection name) is associated with HermeticWizard, indicating its presence during system scans.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Hermetica Cert | 1 | None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware, Worm, Lateral Move..., T1021.002, Malware, T1018, T1047, Decoy, T1021.003, Windows
Associated Malware
ID | Type | Votes | Profile Description
HermeticWiper | Unspecified | 2 | HermeticWiper is a destructive malware that was first disclosed by cybersecurity researchers on February 23, 2022. This malicious software was deployed against organizations in Ukraine, with the intent of destroying computer systems and rendering them inoperable. The malware infiltrates systems thro
WhisperGate | Unspecified | 1 | WhisperGate is a type of malware, specifically a wiper, that was used extensively in cyberattacks against Ukrainian organizations throughout 2022. It was one of several malicious software tools deployed by Russian Advanced Persistent Threat (APT) actors, alongside others such as AwfulShred, CaddyWip
CaddyWiper | Unspecified | 1 | CaddyWiper is a destructive malware, a type of malicious software designed to exploit and damage computer systems. It was one of several malwares deployed against Ukraine starting in January 2022 by the Russian Advanced Persistent Threat (APT) group, alongside others such as WhisperGate, HermeticWip
IsaacWiper | Unspecified | 1 | IsaacWiper is a malicious software (malware) that has been identified as part of a series of cyberattacks against Ukraine in 2022. The malware is known to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites. Once inside, IsaacWiper can disru
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the HermeticWizard malware was read from the document corpus below.
Source | Created At | Title
MITRE | a year ago | Update: Destructive Malware Targeting Organizations in Ukraine | CISA
MITRE | a year ago | HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine
MITRE | a year ago | CaddyWiper: New wiper malware discovered in Ukraine | WeLiveSecurity
MITRE | a year ago | IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine | WeLiveSecurity
ESET | a year ago | A year of wiper attacks in Ukraine | WeLiveSecurity