Home / Industry

HermeticWiper: Another Threat Targeting Ukraine at Large

HermeticWiper, also known as “IsaacWiper” or “Sandworm,” which wipes the data on computers, rendering them useless, has reportedly affected hundreds of Ukrainian users since it surfaced. While a few cybersecurity specialists have publicized indicators of compromise (IoCs) related to the ongoing campaigns, we found more connected web properties that users may need to steer clear of to avoid becoming the next victims. These include:

  • 221 domains that shared the IP hosts of the domains identified as threat IoCs
  • Seven unredacted domain registrant email addresses that led to the discovery of 12,292 possibly connected domains
  • 14 of the recently uncovered domains dubbed “dangerous” by various malware engines

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.

What Currently Available Public Sources Say

We scoured the Web for HermeticWiper IoCs and found 26 IP addresses identified by AlienVault and IBM X-Force Exchange. All except for one IP address (in bold below) looked to be a dedicated IP host. These are:

  • 96[.]80[.]68[.]193
  • 93[.]51[.]177[.]66
  • 90[.]63[.]245[.]175
  • 81[.]4[.]177[.]118
  • 80[.]155[.]38[.]210
  • 80[.]153[.]75[.]103
  • 80[.]15[.]113[.]188
  • 78[.]134[.]89[.]167
  • 70[.]62[.]153[.]174
  • 50[.]255[.]126[.]65
  • 37[.]99[.]163[.]162
  • 37[.]71[.]147[.]186
  • 24[.]199[.]247[.]222
  • 217[.]57[.]80[.]18
  • 212[.]234[.]179[.]113
  • 212[.]202[.]147[.]10
  • 212[.]103[.]208[.]182
  • 208[.]81[.]37[.]50
  • 2[.]230[.]110[.]137
  • 188[.]152[.]254[.]170
  • 185[.]82[.]169[.]99
  • 151[.]0[.]169[.]250
  • 109[.]192[.]30[.]125
  • 105[.]159[.]248[.]137
  • 100[.]43[.]220[.]234
  • 192[.]168[.]3[.]13

What Our Deep Dive Found

We began our in-depth investigation by subjecting the IP address IoCs to reverse IP API lookups. That led to the discovery of 221 domains that resolved to the malicious IP addresses. These include:

  • access[.]sueport[.]nl
  • changqing[.]host
  • devico[.]com[.]hk
  • huuworks[.]com
  • kelvinclouds[.]xyz

Next, we looked at the domains’ WHOIS records and uncovered seven unredacted registrant email addresses. We used these as reverse WHOIS search terms, which gave us an additional 12,293 possibly connected domains. Note that 10,000 of these resolved to the sole shared IP address IoC—192[.]168[.]3[.]13. Examples include:

  • clipzip[.]fr
  • g-technology[.]ca
  • hgst[.]com
  • mycloud[.]com
  • remotewd[.]com
  • sandisk-jp[.]com
  • usbav[.]com
  • wdc[.]com
  • xkey[.]com
  • zephyrhq[.]com

Note that most if not all of them belong to legitimate organizations. And though none was tagged “malicious,” the fact that they shared an IP address identified as a HermeticWiper IoC should make them worthy of monitoring at least.

Finally, we subjected all of the domains we found to a bulk malware check on Threat Intelligence Platform (TIP) and found that 13 were dubbed “dangerous” by various malware engines. These are:

  • aiphonemarketing[.]com
  • audio-iwasaki[.]com
  • auodsmdsnisnic[.]com
  • auomdsnisnanbco[.]net
  • harrods-hair[.]com
  • kyoeikougyo[.]com
  • login-rakuten[.]jp
  • mamitaiyo[.]com
  • netflixhamaru[.]com
  • sasadastone[.]com
  • soba-sadashichi[.]com
  • stl-n[.]com
  • syuriya[.]com

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Commenting is not available in this channel entry.

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

Domain Management

Sponsored byMarkMonitor

IPv4 Markets

Sponsored byIPXO

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign