HermeticWiper, also known as “IsaacWiper” or “Sandworm,” which wipes the data on computers, rendering them useless, has reportedly affected hundreds of Ukrainian users since it surfaced. While a few cybersecurity specialists have publicized indicators of compromise (IoCs) related to the ongoing campaigns, we found more connected web properties that users may need to steer clear of to avoid becoming the next victims. These include:
As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.
We scoured the Web for HermeticWiper IoCs and found 26 IP addresses identified by AlienVault and IBM X-Force Exchange. All except for one IP address (in bold below) looked to be a dedicated IP host. These are:
We began our in-depth investigation by subjecting the IP address IoCs to reverse IP API lookups. That led to the discovery of 221 domains that resolved to the malicious IP addresses. These include:
Next, we looked at the domains’ WHOIS records and uncovered seven unredacted registrant email addresses. We used these as reverse WHOIS search terms, which gave us an additional 12,293 possibly connected domains. Note that 10,000 of these resolved to the sole shared IP address IoC—192[.]168[.]3[.]13. Examples include:
Note that most, if not all, of them belong to legitimate organizations. And though none was tagged “malicious,” the fact that they share an IP address identified as a HermeticWiper IoC makes them worth monitoring at the very least.
Finally, we subjected all of the domains we found to a bulk malware check on Threat Intelligence Platform (TIP) and found that 13 were dubbed “dangerous” by various malware engines. These are:
If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.
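The pivot chain described above (reverse IP on the IoC addresses, unredacted registrant email to reverse WHOIS, then a bulk malware check over everything found), as an added example that is not part of the original post. It runs offline against constructed lookup tables in place of the live reverse-IP, WHOIS and Threat Intelligence Platform APIs, and rates each link by how informative the co-resolution is: a dedicated host is a strong link, a shared host is a weak one, and an address in a private RFC 1918 range (such as the 192.168.3.13 noted above) cannot identify an internet host, so domains reached only through it are flagged as weakly linked. All domains, emails and addresses below are constructed placeholders, not indicators from the page.

```python
import ipaddress

# Constructed lookup tables standing in for reverse-IP, WHOIS and malware-check
# results; documentation-range addresses, none are real HermeticWiper IoCs.
IOC_IPS = ["203[.]0[.]113[.]7", "203[.]0[.]113[.]250", "192[.]168[.]3[.]13"]
REVERSE_IP = {  # ip -> domains currently resolving to it
    "203.0.113.7": ["drop-one.example"],
    "203.0.113.250": ["site-a.example", "site-b.example", "site-c.example"],
    "192.168.3.13": ["shop-a.example", "shop-b.example"],
}
WHOIS_EMAIL = {  # domain -> unredacted registrant email, where one exists
    "drop-one.example": "reg1@mail.example",
    "shop-a.example": "host@shared.example",
}
REVERSE_WHOIS = {  # registrant email -> every domain registered with it
    "reg1@mail.example": ["drop-one.example", "drop-three.example"],
    "host@shared.example": ["shop-a.example", "shop-z.example"],
}
MALWARE_VERDICT = {"drop-three.example": "dangerous"}  # anything else: clean
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def refang(ioc: str) -> str:
    """Restore a defanged indicator such as 192[.]168[.]3[.]13 to 192.168.3.13."""
    return ioc.replace("[.]", ".")

def link_strength(ip: str, domains, shared_threshold: int = 3) -> str:
    """Rate how much co-resolution with this IP says about a domain."""
    if any(ipaddress.ip_address(ip) in net for net in RFC1918):
        return "weak: private address, cannot identify an internet host"
    if len(domains) >= shared_threshold:
        return "weak: shared hosting, expect mostly legitimate neighbours"
    return "strong: dedicated host"

def pivot(ioc_ips, shared_threshold: int = 3) -> dict:
    """IP IoCs -> co-resolving domains -> registrant emails -> related domains,
    then a bulk malware verdict over everything found."""
    found = {}
    for raw in ioc_ips:
        ip = refang(raw)
        domains = REVERSE_IP.get(ip, [])
        strength = link_strength(ip, domains, shared_threshold)
        for dom in domains:
            found.setdefault(dom, {"via": f"ip {ip}", "strength": strength})
            email = WHOIS_EMAIL.get(dom)  # registrant pivots inherit the anchor's strength
            for related in REVERSE_WHOIS.get(email, []) if email else []:
                found.setdefault(related, {"via": f"registrant {email}", "strength": strength})
    for dom, info in found.items():
        info["verdict"] = MALWARE_VERDICT.get(dom, "clean")
    return found
```

Calling `pivot(IOC_IPS)` returns one record per discovered domain with the pivot it came through, its link strength and its malware verdict, so the weakly linked shared-host and private-address neighbours can be triaged separately from the dedicated-host hits.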