
HermeticWiper: Another Threat Targeting Ukraine at Large

HermeticWiper, also known as “IsaacWiper” or “Sandworm,” which wipes the data on computers, rendering them useless, has reportedly affected hundreds of Ukrainian users since it surfaced. While a few cybersecurity specialists have publicized indicators of compromise (IoCs) related to the ongoing campaigns, we found more connected web properties that users may need to steer clear of to avoid becoming the next victims. These include:

  • 221 domains that shared the IP hosts of the domains identified as threat IoCs
  • Seven unredacted domain registrant email addresses that led to the discovery of 12,292 possibly connected domains
  • 14 of the recently uncovered domains dubbed “dangerous” by various malware engines

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.

What Currently Available Public Sources Say

We scoured the Web for HermeticWiper IoCs and found 26 IP addresses identified by AlienVault and IBM X-Force Exchange. All except one, 192[.]168[.]3[.]13, appeared to be dedicated IP hosts.

What Our Deep Dive Found

We began our in-depth investigation by subjecting the IP address IoCs to reverse IP API lookups. That led to the discovery of 221 domains that resolved to the malicious IP addresses. These include:

  • access[.]sueport[.]nl
  • changqing[.]host
  • devico[.]com[.]hk
  • huuworks[.]com
  • kelvinclouds[.]xyz

Next, we looked at the domains’ WHOIS records and uncovered seven unredacted registrant email addresses. Using these as reverse WHOIS search terms gave us an additional 12,293 possibly connected domains. Note that 10,000 of these resolved to the sole shared IP address IoC, 192[.]168[.]3[.]13.


Note that most if not all of them belong to legitimate organizations. And though none was tagged “malicious,” the fact that they shared an IP address identified as a HermeticWiper IoC should make them worthy of monitoring at least.
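One sanity check worth running on an indicator list before pivoting on it, added here as an example and not part of the original post: 192[.]168[.]3[.]13 is an RFC 1918 private address, not routable on the public Internet, so a domain whose A record points at it is pointing at a placeholder rather than at shared infrastructure, and a reverse-IP pivot on it groups unrelated domains together. The script below (assumed tooling, written for this write-up; sample values are constructed in the defanged notation used above) refangs indicators and separates public IPs and domains from private, reserved or malformed entries.

```python
import ipaddress
import re

# Constructed sample in the defanged notation used in the write-up above.
SAMPLE_IOCS = [
    "96[.]80[.]68[.]193",     # public, pivotable
    "192[.]168[.]3[.]13",     # RFC 1918 private space, not pivotable
    "127[.]0[.]0[.]1",        # loopback
    "access[.]sueport[.]nl",  # domain
    "not an indicator",       # junk that slipped into the list
]

HOSTNAME_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}")


def refang(value: str) -> str:
    """Undo common defanging: '[.]'/'(.)' -> '.', 'hxxp://' -> 'http://'."""
    value = value.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def classify_ioc(value: str) -> str:
    """Return 'public_ip', 'private_ip', 'reserved_ip', 'domain' or 'invalid'.

    Private and reserved addresses cannot be pivoted on (reverse IP, passive
    DNS) and should not be distributed as network IoCs.
    """
    v = refang(value)
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        # Not an IP address: accept a syntactically valid hostname only.
        return "domain" if HOSTNAME_RE.fullmatch(v.lower()) else "invalid"
    # Check the special-purpose ranges first; is_private also covers loopback.
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or ip.is_reserved):
        return "reserved_ip"
    if ip.is_private:
        return "private_ip"
    return "public_ip"


def triage(iocs):
    """Group refanged indicators by class so non-pivotable ones can be dropped."""
    buckets = {}
    for raw in iocs:
        buckets.setdefault(classify_ioc(raw), []).append(refang(raw))
    return buckets


if __name__ == "__main__":
    for kind, values in sorted(triage(SAMPLE_IOCS).items()):
        print(f"{kind}: {values}")
```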

Finally, we subjected all of the domains we found to a bulk malware check on Threat Intelligence Platform (TIP) and found that 13 were dubbed “dangerous” by various malware engines.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider
