NewlyCisco Talos researchers who discovered the attack attributed it with high confidence to a Russia-linked advanced persistent threat (APT).
identified wiper malware “PathWiper” targets critical infrastructure in Ukraine
New PathWiper data wiper malware hits critical infrastructure in Ukraine
The researchers compare PathWiper to HermeticWiper, previously deployed in Ukraine by the 'Sandworm' threat group, which had similar functionality.
Hence, PathWiper may be an evolution of HermeticWiper, used in attacks by the same or overlapping threat clusters.
PathWiper's destructive capabilities
PathWiper executes on target systems via a Windows batch file that launches a malicious VBScript (uacinstall.vbs), that in turn drops and executes the primary payload (sha256sum.exe) [VirusTotal].
The execution mimics the behavior and names associated with a legitimate admin tool to evade detection.
Instead of simply enumerating physical drives like HermeticWiper, PathWiper programmatically identifies all connected drives (local, network, dismounted) on the system.
Next, it abuses Windows APIs to dismount volumes to prepare them for corruption and then creates threads for each volume to overwrite critical NTFS structures.
Among the targeted system files in the root directory of the NTFS are:
- MBR (Master Boot Record): The first sector of a physical disk holding the bootloader and partition table.
- $MFT (Master File Table): Core NTFS system file that catalogs all files and directories, including their metadata and locations on the disk.
- $LogFile: Journal is used for NTFS transaction logging, tracking file changes, and helping with integrity checking and recovery.
- $Boot: File containing boot sector and filesystem layout information.
PathWiper overwrites the above and another five critical NTFS files with random bytes, rendering impacted systems completely inoperable.
The observed attacks do not involve extortion or any form of financial demands, so their sole aim is destruction and operational disruption.
Cisco Talos published file hashes and snort rules to help detect the threat and stop it before it corrupts the drives.
Data wipers have become a powerful tool in attacks on Ukraine since the war began, with Russian threat actors commonly using them to disrupt critical operations in the country.
This includes wipers named DoubleZero, CaddyWiper, HermeticWiper, IsaacWiper, WhisperKill, WhisperGate, and AcidRain.
![ioc[.]one - OSINT Cyber Threat Intelligence Archive](https://ioc.one/media/cover_images/afe46154-d707-4ca0-a829-7a6a9fe2d4b8.png)
-
New Mirai botnet infect TBK DVR devices via command injection flaw
A new variant of the Mirai malware botnet is exploiting a command injection vulnerability in TBK DVR-4104 and DVR-4216 digital video recording devices to hijack them.
- June 08, 2025
- 10:17 AM
0
-
This AI tool suite is yours for the one-time payment of $99.99 in this deal
The 1min.AI platform is an AI game changer. And right now, for a one-time payment of just $99.99 (reg. $540), you get lifetime access to an all-in-one AI suite that does all of the above (and then some), using the latest and greatest AI models on the market.
- June 08, 2025
- 08:06 AM
- 0
-
Playbook: Getting Started with DevSecOps
Embedding security into your DevOps and development processes isn't just a nice-to-have anymore it's essential for building secure applications and infrastructure for the cloud.
Download this playbook now for practical, field-tested approaches to to plan and implement a DevSecOps program that can align your security and development teams to improve code security.
-
Malware found in NPM packages with 1 million weekly downloads
A significant supply chain attack hit NPM after 15 popular Gluestack packages with over 950,000 weekly downloads were compromised to include malicious code that acts as a remote access trojan (RAT).
- June 07, 2025
- 03:31 PM
- 0
-
Malicious npm packages posing as utilities delete project directories
Two malicious packages have been discovered in the npm JavaScript package index, which masquerades as useful utilities but, in reality, are destructive data wipers that delete entire application directories.
- June 07, 2025
- 10:11 AM
- 0
-
You can wear these $35 TREBLAB earbuds all day in this deal
If you've ever tried jogging outside, commuting through a busy city, or just walking your dog while listening to music, you know how important it is to stay aware of your surroundings, but that doesn't mean going without music. Instead, Pick up a pair of TREBLAB X-Open Wireless Open-Ear Earbuds on sale for $34.97 while you can.
- June 07, 2025
- 08:12 AM
- 0
-
Microsoft shares script to restore inetpub folder you shouldn’t delete
Microsoft has released a PowerShell script to help restore an empty 'inetpub' folder created by the April 2025 Windows security updates if deleted. As Microsoft previously warned, this folder helps mitigate a high-severity Windows Process Activation privilege escalation vulnerability.
- June 06, 2025
- 01:28 PM
- 1
-
Tax resolution firm Optima Tax Relief hit by ransomware, data leaked
U.S. tax resolution firm Optima Tax Relief suffered a Chaos ransomware attack, with the threat actors now leaking data stolen from the company.
- June 06, 2025
- 01:14 PM
- 0
-
Kettering Health confirms Interlock ransomware behind cyberattack
Healthcare giant Kettering Health, which manages 14 medical centers in Ohio, confirmed that the Interlock ransomware group breached its network and stole data in a May cyberattack.
- June 06, 2025
- 11:26 AM
- 0
-
New PathWiper data wiper malware hits critical infrastructure in Ukraine
A new data wiper malware named 'PathWiper' is being used in targeted attacks against critical infrastructure in Ukraine, aimed at disrupting operations in the country.
- June 06, 2025
- 10:40 AM
- 0
-
Critical Fortinet flaws now exploited in Qilin ransomware attacks
The Qilin ransomware operation has recently joined attacks exploiting two Fortinet vulnerabilities that allow bypassing authentication on vulnerable devices and executing malicious code remotely.
- June 06, 2025
- 09:53 AM
- 0
No comments:
Post a Comment