
Researchers from Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, involving a previously unknown wiper identified as ‘PathWiper.’ The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, which was then used to issue malicious commands and deploy PathWiper across connected endpoints. 

Talos attributes this disruptive attack and the associated wiper to a Russia-nexus advanced persistent threat (APT) actor. “Our assessment is made with high confidence based on tactics, techniques and procedures (TTPs) and wiper capabilities overlapping with destructive malware previously seen targeting Ukrainian entities. The continued evolution of wiper malware variants highlights the ongoing threat to Ukrainian critical infrastructure despite the longevity of the Russia-Ukraine war,” it added.

The researchers said that “Any commands issued by the administrative tool’s console were received by its client running on the endpoints. The client then executed the command as a batch (BAT) file, with the command line partially resembling that of Impacket command executions, though such commands do not necessarily indicate the presence of Impacket in an environment.”

They added that the BAT file consisted of a command to execute a malicious VBScript file called ‘uacinstall[dot]vbs’, also pushed to the endpoint by the administrative console. Upon execution, the VBScript wrote the PathWiper executable, named ‘sha256sum[dot]exe’, to disk and executed it. 

Throughout the attack, filenames and actions used were intended to mimic those deployed by the administrative utility’s console, indicating that the attackers had prior knowledge of the console and possibly its functionality within the victim enterprise’s environment.

“PathWiper’s mechanisms are somewhat semantically similar to another wiper family, HermeticWiper, previously seen targeting Ukrainian entities in 2022,” the researchers highlighted. “HermeticWiper, also known as FoxBlade or NEARMISS, is attributed to Russia’s Sandworm group in third-party reporting with medium to high confidence. Both wipers attempt to corrupt the master boot record (MBR) and NTFS-related artifacts.”  

On execution, the researchers found that PathWiper replaces the contents of artifacts related to the file system with random data generated on the fly. It first gathers a list of connected storage media on the endpoint, including physical drive names, volume names, and paths, and network shared and unshared (removed) drive paths. Although most storage devices and volumes are discovered programmatically (via APIs), the wiper also queries for the paths of shared network drives so that they can be targeted for destruction.

“Once all the storage media information has been collected, PathWiper creates one thread per drive and volume for every path recorded and overwrites artifacts with randomly generated bytes,” the post added. “The wiper reads multiple file system attributes, such as the following from New Technology File System (NTFS).”

PathWiper then overwrites the contents/data related to these artifacts directly on disk with random data, including MBR, $MFT, $MFTMirr, $LogFile, $Boot, $Bitmap, $TxfLog, $Tops, and $AttrDef. 

Before overwriting the contents of the artifacts, the wiper also attempts to dismount volumes via the MountPointManager device object. PathWiper also destroys files on disk by overwriting them with randomized bytes.

Talos researchers said that a significant difference between HermeticWiper and PathWiper is the corruption mechanisms used against recorded drives and volumes. “PathWiper programmatically identifies all connected (including dismounted) drives and volumes on the system, identifies volume labels for verification and documents valid records. This differs from HermeticWiper’s simple process of enumerating physical drives from 0 to 100 and attempting to corrupt them,” they added. 
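As an added defender-side example (not Cisco Talos code), the following Python correlates constructed endpoint telemetry for the two behaviours described above: a script host writing an executable to disk and then launching it, and a single process opening several raw drives or volumes for write, as a wiper that spawns one thread per drive would. The event schema, field names and the `raw_device_open` event type are assumptions about a generic EDR feed.

```python
# Added detection example (not Talos code); the event schema is an assumption.
import re
from collections import defaultdict

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# \\.\PhysicalDriveN, \\.\C: or \\.\Volume{guid}: the handles needed for raw disk writes
RAW_DEVICE = re.compile(r"^\\\\\.\\(PhysicalDrive\d+|[A-Z]:|Volume\{[0-9a-f-]+\})$", re.I)
RAW_OPEN_THRESHOLD = 3  # distinct raw drives/volumes opened for write by one process

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect_wiper_activity(events):
    """Alerts for (1) a script host that writes a PE and then launches it, and
    (2) one process opening several raw drives/volumes for write."""
    alerts = []
    dropped_by = defaultdict(set)  # script-host pid -> exe paths it wrote
    raw_opens = defaultdict(set)   # pid -> distinct raw device paths opened for write
    for ev in events:
        kind = ev["event"]
        if kind == "file_create" and _base(ev["image"]) in SCRIPT_HOSTS \
                and ev["target"].lower().endswith(".exe"):
            dropped_by[ev["pid"]].add(ev["target"].lower())
        elif kind == "process_create" and ev["image"].lower() in dropped_by[ev["ppid"]]:
            alerts.append(f"script host pid {ev['ppid']} dropped and launched {ev['image']}")
        elif kind == "raw_device_open" and "write" in ev["access"] \
                and RAW_DEVICE.match(ev["target"]):
            raw_opens[ev["pid"]].add(ev["target"].upper())
            if len(raw_opens[ev["pid"]]) == RAW_OPEN_THRESHOLD:
                alerts.append(f"pid {ev['pid']} ({_base(ev['image'])}) opened "
                              f"{RAW_OPEN_THRESHOLD} raw drives/volumes for write")
    return alerts

# Constructed sample telemetry mirroring the chain the article describes.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe"},
    {"event": "file_create", "pid": 101, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\ProgramData\sha256sum.exe"},
    {"event": "process_create", "pid": 102, "ppid": 101, "image": r"C:\ProgramData\sha256sum.exe"},
    {"event": "raw_device_open", "pid": 102, "image": r"C:\ProgramData\sha256sum.exe",
     "target": r"\\.\PhysicalDrive0", "access": "read,write"},
    {"event": "raw_device_open", "pid": 102, "image": r"C:\ProgramData\sha256sum.exe",
     "target": r"\\.\C:", "access": "read,write"},
    {"event": "raw_device_open", "pid": 102, "image": r"C:\ProgramData\sha256sum.exe",
     "target": r"\\.\D:", "access": "write"},
]

if __name__ == "__main__":
    print("\n".join(detect_wiper_activity(SAMPLE_EVENTS)))
```

Read-only raw opens (backup or forensic tooling) do not count toward the threshold, which keeps the second rule focused on write access to the raw device.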

In March, Talos researchers detailed multiple cyber espionage campaigns that target various sectors, including government, manufacturing, telecommunications, and media, delivering Sagerunex and other hacking tools for post-compromise activities. Talos attributes these attacks to the threat actor, Lotus Blossom, which has been conducting cyber espionage operations since at least 2012 and remains active today. It confidently assesses that Lotus Blossom, also known as Spring Dragon, Billbug, or Thrip, is responsible for these campaigns.