New PathWiper Wiper Malware Hits Ukrainian Critical Infrastructure via Legitimate Admin Tools

Cisco Talos has uncovered a sophisticated and destructive cyberattack targeting a critical infrastructure entity in Ukraine, deploying a previously unknown wiper malware dubbed “PathWiper.”

The attack, attributed with high confidence to a Russia-nexus advanced persistent threat (APT) actor, underscores the persistent and evolving threat to Ukrainian critical infrastructure amid the ongoing Russia-Ukraine conflict.

The attackers abused a legitimate endpoint administration framework: having most likely gained access to its administrative console, they issued malicious commands through it and used the framework's own distribution mechanism to deploy PathWiper to the connected endpoints.

This approach shows a detailed understanding of the victim's environment and of the administrative tooling in use there, and it turns the defenders' own fleet-management channel into the delivery path for the wiper.

A Destructive Attack on Ukrainian Infrastructure

The tactics, techniques, and procedures (TTPs) observed in the attack, together with the wiper's capabilities, closely resemble earlier destructive campaigns against Ukrainian entities, which further supports the attribution to Russian-aligned threat actors.

The attack’s execution relied on a multi-stage process designed to blend in with legitimate operations.

Commands issued from the compromised administrative console were received by the endpoint clients and executed as batch (BAT) files. Their command lines partly resembled those generated by Impacket, although Talos notes this does not by itself establish that Impacket was present.

These BAT files triggered a malicious VBScript named ‘uacinstall.vbs,’ which was pushed to endpoints via the console and executed using WScript.exe.

This script, in turn, dropped and launched the PathWiper executable, disguised under the filename 'sha256sum.exe', which then carried out the wiping.

The use of filenames and actions that mimic the administrative utility's expected behavior suggests the attackers had prior knowledge of how the console operated inside the targeted enterprise, which let them blend the deployment into routine administrative activity.
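The execution chain described above (console command, BAT file, WScript.exe running uacinstall.vbs, then sha256sum.exe) is a good hunting target because each hop is visible in process-creation telemetry. The Python below is an added example, not code from the Talos report or this article: it runs two simple rules over constructed process-creation records and reconstructs the parent chain of each hit. The record layout (timestamp|host|pid|ppid|image|commandline) and the sample hosts and PIDs are assumptions made for illustration; only the filenames uacinstall.vbs and sha256sum.exe come from the report.

```python
"""Hunt for the PathWiper deployment chain in process-creation telemetry.

Added example, not code from the Talos report or this article. The event
records are constructed; the field layout is an assumption for illustration.
"""
from collections import namedtuple

Event = namedtuple("Event", "ts host pid ppid image cmdline")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
KNOWN_SCRIPT = "uacinstall.vbs"   # VBScript pushed through the admin console (from the report)
KNOWN_PAYLOAD = "sha256sum.exe"   # filename the wiper was disguised as (from the report)

# Constructed sample telemetry: ts|host|pid|ppid|image|commandline
# ws-17 carries the malicious chain; ws-22 and ws-31 are benign look-alikes.
SAMPLE_EVENTS = r"""
10:01:02|ws-17|4100|900|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Windows\Temp\deploy.bat
10:01:03|ws-17|4120|4100|C:\Windows\System32\wscript.exe|wscript.exe C:\Windows\Temp\uacinstall.vbs
10:01:05|ws-17|4150|4120|C:\Windows\Temp\sha256sum.exe|sha256sum.exe
10:02:10|ws-22|5010|880|C:\Windows\System32\wscript.exe|wscript.exe C:\scripts\inventory.vbs
10:02:11|ws-22|5020|5010|C:\Windows\System32\cmd.exe|cmd.exe /c dir
10:03:40|ws-31|6100|901|C:\Program Files\Git\usr\bin\sha256sum.exe|sha256sum.exe package.zip
"""


def parse_events(text):
    """Parse pipe-delimited records into Event tuples (PIDs as ints)."""
    events = []
    for line in text.strip().splitlines():
        ts, host, pid, ppid, image, cmdline = line.split("|", 5)
        events.append(Event(ts, host, int(pid), int(ppid), image, cmdline))
    return events


def basename(path):
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(by_key, e):
    """Walk parent links upward on the same host; stop at an unknown parent or a cycle."""
    chain, seen = [], set()
    while e is not None and (e.host, e.pid) not in seen:
        seen.add((e.host, e.pid))
        chain.append(basename(e.image))
        e = by_key.get((e.host, e.ppid))
    return chain


def hunt(events):
    """Apply two rules and return one finding per matching process."""
    by_key = {(e.host, e.pid): e for e in events}
    findings = []
    for e in events:
        img = basename(e.image)
        parent = by_key.get((e.host, e.ppid))
        parent_img = basename(parent.image) if parent else ""
        rule = None
        # Rule 1: a script host executing the script name reported by Talos.
        if img in SCRIPT_HOSTS and KNOWN_SCRIPT in e.cmdline.lower():
            rule = "script host executing " + KNOWN_SCRIPT
        # Rule 2: the disguised payload name spawned directly by a script host.
        # A genuine hashing utility is not normally launched by wscript/cscript.
        elif img == KNOWN_PAYLOAD and parent_img in SCRIPT_HOSTS:
            rule = KNOWN_PAYLOAD + " spawned by " + parent_img
        if rule:
            findings.append({"host": e.host, "pid": e.pid, "rule": rule,
                             "lineage": lineage(by_key, e)})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_EVENTS)):
        print(f["host"], f["pid"], f["rule"], " <- ".join(f["lineage"]))
```

Rule 1 is a name-based indicator and will stop working as soon as the script is renamed; rule 2 keys on the relationship (a script host launching an executable that calls itself a hashing tool) and is the one worth keeping in a detection set. Both should be joined to the admin framework's own agent process as the root of the chain once its name is known for the environment.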

PathWiper’s Wiping Routine

Once activated, PathWiper exhibits devastating capabilities aimed at rendering systems inoperable.

It first inventories all attached storage: physical drive names, volume paths, and network-shared drive locations, and it also queries registry keys to recover the paths of network drives that are no longer mapped, so that those can be targeted as well.

The malware then spawns a separate thread for each drive and volume and overwrites critical file system artifacts, such as the Master Boot Record (MBR), $MFT, $LogFile, and other NTFS structures, with randomly generated data.

Unlike earlier wipers such as HermeticWiper, which targeted Ukrainian entities in 2022 and is linked to Russia's Sandworm group, PathWiper takes a more refined approach: it programmatically identifies and verifies the drives that are actually connected, rather than blindly enumerating drive numbers.

According to the report, this precision, combined with attempts to dismount volumes with the FSCTL_DISMOUNT_VOLUME IOCTL (so that the raw overwrites are not blocked or undone by the mounted file system), shows the malware was designed for maximum disruption.

While it shares with HermeticWiper the goal of corrupting core disk structures, PathWiper's targeting of verified drives marks it as a further evolution of this family of wipers.
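The structures the article names (the MBR and the NTFS boot sector that locates $MFT) are the first thing a responder checks on an affected disk image. The Python below is an added example, not code from the Talos report or this article: it constructs a minimal disk image with a single NTFS partition, then produces a second copy in which the MBR and NTFS boot sector have been overwritten with pseudo-random bytes in the manner the article describes, and inspects both. The MBR and NTFS volume boot record field offsets are the standard on-disk layout; the image geometry, the $MFT cluster value and the entropy threshold are assumptions chosen for illustration.

```python
"""Inspect the MBR and NTFS boot sector of a raw disk image for wiper damage.

Added example, not code from the Talos report or this article. The images are
constructed in memory; offsets follow the standard MBR / NTFS VBR layout.
"""
import math
import random
import struct
from collections import Counter

SECTOR = 512
NTFS_OEM = b"NTFS    "
BOOT_SIG = b"\x55\xAA"


def build_clean_image(part_start=2048, part_sectors=4096):
    """Construct an image with one NTFS partition (assumed geometry)."""
    img = bytearray((part_start + 1) * SECTOR)        # just enough to hold the VBR
    # MBR partition entry 0 at offset 446: bootable, CHS fields zeroed, type 0x07 (NTFS)
    struct.pack_into("<BBBBBBBBII", img, 446, 0x80, 0, 0, 0, 0x07, 0, 0, 0,
                     part_start, part_sectors)
    img[510:512] = BOOT_SIG
    vbr = part_start * SECTOR
    img[vbr:vbr + 3] = b"\xEB\x52\x90"                # jump instruction
    img[vbr + 3:vbr + 11] = NTFS_OEM
    struct.pack_into("<H", img, vbr + 11, 512)        # bytes per sector
    img[vbr + 13] = 8                                 # sectors per cluster
    struct.pack_into("<Q", img, vbr + 40, part_sectors - 1)   # total sectors
    struct.pack_into("<Q", img, vbr + 48, 786432)     # $MFT start cluster (assumed value)
    struct.pack_into("<Q", img, vbr + 56, 2)          # $MFTMirr start cluster
    img[vbr + 510:vbr + 512] = BOOT_SIG
    return bytes(img)


def build_wiped_image(clean, part_start=2048, seed=7):
    """Overwrite the MBR and the VBR with random data, as the article describes.
    A seeded PRNG keeps the example reproducible; a real wiper uses fresh random bytes."""
    rng = random.Random(seed)
    img = bytearray(clean)
    for off in (0, part_start * SECTOR):
        img[off:off + SECTOR] = bytes(rng.getrandbits(8) for _ in range(SECTOR))
    return bytes(img)


def sector_entropy(block):
    """Shannon entropy in bits per byte; a boot sector is mostly zeros, random data is ~7.6."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def inspect_image(img):
    """Validate the MBR, then each NTFS partition's boot sector, returning a report."""
    mbr = img[0:SECTOR]
    report = {
        "mbr_signature_ok": mbr[510:512] == BOOT_SIG,
        "mbr_entropy": round(sector_entropy(mbr), 2),
        "partitions": [],
        "ntfs_volumes": [],
    }
    if not report["mbr_signature_ok"]:
        return report
    for i in range(4):
        off = 446 + 16 * i
        ptype = mbr[off + 4]
        lba_start, lba_size = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0:
            continue
        report["partitions"].append((ptype, lba_start, lba_size))
        vbr_off = lba_start * SECTOR
        if vbr_off + SECTOR > len(img):
            continue
        vbr = img[vbr_off:vbr_off + SECTOR]
        if vbr[3:11] != NTFS_OEM or vbr[510:512] != BOOT_SIG:
            continue                                  # not NTFS, or boot sector destroyed
        bps = struct.unpack_from("<H", vbr, 11)[0]
        spc = vbr[13]                                 # values >= 0x80 encode 2**(256-v); not handled here
        mft_lcn = struct.unpack_from("<Q", vbr, 48)[0]
        report["ntfs_volumes"].append({
            "lba_start": lba_start,
            "bytes_per_sector": bps,
            "sectors_per_cluster": spc,
            "mft_lcn": mft_lcn,
            "mft_byte_offset": vbr_off + mft_lcn * spc * bps,   # where $MFT should begin
        })
    return report


if __name__ == "__main__":
    clean = build_clean_image()
    print("clean:", inspect_image(clean))
    print("wiped:", inspect_image(build_wiped_image(clean)))
```

On a wiped image the MBR signature and the NTFS OEM ID are gone and the sector entropy jumps from near zero to close to 8 bits per byte, which is the signature of random-data overwriting rather than, say, zeroing or a ransomware-style encryption of files. The mft_byte_offset reported for the clean image is where a responder would next read the $MFT's first record ("FILE" signature) to see whether that structure was overwritten too.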

The broader implication is that wiper development against Ukrainian targets has not slowed: PathWiper is a new variant, not a reuse of an old one, and it was delivered through the victim's own management tooling.

Organizations in the region, and beyond, should treat endpoint management consoles as high-value targets: a compromised console gives an attacker the same fleet-wide reach the defenders rely on, so access to it needs strong authentication, tight administrative access controls, and monitoring of the commands and files it pushes to endpoints.

Cisco Talos’s findings serve as a critical reminder of the high-stakes cyber warfare landscape and the urgent need for vigilance against state-sponsored APT actors.

Indicators of Compromise (IOCs)

Indicator                                                          Type
7C792A2B005B240D30A6E22EF98B991744856F9AB55C74DF220F32FE0D00B6B3   File hash (SHA-256)
