PathWiper Malware
A new strain of destructive malware, dubbed PathWiper, has been identified in targeted cyberattacks aimed at critical infrastructure in Ukraine. Its primary objective is clear: to disrupt and cripple operational capabilities within the country.
Stealthy Deployment via Legitimate Tools
Attackers deployed the PathWiper payload using a legitimate endpoint administration tool. This method of delivery suggests that the threat actors had already achieved administrative access to the targeted systems through a prior compromise, highlighting the sophistication and planning behind the attack.
Attribution: A Familiar Adversary Returns
Cybersecurity researchers investigating the incident have attributed the attack with high confidence to a Russia-linked advanced persistent threat (APT). The tactics, techniques, and procedures (TTPs) observed closely resemble those of Sandworm, a known threat group previously responsible for deploying HermeticWiper in Ukraine.
PathWiper: A Likely Successor to HermeticWiper
PathWiper shares significant similarities with HermeticWiper, suggesting that it may be an evolution of that earlier malware. Both aim to inflict maximum damage by corrupting critical system data, and the overlap in behavior implies the involvement of the same or closely related threat clusters.
A Multi-Stage Attack Chain
The malware executes through a multi-stage process:
- A Windows batch file triggers a malicious VBScript (uacinstall.vbs).
- The script drops and executes the core payload (sha256sum.exe), disguised to resemble a legitimate administrative tool to evade detection.
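As an added example that is not part of the original report or any vendor's tooling, the Python below shows how a defender could hunt for the two-stage delivery chain described above in process-creation telemetry. It assumes events such as Sysmon Event ID 1 have already been parsed into dicts with parent_image, image and command_line keys; the sample events and rule names are constructed for illustration.

```python
import re

# Added example, not part of the original report or any vendor tooling.
# Assumes process-creation events (e.g. Sysmon Event ID 1) already parsed
# into dicts with parent_image / image / command_line keys.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(temp|appdata|public|users\\[^\\]+\\downloads)\\")

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the rule names that fire for one process-creation event."""
    parent = basename(event["parent_image"])
    image = basename(event["image"])
    cmd = event["command_line"].lower()
    hits = []
    # Stage 1: a batch file (cmd.exe) launching the dropper script by name
    if parent == "cmd.exe" and image in SCRIPT_HOSTS and "uacinstall.vbs" in cmd:
        hits.append("stage1_batch_runs_uacinstall_vbs")
    # Stage 2: the script host spawning a payload named like a legitimate tool
    if parent in SCRIPT_HOSTS and image == "sha256sum.exe":
        hits.append("stage2_script_host_spawns_sha256sum_exe")
    # Weak signal: the tool-named binary executing from a user-writable path
    if image == "sha256sum.exe" and USER_WRITABLE.search(event["image"].lower()):
        hits.append("sha256sum_exe_in_user_writable_dir")
    return hits

def hunt(events):
    """Map event id -> fired rules for every event matching at least one rule."""
    findings = {}
    for event in events:
        hits = classify(event)
        if hits:
            findings[event["id"]] = hits
    return findings

# Constructed sample telemetry (not from the real incident).
SAMPLE_EVENTS = [
    {"id": 2, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"wscript.exe C:\Users\Public\uacinstall.vbs"},
    {"id": 3, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\Public\sha256sum.exe", "command_line": "sha256sum.exe"},
    {"id": 4, "parent_image": r"C:\Program Files\Git\git-bash.exe",  # benign: real utility
     "image": r"C:\Program Files\Git\usr\bin\sha256sum.exe",
     "command_line": "sha256sum.exe image.iso"},
]
```

Running hunt(SAMPLE_EVENTS) flags events 2 and 3 and leaves the genuine Git sha256sum.exe alone; in production the stage rules should be correlated on parent process GUID and time window rather than evaluated per event.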
Advanced Drive Enumeration and Volume Sabotage
Unlike HermeticWiper, which focused on enumerating physical drives, PathWiper goes a step further by programmatically identifying all connected drives, including local, network, and dismounted volumes. It then leverages Windows APIs to dismount these volumes in preparation for sabotage.
The malware spawns threads for each volume to overwrite essential NTFS structures, effectively rendering systems inoperable.
Targeted Destruction of Core System Files
Among the system components PathWiper corrupts are:
- MBR (Master Boot Record): Contains the bootloader and the partition table.
- $MFT (Master File Table): Maintains the index of all files and directories.
- $LogFile: Tracks changes for integrity and recovery.
- $Boot: Stores the boot sector and filesystem metadata.
Additionally, five other critical NTFS metadata files are overwritten with random bytes, further ensuring that the affected systems cannot be recovered.
No Ransom, No Demands - Only Destruction
Notably, the attacks involving PathWiper do not include any form of extortion or ransom demand. This absence confirms the primary objective: total disruption of operations, rather than financial gain.
Wipers: A Recurring Tool in Hybrid Warfare
Since the onset of the war in Ukraine, data wipers have become a hallmark of Russian cyber operations. These tools have been deployed in multiple campaigns with devastating effect. Other notable wipers observed in detected attack campaigns include CaddyWiper, HermeticWiper, IsaacWiper, and AcidRain, among others.
Each of these has played a role in a broader strategy of destabilizing Ukrainian infrastructure through cyberwarfare.
Conclusion: PathWiper Marks a Dangerous Evolution
PathWiper exemplifies the ongoing escalation in destructive cyber tools used against Ukraine. With advanced evasion techniques, deep system-level sabotage, and attribution pointing to known Russian APTs, it represents a significant threat in the landscape of modern cyber conflict.