Attacks with the nascent PathWiper malware have been deployed by a Russian advanced persistent threat operation against Ukrainian critical infrastructure organizations, The Register reports.
Despite sharing master boot record and NTFS artifact corruption capabilities similar to those of the Hermetic malware leveraged in Sandworm intrusions against Ukraine three years ago, PathWiper has been updated to identify all connected system drives and volumes, as well as to take over endpoint admin systems of targeted critical infrastructure entities, indicating increased sophistication, according to a Cisco Talos analysis. "Before overwriting the contents of the artifacts, the wiper also attempts to dismount volumes using the 'FSCTL_DISMOUNT_VOLUME IOCTL' to the MountPointManager device object. PathWiper also destroys files on disk by overwriting them with randomized bytes," said Cisco Talos researchers. The development comes after Russian state-backed actors were reported to have targeted Ukraine with the WhisperKill/WhisperGate, IsaacWiper, DoubleZero, CaddyWiper, and AcidRain wipers since Russia began its invasion three years ago.