New pathWiper Malware Strikes Critical Infrastructure with Admin Tool Deployment

A previously unseen wiper malware dubbed “PathWiper” has been detected targeting Ukrainian critical infrastructure, Cisco Talos revealed this week.

The attackers leveraged a legitimate endpoint administration framework typically used for remote IT support turning it into a devastating weapon to unleash destructive malware across the network.

This operation underscores the advanced capabilities and persistence of Russia nexus APT actors amid ongoing cyber warfare in Eastern Europe.

The attackers’ approach was both strategic and deeply invasive. By compromising the administration console of the victim organization, threat actors gained the ability to centrally dispatch malicious commands to all connected endpoints.

Commands executed via the admin tool’s console were received by client software present on target machines, which then ran the instructions as batch (BAT) files.

The deployment mechanism exhibited similarities to Impacket’s command-line operations, although no direct evidence of Impacket was found.

Key Deployment Chain:

text1. Admin console issues BAT file command to endpoint
2. BAT file executes a dropped malicious VBScript ('uacinstall.vbs'):
   C:\WINDOWS\System32\WScript.exe C:\WINDOWS\TEMP\uacinstall.vbs
3. VBScript writes and launches wiper payload ('sha256sum.exe'):
   C:\WINDOWS\TEMP\sha256sum.exe

Filenames and execution paths were deliberately crafted to mimic legitimate admin tool activity, suggesting the attackers had intimate knowledge of the software and its deployment processes.

Technical Breakdown and Comparison

Once launched, PathWiper’s destructive function kicks in with chilling efficiency. It systematically corrupts the file system and storage-related structures by overwriting them with randomly generated data effectively destroying files, metadata, and crucial system records.

Technical Workflow:

1. Reconnaissance: PathWiper enumerates all connected storage media, including:
   • Physical drives
   • Volume names and paths
   • Both network-shared and removable drives
2. Network Drive Enumeration: The wiper queries the Windows Registry (HKEY_USERS\Network\<drive_letter>| RemovePath) to identify shared network drives for targeted destruction.
3. Parallel Destruction: For every storage path located, PathWiper spawns a dedicated thread that proceeds to overwrite artifacts directly on disk.

Targeted NTFS Artifacts:

• Master Boot Record (MBR)
• $MFT (Master File Table)
• $MFTMirr (MFT Mirror)
• $LogFile
• $Boot, $Bitmap, $TxfLog, $Tops, $AttrDef

Dismount and Overwrite:

• Prior to destruction, PathWiper attempts to dismount affected volumes using the command:textFSCTL_DISMOUNT_VOLUME IOCTL (to MountPointManager)
• It then overwrites both system artifacts and standard files with random bytes, ensuring almost no chance of recovery.

Comparison with HermeticWiper:

• While both PathWiper and the infamous HermeticWiper (a Sandworm-linked tool seen in 2022) attack critical disk structures, PathWiper displays greater sophistication in drive and volume enumeration, validating and cataloging storage more accurately before destruction.
• HermeticWiper simply tries to corrupt up to 100 physical drives indiscriminately; PathWiper leverages Windows APIs and registry information for precision targeting.

Defenses and Indicators of Compromise

Detection and Prevention:
Cisco strongly recommends deploying its Secure Endpoint, Email, Firewall, and other security solutions to detect, block, and remediate PathWiper infections:

• Cisco Secure Endpoint: Blocks wiper execution
• Cisco Secure Email & Web Appliance: Prevents malicious email and site access
• Cisco Secure Firewall & Network Analytics: Monitors and alerts on suspicious network behaviors
• Duo MFA: Restricts access to only verified users

Snort Detection Rules:

• Snort 2: 64742, 64743
• Snort 3: 301174

Indicator of Compromise (SHA-256):

text7C792A2B005B240D30A6E22EF98B991744856F9AB55C74DF220F32FE0D00B6B3

The appearance of PathWiper signals a persistent and evolving threat to Ukraine’s digital backbone. Its tailored attack chain, abuse of legitimate admin tools, and destructive payload highlight the critical need for defense-in-depth strategies and continuous monitoring of all privileged access, especially in high-value environments.