A new data wiper malware named ‘PathWiper’ is being used in targeted attacks against critical infrastructure in Ukraine, aimed at disrupting operations in the country.

The payload was deployed through a legitimate endpoint administration tool, indicating that attackers had achieved administrative access to the system through a prior compromise.

Cisco Talos researchers who discovered the attack attributed it with high confidence to a Russia-linked advanced persistent threat (APT).

The researchers compare PathWiper to HermeticWiper, previously deployed in Ukraine by the ‘Sandworm’ threat group, which had similar functionality.

Hence, PathWiper may be an evolution of HermeticWiper, used in attacks by the same or overlapping threat clusters.

PathWiper’s destructive capabilities

PathWiper executes on target systems via a Windows batch file that launches a malicious VBScript (uacinstall.vbs), that in turn drops and executes the primary payload (sha256sum.exe) [VirusTotal].

The execution mimics the behavior and names associated with a legitimate admin tool to evade detection.

Instead of simply enumerating physical drives like HermeticWiper, PathWiper programmatically identifies all connected drives (local, network, dismounted) on the system.

Next, it abuses Windows APIs to dismount volumes to prepare them for corruption and then creates threads for each volume to overwrite critical NTFS structures.

Among the targeted system files in the root directory of the NTFS are:

• MBR (Master Boot Record): The first sector of a physical disk holding the bootloader and partition table.
• $MFT (Master File Table): Core NTFS system file that catalogs all files and directories, including their metadata and locations on the disk.
• $LogFile: Journal is used for NTFS transaction logging, tracking file changes, and helping with integrity checking and recovery.
• $Boot: File containing boot sector and filesystem layout information.

PathWiper overwrites the above and another five critical NTFS files with random bytes, rendering impacted systems completely inoperable.

The observed attacks do not involve extortion or any form of financial demands, so their sole aim is destruction and operational disruption.

Cisco Talos published file hashes and snort rules to help detect the threat and stop it before it corrupts the drives.

Data wipers have become a powerful tool in attacks on Ukraine since the war began, with Russian threat actors commonly using them to disrupt critical operations in the country.

This includes wipers named DoubleZero, CaddyWiper, HermeticWiper, IsaacWiper, WhisperKill, WhisperGate, and AcidRain.