PathWiper: A New Data Wiper Malware Targeting Ukrainian Critical Infrastructure

A previously unseen data wiper malware named PathWiper has been deployed against a Ukrainian critical infrastructure entity. According to Cisco Talos, the attack was executed via a legitimate endpoint administration framework, suggesting the attackers had access to the administrative console to deploy malicious commands.

How PathWiper Works

  1. Initial Access: Attackers used an administrative console to push a malicious BAT file.
  2. Execution: The BAT file ran a VBScript (uacinstall.vbs) from the Windows TEMP folder.
  3. Payload Deployment: The VBScript dropped the wiper binary (sha256sum.exe) and executed it.
  4. Data Destruction:
     • Overwrites the MBR and NTFS metadata ($MFT, $LogFile, $Boot, etc.) with random bytes.
     • Targets physical drives, volumes, and network shares.
     • Attempts to dismount volumes to prevent recovery.

You Should Know: Detection & Mitigation

Detecting PathWiper Activity

  • Monitor for suspicious BAT/VBS execution (process-creation events, event ID 4688, carry the script path only if "Include command line in process creation events" is enabled; the wildcards are required because -like matches the whole string):
    Get-WinEvent -LogName "Security" -FilterXPath "*[System[EventID=4688]]" | Where-Object { $_.Message -like "*uacinstall.vbs*" }
    
  • Check for unusual processes:
    tasklist /v | findstr /i "sha256sum.exe"
    
  • Audit administrative tool usage (replace the placeholder with the process name of your endpoint administration framework):
    Get-WinEvent -LogName "Security" -FilterXPath "*[System[EventID=4688]]" | Where-Object { $_.Message -like "*endpoint admin tool*" }
    

Mitigation Steps

  • Block obfuscated script execution (this GUID is the Attack Surface Reduction rule "Block execution of potentially obfuscated scripts"; it limits what a pushed BAT/VBS chain can run, but does not by itself restrict access to the admin console):
    Set-MpPreference -AttackSurfaceReductionRules_Ids "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC" -AttackSurfaceReductionRules_Actions Enabled
    
  • Enable Controlled Folder Access (Windows):
    Set-MpPreference -EnableControlledFolderAccess Enabled
    
  • Linux-based detection (if Windows logs are forwarded to a syslog/SIEM host):
    grep -ri "uacinstall\.vbs" /var/log/
    
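As an added example (not code from the Talos report or from this page), the following Python detector covers the forwarded-log case above: it correlates process-creation events (Security 4688 / Sysmon EID 1, exported as JSON lines) by parent PID to score the BAT -> uacinstall.vbs -> sha256sum.exe chain, so a lone sha256sum.exe (the copy that ships with Git for Windows) is only a low-severity hit. The field names and sample events are constructed.

```python
"""Chain detection for the PathWiper delivery pattern described on this page:
cmd.exe (BAT) -> wscript/cscript running uacinstall.vbs from TEMP -> sha256sum.exe.
Input: process-creation events (Security 4688 / Sysmon EID 1) exported as JSON lines."""
import json
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
VBS_IN_TEMP = re.compile(r"\\temp\\\S*uacinstall\.vbs", re.IGNORECASE)
WIPER_NAME = "sha256sum.exe"

# Constructed sample export (not real telemetry). WS02 shows the benign sha256sum.exe
# that ships with Git for Windows, to illustrate why the file name alone is weak.
SAMPLE_EVENTS = r"""
{"host":"WS01","pid":4100,"ppid":900,"image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c C:\\Windows\\Temp\\deploy.bat"}
{"host":"WS01","pid":4120,"ppid":4100,"image":"C:\\Windows\\System32\\wscript.exe","cmdline":"wscript.exe C:\\Windows\\TEMP\\uacinstall.vbs"}
{"host":"WS01","pid":4150,"ppid":4120,"image":"C:\\Windows\\TEMP\\sha256sum.exe","cmdline":"sha256sum.exe"}
{"host":"WS02","pid":5000,"ppid":800,"image":"C:\\Program Files\\Git\\usr\\bin\\sha256sum.exe","cmdline":"sha256sum.exe release.zip"}
"""


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect_pathwiper_chain(events):
    """Return (host, pid, severity, reason) tuples. Severity rises with how much
    of the delivery chain is visible through the parent/child (ppid) relationship."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get((e["host"], e["ppid"]))
        parent_name = basename(parent["image"]) if parent else ""
        if name in SCRIPT_HOSTS and VBS_IN_TEMP.search(e["cmdline"]):
            sev = "high" if parent_name == "cmd.exe" else "medium"
            findings.append((e["host"], e["pid"], sev, "uacinstall.vbs launched from TEMP"))
        elif name == WIPER_NAME:
            if parent_name in SCRIPT_HOSTS:
                findings.append((e["host"], e["pid"], "critical", "sha256sum.exe spawned by script host"))
            elif "\\temp\\" in e["image"].lower():
                findings.append((e["host"], e["pid"], "high", "sha256sum.exe running from TEMP"))
            else:
                findings.append((e["host"], e["pid"], "low", "sha256sum.exe by name only"))
    return findings


if __name__ == "__main__":
    for finding in detect_pathwiper_chain(parse_events(SAMPLE_EVENTS)):
        print(*finding)
```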

Comparison with HermeticWiper

| Feature | PathWiper | HermeticWiper (Sandworm) |
|---|---|---|
| MBR Corruption | Yes | Yes |
| NTFS Targeting | $MFT, $LogFile, $Boot | Similar but different methods |
| Deployment | Admin framework abuse | Legitimate software backdoor |

What Undercode Say

PathWiper demonstrates continued Russian APT aggression against Ukraine. Defenders must:
– Monitor batch/VBS execution in critical systems.
– Segment networks to limit lateral movement.
– Backup air-gapped critical data regularly.
– Use YARA rules for detection (this rule matches the dropper/wiper file names as strings inside scanned files or memory):

    rule PathWiper {
        strings:
            $wiper = "sha256sum.exe" nocase
            $vbs = "uacinstall.vbs" nocase
        condition:
            any of them
    }

Expected Output

  • Detection alerts for `sha256sum.exe` or `uacinstall.vbs`.
  • Log entries showing unauthorized admin tool usage.
  • Failed volume mounts indicating wiper activity.

Prediction

Russian-linked APTs will refine wipers to evade detection, possibly leveraging AI-driven obfuscation in future attacks.

Relevant URL: Cisco Talos Report on PathWiper

Reported By: Luther Chip – Hackers Feeds