A sophisticated cyber attack campaign has emerged targeting Ukraine’s critical infrastructure, utilizing a previously unknown destructive malware variant that researchers have designated “PathWiper.”
This latest threat represents a significant escalation in the ongoing cyber warfare landscape, demonstrating advanced capabilities designed to cause maximum disruption to essential services and systems across the embattled nation.
The malware campaign exploits legitimate endpoint administration frameworks to gain initial access and deploy its destructive payload across connected systems within targeted organizations.
Unlike conventional malware that seeks to maintain persistence or steal data, PathWiper functions as a wiper – a particularly destructive class of malware designed to permanently destroy data and render systems inoperable by overwriting critical file system components with randomized data.
Cisco Talos analysts identified this destructive attack during their investigation of a compromised critical infrastructure entity within Ukraine, attributing the campaign to a Russia-nexus advanced persistent threat actor with high confidence.
The attribution assessment relies on overlapping tactics, techniques, and procedures observed in previous destructive campaigns targeting Ukrainian entities, as well as similarities in wiper capabilities previously deployed against the country’s infrastructure.
The continued emergence of sophisticated wiper variants like PathWiper underscores the persistent and evolving threat landscape facing Ukraine’s critical infrastructure, even as the conflict with Russia extends into its fourth year.
This latest discovery highlights how threat actors continue refining their destructive capabilities, adapting their methodologies to maximize impact against essential services that civilian populations depend upon.
Infection Mechanism and Deployment Strategy
PathWiper’s deployment methodology reveals a carefully orchestrated attack chain that leverages compromised administrative access to maximize distribution efficiency across target networks.
The initial compromise appears to center on gaining unauthorized access to legitimate endpoint administration consoles, which threat actors then exploit to issue malicious commands across all connected endpoints within the victim environment.
The attack progression begins when compromised administrative tools execute batch files containing VBScript commands designed to mimic legitimate administrative operations.
Specifically, the malicious command C:WINDOWSSystem32WScript.exe C:WINDOWSTEMPuacinstall.vbs initiates the deployment sequence, followed by the execution of the PathWiper executable disguised as C:WINDOWSTEMPsha256sum.exe.
This naming convention deliberately mimics common system utilities, suggesting the attackers possessed detailed knowledge of the target environment’s administrative processes and standard operational procedures.
The malware’s sophisticated approach to file system destruction involves programmatically identifying all connected storage media, including physical drives, network shares, and removable devices before launching parallel threads to maximize destruction efficiency.
PathWiper specifically targets critical NTFS file system artifacts including the Master Boot Record, Master File Table, and various system logs, ensuring comprehensive data destruction that renders affected systems completely inoperable.
Speed up and enrich threat investigations with Threat Intelligence Lookup! -> 50 trial search requests
Source: cybersecuritynews.com
