The Splunk Threat Research Team is actively monitoring the emergence of new threats in the cyber domain of ongoing geopolitical events. As we have shown previously in several releases, including HermeticWiper and CaddyWiper, actors in this campaign are deploying, updating, and modifying stealthier malicious payloads. On March 17th, 2022, the Ukraine CERT discovered a new malicious payload named DoubleZero Destructor (CERT-UA #4243).

Do you feel like every other cybersecurity news story mentioned ransomware in 2021? Does it feel like you can’t turn on a cybersecurity podcast and not hear the “R” word? We feel the same way, and as a cybersecurity vendor, we felt that we should also contribute to the noise. :-) But we did want to try and do something different.

As stated in our previous threat advisory STRT-TA02 in regards to destructive software, past historical data suggests that for malicious actors to succeed in long-standing campaigns they must improve and add new ways of making their payloads stealthier, resistant, and damaging. HermeticWiper introduces some unique features, applying destructive actions on compromised hosts.

Like most of us around the world, I’ve been shocked by the current situation in Ukraine. I’m saddened by the images of families being torn apart and fleeing their homes. This brings to mind the story of my own grandmother, who had to leave her native country of Austria, with nothing more than a small bag and my infant mother in her arms.