• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Contact Sales
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Search
Search
  • Why Us
    • Why Cisco Umbrella
      • Why Try Umbrella
      • Why DNS Security
      • Why Umbrella SASE
      • Our Customers
      • Customer Stories
      • Why Cisco Security
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Global Cloud Network Activity
    • Unmatched Intelligence
      • A New Approach to Cybersecurity
      • Interactive Intelligence
      • Cyber Attack Prevention
      • Umbrella and Cisco Talos Threat Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco Security for Chromebook
  • Products
    • Cisco Umbrella Products
      • Cisco Umbrella Cloud Security Service
      • Recursive DNS Services
      • Cisco Umbrella SIG
      • Umbrella Investigate
      • What’s New
    • Product Packages
      • Cisco Umbrella and Cisco Secure Access Packages
      • – DNS Security Essentials Package
      • – DNS Security Advantage Package
      • – SIG Essentials Package
      • – SIG Advantage Package
      • Umbrella Support Packages
      • Cisco Umbrella for Government Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Cloud Data Loss Prevention (DLP)
      • Cloud-Delivered Firewall
      • Cloud Malware Protection
      • Remote Browser Isolation (RBI)
    • Man on a laptop with headphones on. He is attending a Cisco Umbrella Live Demo
  • Solutions
    • SASE & SSE Solutions
      • Your SSE journey with Cisco
      • Cisco Umbrella SASE
      • Secure Access Service Edge (SASE)
      • What is SASE
    • Functionality Solutions
      • Web Content Filtering
      • Secure Direct Internet Access
      • Shadow IT Discovery & App Blocking
      • Fast Incident Response
      • Unified Threat Management
      • Protect Mobile Users
      • Securing Remote and Roaming Users
      • Umbrella and Duo Layered Protection
    • Network Solutions
      • Guest Wi-Fi Security
      • SD-WAN Security
      • Off-Network Endpoint Security
    • Industry Solutions
      • Government and Public Sector Cybersecurity
      • Financial Services Security
        • – FTC Safeguards Rule Compliance 2023
      • Cybersecurity for Manufacturing
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
  • Resources
    • Content Library
      • Top Resources
      • Research Reports
      • Case Studies
      • Videos
      • Datasheets
      • eBooks
      • Solution Briefs
      • Cybersecurity Webinars
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • Security Definitions
      • What is DNS Security
      • What is a Secure Web Gateway
      • What is a Cloud Access Security Broker (CASB)
      • What is Security Service Edge (SSE)
      • What is Secure Access Service Edge (SASE)
      • Cyber Threat Categories and Definitions
    • For Customers
      • Support
      • Customer Success Webinars
      • Free Trial Quick Start Guide
      • Free Trial Help and Tips
  • Trends & Threats
    • Market Trends
      • Generative AI Cybersecurity Risks and Rewards
      • Hybrid Workforce
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
    • Security Threats
      • How to Stop Phishing Attacks
      • Malware Detection and Protection
      • Ransomware is on the Rise
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
      • Global Cyber Threat Intelligence
    •  
    • Woman connecting confidently to any device anywhere
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Person looking down at laptop. They are connecting and working securely
  • Blog
    • News & Product Posts
      • Latest Posts
      • Products & Services
      • Customer Focus
      • Feature Spotlight
    • Cybersecurity Posts
      • Security
      • Threats
      • Cybersecurity Threat Spotlight
      • Research
    •  
    • Register for a webinar - with illustration of connecting securely to the cloud
  • Contact Us
  • Umbrella Login
  • Cloudlock Login
  • Free Trial
Clearing search keywords
Cybersecurity Threat Spotlight

HermeticWiper, SDUser, and Xenomorph

Author avatar of Artsiom HolubArtsiom Holub
Updated — June 8, 2023 • 4 minute read
View blog >

This has been a busy month for cyber attackers, and the Cisco Umbrella team – in conjunction with Cisco Talos – has observed several new threats for users to be aware of.

In this month’s edition of the Cybersecurity Threat Spotlight, we discuss a wiper making its way through Ukraine, a dropper targeting India and China, and a newly discovered Trojan targeting EU banks.

Want to see Cisco Umbrella in action? Sign up for a free trial today!


HermeticWiper

Threat Type: Wiper

Attack Chain:

Graphic showing the attack chain for HermeticWiper. The attack chain proceeds as follows: stolen credentials, network access, direct wiper deployment, data destruction. The graphic indicates that Cisco Secure protects users from stolen credentials and data destruction.

Description: HermeticWiper is a data destructing malware observed in attacks targeting Ukraine. This wiper comes as a small executable with a valid digital signature issued to “Hermetica Digital Ltd.” The malware leverages embedded resources to interact with storage devices present on infected systems. The applicable embedded driver is extracted, loaded into the wiper’s process memory space, decompressed, and written to the disk before the wipe process. The wiper disables the generation of crash dumps and corrupts the first 512 bytes to destroy the MBR of physical drives. For partitions, it disables the Volume Shadow Copy Service and uses different destructive mechanisms on the partitions depending on whether they’re FAT type or NTFS type. The wiper also attempts to corrupt housekeeping files. During the final stage, HermeticWiper waits for all sleeping threads to complete and initiates a reboot to ensure the success of the wiping activity.

HermeticWiper Spotlight: Cisco Talos has become aware of a series of wiper attacks going on inside Ukraine. One of the wipers used in these attacks has been dubbed “HermeticWiper.” Deployment of this destructive malware began on February 23, 2022. The malware has two components designed for destruction: one targeting the Master Boot Record (MBR) and another targeting partitions.

Target Geolocations: Ukraine
Target Data: Physical Drivers, Partitions
Target Businesses: Government Sector
Exploits: N/A

Mitre ATT&CK for HermeticWiper

Initial Access:
Valid Accounts

Discovery:
System Information Discovery
File and Directory Discovery

Persistence:
Create or Modify System Process: Windows Service

Execution:
Native API

Evasion:
Modify Registry

Impact:
Disk Wipe: Disk Structure Wipe
Inhibit System Recovery
Service Stop
System Shutdown/Reboot

Privilege Escalation:
Access Token Manipulation

IOCs1

Hashes:
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767

Additional Information
Threat Advisory: Hermetic Wiper

Which Cisco Secure Products Can Block
Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella


SDUser

Threat Type: Dropper

Attack Chain:

A graphic showing the attack chain of SDUser, which is as follows: malspam to download weaponized document to malicious macros to SDUser payload to follow-up malware. The graphic indicates that Cisco Secure products protect users from downloading weaponized documents and follow-up malware.

Description: SDUser is a VBA-based dropper that is used by Advanced Persistent Threat (APT) groups. The functionality of the payload includes command and control protocol, anti-sandboxing techniques, and a reverse shell mechanism.

SDUser Spotlight: In June 2021, Cisco Talos researchers discovered a malicious Excel spreadsheet that attempted to drop a previously unknown RAT. A month later, they discovered another closely related spreadsheet. These samples were internally referred to as “SDUser” sampled due to the specific PDB string left in the binary payload.

More recent analysis shows similar code being used by two different APT groups: Transparent Tribe, which targets organizations in India, and Donut, which targets organizations in Pakistan and China. These two different threat actors may use code from the same source in their attacks, which means that their attacks would display similarities despite being conducted by different groups. Code reuse, adopting techniques from successful attacks, and deliberate integration of evidence designed to fool analysts can disguise the true perpetrator and lead to these attacks being attributed to different groups.

Target Geolocations: Pakistan, China
Target Data: User Credentials, Browser Data, Sensitive Information
Target Businesses: Any
Exploits: N/A

Mitre ATT&CK for SDUser

Initial Access:
Phishing: Spearphishing Attachment

Discovery:
Peripheral Device Discovery
Query Registry

Execution:
Command and Scripting Interpreter

Evasion:
Obfuscated Files or Information
Virtualization/Sandbox Evasion: System Checks

Command and Control:
Application Layer Protocol
Web Service

IOCs1

Domains:
microsoft-updates[.]servehttp[.]com
microsoft-patches[.]servehttp[.]com
microsoft-docs[.]myftp[.]org

IPs:
45.153.240[.]66
46.30.188[.]222

Additional Information:
What’s with the shared VBA code between Transparent Tribe and other threat actors?

Which Cisco Secure Products Can Block:
Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance


Xenomorph

Threat Type: Mobile Trojan

Attack Chain:

A graphic showing the attack chain of Xenomorph, which is as follows: Trojanized app to data logging to data exfiltration. The graphic indicates that Cisco Secure products protect against data exfiltration.

Description: Xenomorph is an Android Banking Trojan. It is capable of stealing credentials via overlay attack, and it uses SMS and notification interception to log and use potential 2FA tokens. Stolen data is sent to the C2 for further exploitation.

Xenomorph Spotlight: Xenomorph was initially discovered in February 2022. It is distributed through the official Google Play Store. It targets users of 56 different European banks and cryptocurrency wallets. Capabilities include – but are not limited to – stealing credentials, SMS and notification interception, excessive logging, and data exfiltration. The core engine is designed as a modular system and still appears to be in the development stage. Malware heavily relies on the overlay attack mechanism to steal personally identifiable information (PII) and other sensitive data. Collected data is exfiltrated to an attacker-controlled server using the open-source project RetroFit2.

Target Geolocations: EU
Target Data: User Credentials, Browser Data, Sensitive Information
Target Businesses: Any
Exploits: N/A

Mitre ATT&CK for Xenomorph

Initial Access:
Deliver Malicious App via Authorized App Store

Execution:
Native Code

Evasion:
Masquerading as Legitimate Application

Credential Access:
Capture SMS Messages
Input Capture

Command and Control:
Standard Application Layer Protocol

Exfiltration:
Data Encryption
Standard Application Layer Protocol

IOCs1

Domains:
simpleyo5[.]tk   
simpleyo5[.]cf   
art12sec[.]ga    
kart12sec[.]gq   
homeandofficedeal[.]com

Additional Information:
Xenomorph: A newly hatched Banking Trojan

Which Cisco Secure Products Can Block
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance

Start a free trial today

Block more threats, speed incident response, and improve internet performance.

Get your free trial

1 Additional IOCs can be found in the associated Talos Blog articles

Additional Resources

  • Signup for a free trial
  • On-demand Webinars: Threat Spotlight Series

Suggested Blogs

  • September’s Threats: MuddyWater, Manjusaka, and SocGholish September 20, 2022 5 minute read
  • CrimsonRat, AvosLocker & MaliBot July 28, 2022 5 minute read
  • BlackCat Ransomware, ZingoStealer & BumbleBee Loader May 24, 2022 5 minute read

Share this blog

FacebookTweetLinkedIn
Subscribe to the Cisco Umbrella blog Subscribe

Follow Us

Facebook X LinkedIn Youtube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Global Cloud Architecture
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Umbrella
  • Cisco Umbrella Blog

Learn more

  • Webinars
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2025 Cisco Umbrella