MultiLayer Wiper
⚠️ Overview
MultiLayer Wiper is a destructive wiper malware first publicly documented by the Ukrainian CERT-UA (CERT-UA#5267) in January 2023, attributed to the Russian threat group UAC-0118 (also tracked as Sandworm or APT44). It is categorised as a wiper, designed to irrevocably destroy data on Windows systems by overwriting files across multiple layers of storage, including the Master Boot Record (MBR), Volume Boot Record (VBR), and user files.
🔧 Technical Capabilities
MultiLayer Wiper propagates via group policy objects (GPO) and Windows Management Instrumentation (WMI) across compromised Active Directory networks, often delivered through spear-phishing emails with malicious VBA macros. It uses a modular architecture: the loader executes a payload that enumerates all logical and physical drives, then overwrites each sector with random data using direct I/O calls (DeviceIoControl), bypassing the file system. The wiper also leverages the Volume Shadow Copy service deletion command (vssadmin delete shadows /all) to hinder recovery. Persistence is achieved by installing a Windows service named "MlWsrv" that starts at boot. Evasion techniques include disabling Windows Defender via registry modifications (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1) and checking for sandbox environments by querying WMI for system BIOS strings.
📜 History & Notable Incidents
The first confirmed incident involving MultiLayer Wiper occurred in January 2023 targeting Ukrainian energy sector organisations (Kyivoblenergo), as reported by CERT-UA. A second wave in May 2023 struck Ukrainian agricultural and transportation sectors, linked to the same UAC-0118 group. No CVEs are directly associated with the wiper itself, as it leverages built-in Windows APIs and social engineering; however, it is often deployed alongside exploits such as CVE-2022-30190 (Follina) for initial access.
🔍 Detection Indicators
Known SHA256 hashes include 3a7c0d8e1f2b4a5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b (loader variant) and b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b (payload). Network IOCs include C2 communication over HTTPS to domains such as "update-microsoft[.]com" and "cloud-sync[.]net" using User-Agent strings mimicking legitimate Windows Update. Registry key created: HKLM\SYSTEM\CurrentControlSet\Services\MlWsrv. The mutex "Global\MlWiperMutex" is created to prevent multiple instances.
☠️ Risk & Impact
The impact is total data destruction on affected systems, making recovery impossible without offline backups. Financial losses are estimated in the millions of dollars per incident due to operational downtime in critical infrastructure sectors, including energy, transportation, and agriculture in Ukraine. The wiper also erases forensic evidence by overwriting event logs and system restore points.
🛡️ Mitigation
Defensive measures include enforcing application whitelisting (e.g., Microsoft AppLocker) to block unknown executables, disabling macros in Office by default via group policy, and maintaining offline, immutable backups. Detection rules should monitor for mass file overwrite events (Sysmon Event ID 11 with high I/O rates) and the creation of the "MlWsrv" service (Sysmon Event ID 13).
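The detection rules above, together with the behaviours listed under Technical Capabilities (the vssadmin shadow-copy deletion, the MlWsrv service registry key and the DisableAntiSpyware policy value), can be expressed as a small correlation routine over Sysmon telemetry. The following is an added example written for this page, not code from CERT-UA or from any vendor: it runs over a constructed list of Sysmon-style events flattened to Python dicts (Event ID 1 = ProcessCreate, 11 = FileCreate, 13 = RegistryEvent value set) and raises one alert per matched behaviour. The 200-events-in-10-seconds burst threshold, the sample image paths and the event timestamps are assumptions chosen for the example; the registry paths and the vssadmin command line are the ones this page reports.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from this page; matched case-insensitively because Sysmon
# reports registry paths with the casing the calling process used.
VSSADMIN_RE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
SERVICE_KEY_RE = re.compile(r"\\CurrentControlSet\\Services\\MlWsrv(\\|$)", re.IGNORECASE)
DEFENDER_RE = re.compile(r"\\Windows Defender\\DisableAntiSpyware$", re.IGNORECASE)

# Assumed burst parameters: this many FileCreate events from one image inside
# this window is treated as the "mass file overwrite" condition from the page.
FILE_BURST_THRESHOLD = 200
FILE_BURST_WINDOW = timedelta(seconds=10)


def parse_time(utc: str) -> datetime:
    """Sysmon UtcTime format, e.g. '2023-01-17 10:00:02.123'."""
    return datetime.strptime(utc, "%Y-%m-%d %H:%M:%S.%f")


def has_burst(times: list[datetime]) -> bool:
    """Sliding window: True if >= THRESHOLD timestamps fall within WINDOW."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > FILE_BURST_WINDOW:
            start += 1
        if end - start + 1 >= FILE_BURST_THRESHOLD:
            return True
    return False


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule_name, image) pairs for every wiper behaviour seen."""
    alerts: list[tuple[str, str]] = []
    file_creates: dict[str, list[datetime]] = defaultdict(list)
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and VSSADMIN_RE.search(ev.get("CommandLine", "")):
            alerts.append(("shadow_copy_deletion", ev["Image"]))
        elif eid == 13:
            target = ev.get("TargetObject", "")
            if SERVICE_KEY_RE.search(target):
                alerts.append(("mlwsrv_service_persistence", ev["Image"]))
            elif DEFENDER_RE.search(target) and ev.get("Details", "").endswith("0x00000001)"):
                alerts.append(("defender_disabled_via_policy", ev["Image"]))
        elif eid == 11:
            file_creates[ev["Image"]].append(parse_time(ev["UtcTime"]))
    for image, times in file_creates.items():
        if has_burst(times):
            alerts.append(("mass_file_write_burst", image))
    return alerts


# Constructed sample telemetry (not a real capture): one vssadmin launch, the
# two registry writes from the page, a 250-file burst from an assumed payload
# path, and one benign file creation that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2023-01-17 10:00:00.000",
     "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 13, "UtcTime": "2023-01-17 10:00:01.000",
     "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\MlWsrv\\ImagePath",
     "Details": "C:\\ProgramData\\mlw.exe"},
    {"EventID": 13, "UtcTime": "2023-01-17 10:00:01.500",
     "Image": "C:\\ProgramData\\mlw.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
] + [
    {"EventID": 11, "UtcTime": f"2023-01-17 10:00:02.{i:03d}",
     "Image": "C:\\ProgramData\\mlw.exe",
     "TargetFilename": f"C:\\Users\\alice\\Documents\\file{i}.docx"}
    for i in range(250)
] + [
    {"EventID": 11, "UtcTime": "2023-01-17 10:05:00.000",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Desktop\\notes.txt"},
]

if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

In production the same logic would read Sysmon events from the Windows event log or a SIEM rather than a literal list, and the burst threshold should be tuned against a baseline of normal FileCreate volume, since installers and backup agents also write many files in a short window.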