OVERVIEW
The WhisperGate malware variant was first identified by the MSTIC (Microsoft Threat Intelligence center) on January 13, 2022 and has attributed to the nation-state threat group given the name “DEV-0586” (temporary name given by MS until origin/identity is received). The variant has been observed as a Wiper, disguised as ransomware – similar to the NotPetya attack in 2017. Seen in both variants, a ransom demand is displayed upon boot but is deceptive, as the malware wipes data files rather than encrypting them like typical ransomware does. Techniques include overwriting of Master Boot Records and malware being pulled and executed in memory to corrupt files in targeted directories and file extensions. The intent is destruction rather than using the data as leverage.
TARGETING
WhisperGate, as of January 2022, has been observed being used by one or more actors in an active campaign targeting Ukrainian government and related organizations.
DELIVERY
WhisperGate’s method of delivery has not been confirmed as of January 2022, but it is suspected to be an exploit of a public service. Stage 1 and Stage 2 have been observed to be delivered in separate binaries – while Stage 3 has been observed to be downloaded via the Stage 2 downloader, and from an APT hosted discord server.
INSTALLATION
WhisperGate has been observed containing three stages. The first stage contains the overwriting of the Master Boot records of the victim’s machine. This cripples the computer after reboot or shutdown/startup. The second stage is the execution of a downloader, which creates an HTTP connection to a malicious Discord content delivery network and then pulls the Stage 3 malware (which is then subsequently executed in memory). The stage 3 malware then combs through the computer for specific directories and file extensions, and corrupts them by overwriting the contents of the files.
PERSISTENCE
Persistence is achieved through the observed overwriting of the Master Boot Record during the variant’s first stage.
Threat Update – 25 Jan 2022
Cyborg Security has published additional hunt packages, as well as updated a
hunt package already available in the Hunter platform, as a result of additional
analysis and research of the WhisperGate attack. These new packages work to
identify techniques employed by WhisperGate specifically, as well as broader
techniques employed by multiple malware variants. Each of the packages help to
identify a portion of the attack chain observed by the stage 2 and stage 3 binaries
utilized in the WhisperGate attack against the Ukrainian government in January 2022.
Threat Update – 18 Jan 2022
Threat Summary
The WhisperGate malware variant was first identified by the MSTIC (Microsoft Threat Intelligence center) on January 13, 2022 and has attributed to the nation-state threat group given the name \”DEV-0586\” (temporary name given by MS until origin/identity is received).
This threat group has been observed conducting operations on Ukrainian government and organizations, during the geopolitical tensions between Ukraine and Russia. Specific Intent and targets was not identified in the MSTIC article but due to the political climate, systems within or associated to Ukraine should be prepared accordingly – as of today, there has been dozens of impacted systems identified and potentially growing that fall under that umbrella.
The variant has been observed as a Wiper, disguised as ransomware – similar to the NotPetya attack in 2017. Seen in both variants, a ransom demand is displayed upon boot but is deceptive, as the malware wipes data files rather than encrypting them like typical ransomware does. The intent is destruction rather than using the data as leverage. Although currently targeting Ukraine, the potentiality of this malware or a modified version of it or its techniques being utilized by another threat group is possible.
Threat Synopsis
The WhisperGate malware variant was discovered targeting Ukraine government and organizations in early January by the MSTIC, and identified as a form of Wiper malware that is masquerading as ransomware. With that being said, although the variant is designed to be ransomware, there is no intention of allowing the recovery of the data that is affected. This reveals that the intent of the actor is seeking damage, rather than leverage with infections.
The malware has been observed to have two stages, the first is the overwriting of the Master Boot Records – this is where the fake ransom note is revealed as well to the victim. Due to the Master Boot Record being corrupted/overwritten, the recovery of the system if the user decides to potentially reboot or shutdown/startup. The MSTIC report mentions that the ransom note is unusual in the way it is crafted as well, with the irregularities including the same explicit payment amounts and wallet addresses being specified for each note and the absence of a custom ID that a victim is usually told to reference in communications.
The second stage that has been observed is the execution of a downloader (identified as Stage2.exe), that pulls the next stage malware and executes in memory. The malware then sprawls and corrupts files in specified directories on the system with specific file extensions (the specific extensions can be found in the MSTIC report). The corruption entails the overwriting of the contents of the file and renaming them with a random extension.