WhisperGate Wiper Malware Far More Dangerous Than Previous Malware

Earlier this month, WhisperGate wiper malware was employed to strike Ukrainian government websites.

Cybersecurity researchers with Cisco Talos have examined the WhisperGate wiper malware employed to strike Ukrainian government websites, noting similarities between the ‘WhisperGate’ and the previously seen NotPetya wiper.

According to researchers, WhisperGate has more capabilities ‘designed to inflict additional damage’ using multiple wipers to successfully target multiple modern systems. 

The first wiper attempts to eradicate the master boot record (MBR) and to block any recovery options. "Similar to the notorious NotPetya wiper that masqueraded as ransomware during its 2017 campaign, WhisperGate is not intended to be an actual ransom attempt, since the MBR is completely overwritten," the researchers explained.

However, with many modern systems now shifting to GUID Partition Tables (GPTs), this executable may not be as effective, so the malware authors have included an additional wiper in the attack chain.

The second stage of the infection chain is a downloader that retrieves the third stage from a Discord server URL hard-coded in the downloader. The downloader starts by executing a base64-encoded PowerShell command twice to make the endpoint sleep for 20 seconds.

The recovered file is a DLL that serves as the third stage of the infection chain. After recovering it, the downloader loads the third-stage DLL and enumerates its public methods, searching for one named "Ylfwdwgmpilzyaph". If the method is found, the downloader executes it by calling ".Invoke(null, null)", transferring control to the third-stage DLL.

"The fourth-stage wiper payload is probably a contingency plan if the first-stage wiper fails to clear the endpoint," Cisco Talos says. 

In the fourth stage, the wiper seeks out fixed and remote logical drives to target. It then enumerates them and wipes files located outside the "%HOMEDRIVE%\Windows" directory. Files with one of 192 extensions, including .HTML, .PPT, .JPG, .RAR, .SQL, and .KEY, are destroyed.

"The wiper will overwrite the content of each file with 1MB worth of 0xCC bytes and rename them by appending each filename with a random four-byte extension. After the wiping process completes, it performs a delayed command execution using Ping to delete "InstallerUtil.exe" from the %TEMP% directory. Finally, it attempts to flush all file buffers to disk and stop all running processes (including itself) by calling ExitWindowsEx Windows API with EWX_SHUTDOWN flag," the researchers concluded.
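The two artefacts the researchers describe (files whose content has been replaced by 1 MB of 0xCC bytes, and an appended random four-byte extension) are exactly what an incident responder would look for when deciding which files on a suspect volume are beyond recovery. The script below is an added triage example written for this post; it is not Cisco Talos code. It walks a directory tree, flags files whose leading bytes are all 0xCC, and notes whether the name carries a trailing four-character suffix. The sample tree it builds in a temporary directory is constructed for the demonstration, and the `has_random_ext` heuristic is an assumption about how the appended extension shows up in a filename.

```python
"""Triage helper: find files that match the WhisperGate fourth-stage wipe pattern.

Added example, not code from the original post or from Cisco Talos.
Indicators taken from the researchers' description:
  - file content overwritten with 1 MB of 0xCC bytes
  - filename renamed by appending a random four-byte extension
"""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

WIPE_LEN = 1024 * 1024   # 1 MB of filler, per the Talos description
FILLER = b"\xCC"         # the overwrite byte reported for the fourth stage


def looks_wiped(path: Path, wipe_len: int = WIPE_LEN) -> bool:
    """Return True when the file's leading bytes (up to wipe_len) are all 0xCC.

    Only the first wipe_len bytes are read; a shorter file is checked in full.
    Empty files and unreadable files are never flagged.
    """
    try:
        size = path.stat().st_size
    except OSError:
        return False
    if size == 0:
        return False
    to_check = min(size, wipe_len)
    with path.open("rb") as fh:
        while to_check > 0:
            chunk = fh.read(min(to_check, 64 * 1024))
            if not chunk or chunk != FILLER * len(chunk):
                return False
            to_check -= len(chunk)
    return True


def has_random_ext(path: Path) -> bool:
    """Heuristic (assumption): the appended extension shows up as a final
    four-character suffix sitting after the file's original extension,
    e.g. 'notes.docx.k3ya'. Archive-style names such as 'a.tar.gz' do not match."""
    suffixes = path.suffixes
    return len(suffixes) >= 2 and len(suffixes[-1]) == 5  # dot plus four chars


def triage(root: Path) -> List[Dict]:
    """Walk root and report every file whose content matches the wipe pattern."""
    hits: List[Dict] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if looks_wiped(p):
                hits.append({
                    "path": str(p),
                    "size": p.stat().st_size,
                    "random_ext": has_random_ext(p),
                })
    return hits


def run_demo() -> List[Dict]:
    """Build a constructed sample tree (not real evidence) and triage it."""
    root = Path(tempfile.mkdtemp(prefix="wg_triage_"))
    try:
        (root / "docs").mkdir()
        # Constructed victim: 1 MB of 0xCC with a four-char extension appended.
        (root / "docs" / "budget.xlsx.k3ya").write_bytes(FILLER * WIPE_LEN)
        # Constructed clean files that must not be flagged.
        (root / "docs" / "readme.txt").write_bytes(b"quarterly notes\n")
        (root / "docs" / "mostly.bin").write_bytes(FILLER * 1000 + b"\x00")
        (root / "docs" / "empty.log").write_bytes(b"")
        return triage(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

Content is the primary signal and the extension only a secondary one: a file full of 0xCC bytes is unrecoverable regardless of its name, while a four-character suffix on its own is common enough in legitimate data that it should not be flagged without the content match.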

To mitigate risks, CISA has advised organizations to implement multi-factor authentication for remote systems, to disable ports and access points that are not business-critical, and to implement strong controls for cloud services.