S0689 WhisperGate
WhisperGate is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.[1][2][3]
Item | Value |
---|---|
ID | S0689 |
Associated Names | - |
Type | MALWARE |
Version | 1.1 |
Created | 10 March 2022 |
Last Modified | 05 April 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1134 | Access Token Manipulation | - |
enterprise | T1134.002 | Create Process with Token | The WhisperGate third stage can use the AdvancedRun.exe tool to execute commands in the context of the Windows TrustedInstaller group via `"%TEMP%\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run`.[4] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | WhisperGate can make an HTTPS connection to download additional files.[2][6] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | WhisperGate can use PowerShell to support multiple actions, including execution and defense evasion.[2][4][6] |
enterprise | T1059.003 | Windows Command Shell | WhisperGate can use cmd.exe to execute commands.[2] |
enterprise | T1059.005 | Visual Basic | WhisperGate can use a Visual Basic script to exclude the C:\ drive from Windows Defender.[2][4] |
enterprise | T1485 | Data Destruction | WhisperGate can corrupt files by overwriting the first 1 MB with 0xcc and appending random extensions.[3][7][1][2][4][6] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | WhisperGate can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations.[4][6] |
enterprise | T1561 | Disk Wipe | - |
enterprise | T1561.001 | Disk Content Wipe | WhisperGate can overwrite sectors of a victim host's hard drive at periodic offsets.[7][4][6] |
enterprise | T1561.002 | Disk Structure Wipe | WhisperGate can overwrite the Master Boot Record (MBR) on victim systems with a malicious 16-bit bootloader.[3][7][1][2][4][6] |
enterprise | T1083 | File and Directory Discovery | WhisperGate can locate files based on hardcoded file extensions.[3][2][4][6] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | WhisperGate can download and execute AdvancedRun.exe to disable the Windows Defender Threat Protection service and set an exclusion path for the C:\ drive.[2][4][6] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | WhisperGate can delete tools from a compromised host after execution.[4] |
enterprise | T1105 | Ingress Tool Transfer | WhisperGate can download additional stages of malware from a Discord CDN channel.[3][2][4][6] |
enterprise | T1036 | Masquerading | WhisperGate has been disguised with a JPG extension to avoid detection as a malicious PE file.[6] |
enterprise | T1106 | Native API | WhisperGate has used the ExitWindowsEx API call to flush file buffers to disk and stop running processes, along with other API calls.[4][5] |
enterprise | T1135 | Network Share Discovery | WhisperGate can enumerate connected remote logical drives.[4] |
enterprise | T1027 | Obfuscated Files or Information | WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage.[4][6][5] |
enterprise | T1542 | Pre-OS Boot | - |
enterprise | T1542.003 | Bootkit | WhisperGate overwrites the MBR with a bootloader component that performs destructive wiping operations on hard drives and displays a fake ransom note when the host boots.[7][1][3][4][6] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.012 | Process Hollowing | WhisperGate has the ability to inject its fourth stage into a suspended process created by the legitimate Windows utility InstallUtil.exe.[4][5] |
enterprise | T1620 | Reflective Code Loading | WhisperGate's downloader can reverse its third stage file bytes and reflectively load the file as a .NET assembly.[5] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | WhisperGate can recognize the presence of monitoring tools on a target system.[2] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.004 | InstallUtil | WhisperGate has used InstallUtil.exe as part of its process to disable Windows Defender.[2] |
enterprise | T1082 | System Information Discovery | WhisperGate has the ability to enumerate fixed logical drives on a targeted system.[4] |
enterprise | T1569 | System Services | - |
enterprise | T1569.002 | Service Execution | WhisperGate can download and execute AdvancedRun.exe via sc.exe.[6][2] |
enterprise | T1529 | System Shutdown/Reboot | WhisperGate can shut down a compromised host through execution of ExitWindowsEx with the EXW_SHUTDOWN flag.[4] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.001 | System Checks | WhisperGate can stop its execution when it recognizes the presence of certain monitoring tools.[2] |
enterprise | T1497.003 | Time Based Evasion | WhisperGate can pause for 20 seconds to bypass antivirus solutions.[6][5] |
enterprise | T1102 | Web Service | WhisperGate can download additional payloads hosted on a Discord channel.[7][2][3][4][6] |
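The T1485 row above gives responders a concrete file-level artifact to scope damage by: the corruption stage overwrites the first 1 MB of each file with the byte 0xcc and gives it a random extension. The following triage script is an added example written for this page, not code from the ATT&CK entry or from any of its cited reports. It walks a directory tree and flags files whose leading bytes match that pattern. The file names, extensions and contents in `build_sample_tree()` are constructed test data, and the rule that a file shorter than 1 MB counts as wiped only when its entire content is 0xcc is an assumption made here to avoid over-flagging.

```python
"""Triage helper for the WhisperGate file-corruption pattern (ATT&CK T1485).

The corruption stage overwrites the first 1 MB of each targeted file with 0xCC
and appends a random extension. A file that was hit therefore begins with a run
of 0xCC bytes covering its first 1 MB or, for smaller files, its entire length
(the latter is an assumption of this example). This script walks a tree and
reports matching files so an incident responder can scope the damage.

Added example; not part of the ATT&CK entry or its cited reports.
"""
import os
import tempfile
from pathlib import Path

WIPE_BYTE = 0xCC            # fill byte named in the T1485 entry
WIPE_SPAN = 1024 * 1024     # 1 MB window the wiper overwrites
CHUNK = 64 * 1024           # read granularity so large files stay cheap


def looks_wiped(path: Path, span: int = WIPE_SPAN) -> bool:
    """Return True if the first `span` bytes (or the whole file, if shorter)
    consist solely of 0xCC. Empty files are never flagged."""
    remaining = min(span, path.stat().st_size)
    if remaining == 0:
        return False
    with path.open("rb") as fh:
        while remaining > 0:
            block = fh.read(min(CHUNK, remaining))
            if not block:
                return False  # short read: file changed underneath us
            # bytes.count(int) counts occurrences of that byte value
            if block.count(WIPE_BYTE) != len(block):
                return False
            remaining -= len(block)
    return True


def scan_tree(root: Path) -> list[Path]:
    """Walk `root` and return, sorted, every regular file matching the wipe pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if p.is_file() and not p.is_symlink() and looks_wiped(p):
                    hits.append(p)
            except OSError:
                continue  # unreadable file: skip it, keep scanning
    return sorted(hits)


def build_sample_tree() -> Path:
    """Create a constructed sample tree: two wiped files, three intact ones."""
    root = Path(tempfile.mkdtemp(prefix="whispergate-triage-"))
    fill = bytes([WIPE_BYTE])
    # Large file: first 1 MB overwritten, tail still holds original data.
    (root / "report.docx.7r9k").write_bytes(fill * WIPE_SPAN + b"PK\x03\x04 trailing data")
    # Small file: shorter than 1 MB, so the whole content is 0xCC.
    (root / "notes.txt.q2zv").write_bytes(fill * 4096)
    # Intact files: a normal archive, an empty log, and a binary that merely
    # starts with 0xCC (x86 int3 padding) but is not wiped through.
    (root / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 2048)
    (root / "empty.log").write_bytes(b"")
    (root / "padded.bin").write_bytes(fill * 16 + b"\x90" * 16)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in scan_tree(sample_root):
        print(f"wiped: {hit.relative_to(sample_root)}")
```

The check deliberately requires the whole 1 MB window to be 0xcc rather than only the first few bytes: legitimate binaries often start with int3 padding (0xcc), but a megabyte of it is not a plausible file. Point `scan_tree()` at a mounted image or a restored share to produce the list of files that need recovery from backup.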
Groups That Use This Software
ID | Name | References |
---|---|---|
G1003 | Ember Bear | [8][9] |
References
1. Cybereason Nocturnus. (2022, February 15). Cybereason vs. WhisperGate and HermeticWiper. Retrieved March 10, 2022.
2. Falcone, R. et al. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
3. MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022.
4. Biasini, N. et al. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
5. Insikt Group. (2020, January 28). WhisperGate Malware Corrupts Computers in Ukraine. Retrieved March 31, 2023.
6. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
7. CrowdStrike. (2022, January 19). Technical Analysis of the WhisperGate Malicious Bootloader. Retrieved March 10, 2022.
8. CrowdStrike. (2022, March 30). Who is EMBER BEAR? Retrieved June 9, 2022.
9. Sadowski, J.; Hall, R. (2022, March 4). Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation. Retrieved June 9, 2022.