Access Token Manipulation: Create Process with Token
The WhisperGate third stage can use the AdvancedRun.exe tool to execute commands in the context of the Windows TrustedInstaller group via "%TEMP%\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run.

Application Layer Protocol
WhisperGate can make an HTTPS connection to download additional files.

Command and Scripting Interpreter
WhisperGate can use PowerShell to support multiple actions including execution and defense evasion.

Windows Command Shell
WhisperGate can use cmd.exe to execute commands.

WhisperGate can use a Visual Basic script to exclude the C:\ drive from Windows Defender.

WhisperGate can corrupt files by overwriting the first 1 MB with 0xcc and appending random extensions.
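The corruption pattern described above (first 1 MB overwritten with 0xcc, tail of larger files left intact) is easy to triage for during incident response. The following is an added example written for this page, not WhisperGate code and not part of the MITRE entry: it reads only the leading 1 MiB of each file under a directory and flags files whose prefix is entirely 0xCC. The sample files it scans are constructed in a temporary directory, and the appended extensions (.h3k9, .q7zm) are made-up placeholders.

```python
"""Triage helper (added example): flag files whose leading 1 MiB is the
0xCC fill pattern described for WhisperGate's file-corruption stage.
Not WhisperGate or MITRE code; all sample files are constructed here."""
import tempfile
from pathlib import Path

WIPE_SPAN = 1 * 1024 * 1024  # the page states the first 1 MB is overwritten
FILL_BYTE = 0xCC


def is_cc_wiped(head: bytes) -> bool:
    """True when the bytes read from the start of a file are all 0xCC.

    Files shorter than WIPE_SPAN are overwritten end to end, so any
    non-empty all-0xCC prefix counts; an empty file cannot be classified.
    """
    if not head:
        return False
    return head.count(FILL_BYTE) == len(head)


def scan_directory(root: Path) -> list[Path]:
    """Return files under root whose first WIPE_SPAN bytes are all 0xCC.

    Only the prefix is read, so large files cost the same as small ones.
    """
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(WIPE_SPAN)
        if is_cc_wiped(head):
            hits.append(path)
    return hits


def build_constructed_samples(root: Path) -> None:
    """Write constructed sample files (not real artefacts) for the demo:
    an intact document, a small file overwritten end to end, a 2 MiB file
    whose first MiB is 0xCC while its tail survives, and a near miss."""
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"intact document body" * 100)
    (root / "notes.txt.h3k9").write_bytes(bytes([FILL_BYTE]) * 4096)
    (root / "archive.zip.q7zm").write_bytes(
        bytes([FILL_BYTE]) * WIPE_SPAN + b"PK\x03\x04" * (256 * 1024)
    )
    (root / "almost.bin").write_bytes(bytes([FILL_BYTE]) * 4095 + b"\x00")


def demo() -> list[str]:
    """Build the constructed samples, scan them and return the hit names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_samples(root)
        return sorted(p.name for p in scan_directory(root))


if __name__ == "__main__":
    for name in demo():
        print("possible 0xCC wipe:", name)
```

The near-miss sample shows why the check insists on every byte of the prefix: a single non-0xCC byte rules a file out, which keeps false positives low at the cost of missing partially overwritten files, so on a real case the result is a starting point for hash comparison against backups rather than a verdict.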

Deobfuscate/Decode Files or Information
WhisperGate can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations.

Disk Content Wipe
WhisperGate can overwrite sectors of a victim host's hard drive at periodic offsets.

Disk Structure Wipe
WhisperGate can overwrite the Master Boot Record (MBR) on victim systems with a malicious 16-bit bootloader.

File and Directory Discovery
WhisperGate can locate files based on hardcoded file extensions.

Disable or Modify Tools
WhisperGate can download and execute AdvancedRun.exe to disable the Windows Defender Threat Protection service and set an exclusion path for the C:\ drive.

WhisperGate can delete tools from a compromised host after execution.

Ingress Tool Transfer
WhisperGate can download additional stages of malware from a Discord CDN channel.

WhisperGate has been disguised as a JPG extension to avoid detection as a malicious PE file.

WhisperGate has used the ExitWindowsEx API call to flush file buffers to disk and stop running processes, along with other API calls.

Network Share Discovery
WhisperGate can enumerate connected remote logical drives.

Obfuscated Files or Information
WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage.

WhisperGate overwrites the MBR with a bootloader component that performs destructive wiping operations on hard drives and displays a fake ransom note when the host boots.

WhisperGate has the ability to inject its fourth stage into a suspended process created by the legitimate Windows utility

Reflective Code Loading
WhisperGate's downloader can reverse its third stage file bytes and reflectively load the file as a .NET assembly.
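Because the downloaded stage is stored in reverse byte order (noted above and under Deobfuscate/Decode Files or Information), an analyst recovering it from disk or a proxy cache has to reverse it before any PE or .NET tooling will parse it. The following is an added example written for this page, not WhisperGate or MITRE code: it detects the reversed form by its tail signature, restores the byte order, confirms the result carries a PE header, and hashes it for sharing. The XOR-decrypted resources the page mentions are not covered because the page gives no key or layout; the PE-shaped payload here is a constructed 72-byte stub, not a real executable.

```python
"""Analyst helper (added example, not WhisperGate or MITRE code): recover a
payload stored in reverse byte order and confirm it is a PE image before
handing it to static tooling. The sample payload is constructed."""
import hashlib
import struct


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew
    (the 32-bit offset stored at 0x3C in the DOS header)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_reversed_payload(blob: bytes) -> tuple[bytes, str]:
    """Return (payload, how) where how is 'as-is', 'reversed' or 'unknown'.

    A byte-reversed PE image ends with 'ZM', so the cheap first check is on
    the tail; the full header check runs only on the reversed candidate.
    """
    if looks_like_pe(blob):
        return blob, "as-is"
    if blob[-2:] == b"ZM":
        candidate = blob[::-1]
        if looks_like_pe(candidate):
            return candidate, "reversed"
    return blob, "unknown"


def sha256_hex(data: bytes) -> str:
    """Hash of the recovered image, the value worth sharing as an indicator."""
    return hashlib.sha256(data).hexdigest()


def build_constructed_pe_stub() -> bytes:
    """A constructed 72-byte PE-shaped stub (not a real executable): a DOS
    header with e_lfanew = 0x40, followed by the 'PE\\0\\0' signature."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 4


def demo() -> dict:
    """Reverse the constructed stub to mimic the on-disk form, then recover it."""
    original = build_constructed_pe_stub()
    on_disk = original[::-1]  # constructed stand-in for the downloaded artefact
    payload, how = recover_reversed_payload(on_disk)
    return {
        "how": how,
        "recovered_ok": payload == original,
        "sha256": sha256_hex(payload),
    }


if __name__ == "__main__":
    result = demo()
    print(f"recovered via: {result['how']}, header valid: {result['recovered_ok']}")
    print("sha256 of recovered image:", result["sha256"])
```

Hashing the recovered image rather than the reversed blob matters for detection content: the on-disk form will not match signatures or hash lists written against the real assembly, so both representations are worth recording.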

Security Software Discovery
WhisperGate can recognize the presence of monitoring tools on a target system.

System Binary Proxy Execution
WhisperGate has used InstallUtil.exe as part of its process to disable Windows Defender.

System Information Discovery
WhisperGate has the ability to enumerate fixed logical drives on a targeted system.

WhisperGate can download and execute AdvancedRun.exe via

WhisperGate can shut down a compromised host through execution of ExitWindowsEx with the

WhisperGate can stop its execution when it recognizes the presence of certain monitoring tools.

Time Based Evasion
WhisperGate can pause for 20 seconds to bypass antivirus solutions.

WhisperGate can download additional payloads hosted on a Discord channel.