Skip to content

S0689 WhisperGate

WhisperGate is a multi-stage wiper designed to look like ransomware that has been used in attacks against Ukraine since at least January 2022.123

Item Value
ID S0689
Associated Names
Version 1.0
Created 10 March 2022
Last Modified 10 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols WhisperGate can make an HTTPS connection to download additional files.25
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell WhisperGate can use PowerShell to support multiple actions including execution and defense evasion.245
enterprise T1059.003 Windows Command Shell WhisperGate can use cmd.exe to execute commands.2
enterprise T1059.005 Visual Basic WhisperGate can use a Visual Basic script to exclude the C:\ drive from Windows Defender.24
enterprise T1485 Data Destruction WhisperGate can corrupt files by overwriting the first 1 MB with 0xcc and appending random extensions.361245
enterprise T1140 Deobfuscate/Decode Files or Information WhisperGate can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations.45
enterprise T1561 Disk Wipe -
enterprise T1561.001 Disk Content Wipe WhisperGate can overwrite sectors of a victim host’s hard drive at periodic offsets.645
enterprise T1561.002 Disk Structure Wipe WhisperGate can overwrite the Master Book Record (MBR) on victim systems with a malicious 16-bit bootloader.361245
enterprise T1083 File and Directory Discovery WhisperGate can locate files based on hardcoded file extensions.3245
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools WhisperGate can download and execute AdvancedRun.exe to disable Windows Defender Theat Protection via sc.exe.245
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion WhisperGate can delete tools from a compromised host after execution.4
enterprise T1105 Ingress Tool Transfer WhisperGate can download additional stages of malware from a Discord CDN channel.3245
enterprise T1036 Masquerading WhisperGate has been disguised as a JPG extension to avoid detection as a malicious PE file.5
enterprise T1106 Native API WhisperGate has used the ExitWindowsEx API to flush file buffers to disk and stop running processes.4
enterprise T1027 Obfuscated Files or Information WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage.45
enterprise T1542 Pre-OS Boot -
enterprise T1542.003 Bootkit WhisperGate overwrites the MBR with a bootloader component that performs destructive wiping operations on hard drives and displays a fake ransom note when the host boots.61345
enterprise T1055 Process Injection WhisperGate has the ability to inject its fourth stage into a suspended process created by the legitimate Windows utility InstallUtil.exe.4
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery WhisperGate can recognize the presence of monitoring tools on a target system.2
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.004 InstallUtil WhisperGate has used InstallUtil.exe as part of its process to disable Windows Defender.2
enterprise T1082 System Information Discovery WhisperGate has the ability to enumerate fixed logical drives on a targeted system.4
enterprise T1049 System Network Connections Discovery WhisperGate can enumerate connected remote logical drives.4
enterprise T1529 System Shutdown/Reboot WhisperGate can shutdown a compromised host through execution of ExitWindowsEx with the EXW_SHUTDOWN flag.4
enterprise T1078 Valid Accounts -
enterprise T1078.001 Default Accounts The WhisperGate third stage can use the AdvancedRun.exe tool to execute commands in the context of the Windows TrustedInstaller group.4
enterprise T1497 Virtualization/Sandbox Evasion WhisperGate can stop its execution when it recognizes the presence of certain monitoring tools.2
enterprise T1497.003 Time Based Evasion WhisperGate can pause for 20 seconds to bypass antivirus solutions.5
enterprise T1102 Web Service WhisperGate can download additional payloads hosted on a Discord channel.62345


Back to top