S0689 WhisperGate

WhisperGate is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.[1][2][3]

| Item | Value |
|---|---|
| ID | S0689 |
| Associated Names | |
| Version | 1.1 |
| Created | 10 March 2022 |
| Last Modified | 05 April 2023 |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1134 | Access Token Manipulation | - |
| enterprise | T1134.002 | Create Process with Token | The WhisperGate third stage can use the AdvancedRun.exe tool to execute commands in the context of the Windows TrustedInstaller group via "%TEMP%\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run.[4] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | WhisperGate can make an HTTPS connection to download additional files.[2][6] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | WhisperGate can use PowerShell to support multiple actions including execution and defense evasion.[2][4][6] |
| enterprise | T1059.003 | Windows Command Shell | WhisperGate can use cmd.exe to execute commands.[2] |
| enterprise | T1059.005 | Visual Basic | WhisperGate can use a Visual Basic script to exclude the C:\ drive from Windows Defender.[2][4] |
| enterprise | T1485 | Data Destruction | WhisperGate can corrupt files by overwriting the first 1 MB with 0xcc and appending random extensions.[3][7][1][2][4][6] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | WhisperGate can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations.[4][6] |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.001 | Disk Content Wipe | WhisperGate can overwrite sectors of a victim host's hard drive at periodic offsets.[7][4][6] |
| enterprise | T1561.002 | Disk Structure Wipe | WhisperGate can overwrite the Master Boot Record (MBR) on victim systems with a malicious 16-bit bootloader.[3][7][1][2][4][6] |
| enterprise | T1083 | File and Directory Discovery | WhisperGate can locate files based on hardcoded file extensions.[3][2][4][6] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | WhisperGate can download and execute AdvancedRun.exe to disable the Windows Defender Threat Protection service and set an exclusion path for the C:\ drive.[2][4][6] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | WhisperGate can delete tools from a compromised host after execution.[4] |
| enterprise | T1105 | Ingress Tool Transfer | WhisperGate can download additional stages of malware from a Discord CDN channel.[3][2][4][6] |
| enterprise | T1036 | Masquerading | WhisperGate has been disguised with a JPG extension to avoid detection as a malicious PE file.[6] |
| enterprise | T1106 | Native API | WhisperGate has used ExitWindowsEx to flush file buffers to disk and stop running processes, along with other API calls.[4][5] |
| enterprise | T1135 | Network Share Discovery | WhisperGate can enumerate connected remote logical drives.[4] |
| enterprise | T1027 | Obfuscated Files or Information | WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage.[4][6][5] |
| enterprise | T1542 | Pre-OS Boot | - |
| enterprise | T1542.003 | Bootkit | WhisperGate overwrites the MBR with a bootloader component that performs destructive wiping operations on hard drives and displays a fake ransom note when the host boots.[7][1][3][4][6] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.012 | Process Hollowing | WhisperGate has the ability to inject its fourth stage into a suspended process created by the legitimate Windows utility InstallUtil.exe.[4][5] |
| enterprise | T1620 | Reflective Code Loading | WhisperGate's downloader can reverse its third stage file bytes and reflectively load the file as a .NET assembly.[5] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | WhisperGate can recognize the presence of monitoring tools on a target system.[2] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.004 | InstallUtil | WhisperGate has used InstallUtil.exe as part of its process to disable Windows Defender.[2] |
| enterprise | T1082 | System Information Discovery | WhisperGate has the ability to enumerate fixed logical drives on a targeted system.[4] |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | WhisperGate can download and execute AdvancedRun.exe via sc.exe.[6][2] |
| enterprise | T1529 | System Shutdown/Reboot | WhisperGate can shut down a compromised host through execution of ExitWindowsEx with the EXW_SHUTDOWN flag.[4] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | WhisperGate can stop its execution when it recognizes the presence of certain monitoring tools.[2] |
| enterprise | T1497.003 | Time Based Evasion | WhisperGate can pause for 20 seconds to bypass antivirus solutions.[6][5] |
| enterprise | T1102 | Web Service | WhisperGate can download additional payloads hosted on a Discord channel.[7][2][3][4][6] |
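As an added defender-side example (not part of the ATT&CK entry and not the malware's own code), the following Python triages files on a host for two artifacts described in the table above: the T1485 pattern of a leading 1 MB of 0xCC bytes, and the T1140/T1027 habit of storing a downloaded PE stage in reverse byte order. The sample file contents and the `_fake_pe` header blob are constructed for the demo; nothing is executed or loaded.

```python
WIPE_BYTE = 0xCC
WIPE_LEN = 1024 * 1024  # the wiper overwrites the first 1 MB of each targeted file


def looks_wiped(data: bytes) -> bool:
    """True when the leading 1 MB (or the whole file, if shorter) is all 0xCC.
    An empty file carries no evidence either way and is not flagged."""
    head = data[:WIPE_LEN]
    return len(head) > 0 and head.count(WIPE_BYTE) == len(head)


def reversed_pe_header(data: bytes) -> bool:
    """True when the bytes are a PE stored in reverse order: the file ends in
    'ZM', and after reversal e_lfanew (offset 0x3C) points at the PE signature."""
    if len(data) < 0x40 or data[-2:] != b"ZM":
        return False
    fwd = data[::-1]
    e_lfanew = int.from_bytes(fwd[0x3C:0x40], "little")
    return fwd[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def _fake_pe(size: int = 0x200) -> bytes:
    """Constructed PE-shaped blob for the demo: header fields only, not runnable."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


# Constructed sample files standing in for a directory listing on a host.
SAMPLES = {
    "report.docx.abc123": bytes([WIPE_BYTE]) * WIPE_LEN + b"intact tail",  # wiped, random ext
    "notes.txt": b"ordinary content\n",
    "stage3.jpg": _fake_pe()[::-1],  # reversed PE masquerading as an image
    "empty.dat": b"",
}


def triage(samples: dict) -> dict:
    """Group file names by finding so an analyst can scope the damage quickly."""
    findings = {"wiped": [], "reversed_pe": []}
    for name, data in samples.items():
        if looks_wiped(data):
            findings["wiped"].append(name)
        if reversed_pe_header(data):
            findings["reversed_pe"].append(name)
    return findings
```

Run `triage` over real file bytes read with `open(path, "rb")` to apply the same checks to a collected directory; a file with the 0xCC head and an appended random extension is the post-wipe state, so recovery has to come from backups rather than the file itself.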

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G1003 | Ember Bear | [8][9] |