S0689 WhisperGate
WhisperGate is a multi-stage wiper designed to look like ransomware that has been used in attacks against Ukraine since at least January 2022.123
| Item | Value |
|---|---|
| ID | S0689 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 10 March 2022 |
| Last Modified | 10 April 2022 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | WhisperGate can make an HTTPS connection to download additional files.25 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | WhisperGate can use PowerShell to support multiple actions including execution and defense evasion.245 |
| enterprise | T1059.003 | Windows Command Shell | WhisperGate can use cmd.exe to execute commands.2 |
| enterprise | T1059.005 | Visual Basic | WhisperGate can use a Visual Basic script to exclude the C:\ drive from Windows Defender.24 |
| enterprise | T1485 | Data Destruction | WhisperGate can corrupt files by overwriting the first 1 MB with 0xcc and appending random extensions.361245 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | WhisperGate can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations.45 |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.001 | Disk Content Wipe | WhisperGate can overwrite sectors of a victim host’s hard drive at periodic offsets.645 |
| enterprise | T1561.002 | Disk Structure Wipe | WhisperGate can overwrite the Master Book Record (MBR) on victim systems with a malicious 16-bit bootloader.361245 |
| enterprise | T1083 | File and Directory Discovery | WhisperGate can locate files based on hardcoded file extensions.3245 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | WhisperGate can download and execute AdvancedRun.exe to disable Windows Defender Theat Protection via sc.exe.245 |
| enterprise | T1070 | Indicator Removal on Host | - |
| enterprise | T1070.004 | File Deletion | WhisperGate can delete tools from a compromised host after execution.4 |
| enterprise | T1105 | Ingress Tool Transfer | WhisperGate can download additional stages of malware from a Discord CDN channel.3245 |
| enterprise | T1036 | Masquerading | WhisperGate has been disguised as a JPG extension to avoid detection as a malicious PE file.5 |
| enterprise | T1106 | Native API | WhisperGate has used the ExitWindowsEx API to flush file buffers to disk and stop running processes.4 |
| enterprise | T1027 | Obfuscated Files or Information | WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage.45 |
| enterprise | T1542 | Pre-OS Boot | - |
| enterprise | T1542.003 | Bootkit | WhisperGate overwrites the MBR with a bootloader component that performs destructive wiping operations on hard drives and displays a fake ransom note when the host boots.61345 |
| enterprise | T1055 | Process Injection | WhisperGate has the ability to inject its fourth stage into a suspended process created by the legitimate Windows utility InstallUtil.exe.4 |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | WhisperGate can recognize the presence of monitoring tools on a target system.2 |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.004 | InstallUtil | WhisperGate has used InstallUtil.exe as part of its process to disable Windows Defender.2 |
| enterprise | T1082 | System Information Discovery | WhisperGate has the ability to enumerate fixed logical drives on a targeted system.4 |
| enterprise | T1049 | System Network Connections Discovery | WhisperGate can enumerate connected remote logical drives.4 |
| enterprise | T1529 | System Shutdown/Reboot | WhisperGate can shutdown a compromised host through execution of ExitWindowsEx with the EXW_SHUTDOWN flag.4 |
| enterprise | T1078 | Valid Accounts | - |
| enterprise | T1078.001 | Default Accounts | The WhisperGate third stage can use the AdvancedRun.exe tool to execute commands in the context of the Windows TrustedInstaller group.4 |
| enterprise | T1497 | Virtualization/Sandbox Evasion | WhisperGate can stop its execution when it recognizes the presence of certain monitoring tools.2 |
| enterprise | T1497.003 | Time Based Evasion | WhisperGate can pause for 20 seconds to bypass antivirus solutions.5 |
| enterprise | T1102 | Web Service | WhisperGate can download additional payloads hosted on a Discord channel.62345 |
References
-
Cybereason Nocturnus. (2022, February 15). Cybereason vs. WhisperGate and HermeticWiper. Retrieved March 10, 2022. ↩↩↩↩
-
Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022. ↩↩↩↩↩↩↩
-
Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Crowdstrike. (2022, January 19). Technical Analysis of the WhisperGate Malicious Bootloader. Retrieved March 10, 2022. ↩↩↩↩↩