Researchers detail the perilous WhisperGate wiper ransomware

February 17, 2022
Security researchers have published a detailed assessment of the WhisperGate wiper that devastated organisations based in Ukraine. WhisperGate shares some similarities with NotPetya, attributed to financially motivated cybercriminals who also had organisational disruption as a motive.

Microsoft explained that the operators designed the wiper to look and act like ransomware. However, instead of encrypting data as typical ransomware does, WhisperGate's true objective is to inflict damage that leaves systems inoperable. Another researcher claimed that data stolen by the threat actors provided the initial access used to distribute the wiper.

WhisperGate and NotPetya both presented themselves as ransomware in their respective campaigns, and both wipers completely overwrite the MBR (Master Boot Record) with a ransom message.

Additionally, WhisperGate attempts to destroy the C:\ partition by overwriting the disk with junk data. Wiping disk partitions in this way is commonly observed in wipers such as NotPetya, so the attack process of the two wipers is undoubtedly similar.

In the later stages of the WhisperGate campaign, a downloader retrieves the code needed for the next step of the attack. A PowerShell command is run twice, putting the endpoint to sleep for about 20 to 30 seconds.

A Discord URL is then contacted to fetch a [.]dll file obfuscated with Eazfuscator. This stage delivers and runs the primary wiper malware through a VBScript. The payload also modifies the Windows Defender settings to exclude the targeted drive from scans.

Researchers also uncovered several additional characteristics of WhisperGate. It overwrites every file with 1 MB of ‘0xCC’ bytes and renames it with a four-byte extension.

Files carrying one of 192 targeted extensions, such as [.]HTML, [.]PPT, [.]KEY and [.]RAR, are wiped. Once the wiping process is finished, WhisperGate uses a ping to delay a command that removes InstallerUtil[.]exe.

Lastly, WhisperGate attempts to flush all file buffers to disk and then terminates all running processes, including itself, by calling the ExitWindowsEx Windows API with the EWX_SHUTDOWN flag.
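A defender-side triage check built on the artifacts described above, added here as an example (it is not from the researchers' report or from the malware): it walks a directory tree and flags files whose leading bytes are all 0xCC, scoring higher when the file also carries a four-character extension. The 0xCC value, the 1 MB length and the four-character extension come from the page; the sample files it scans are constructed in the script.

```python
"""Triage scan for WhisperGate-style wiping artifacts (added example, see lead-in)."""
import tempfile
from pathlib import Path

WIPE_BYTE = 0xCC
WIPE_LEN = 1024 * 1024  # the report describes 1 MB of 0xCC written per file
CHUNK = 64 * 1024

def is_cc_filled(path: Path, limit: int = WIPE_LEN) -> bool:
    """True if the first `limit` bytes (whole file if shorter) are all 0xCC."""
    size = path.stat().st_size
    if size == 0:
        return False  # an empty file carries no wipe pattern
    remaining = min(size, limit)
    with path.open("rb") as fh:
        while remaining:
            block = fh.read(min(CHUNK, remaining))
            if not block or block != bytes([WIPE_BYTE]) * len(block):
                return False
            remaining -= len(block)
    return True

def has_four_char_extension(path: Path) -> bool:
    """The wiper renames victims with a four-character extension."""
    ext = path.suffix[1:]  # strip the leading dot
    return len(ext) == 4 and ext.isalnum()

def scan(root: Path) -> dict:
    """Return {path: confidence}; 0xCC fill plus renamed extension scores 'high'."""
    hits = {}
    for p in root.rglob("*"):
        if p.is_file() and is_cc_filled(p):
            hits[str(p)] = "high" if has_four_char_extension(p) else "medium"
    return hits

def build_sample_tree(root: Path) -> None:
    """Constructed sample files (not real incident data) to exercise the scanner."""
    (root / "report.AWDR").write_bytes(bytes([WIPE_BYTE]) * (4 * CHUNK))  # wiped + renamed
    (root / "notes.txt").write_bytes(bytes([WIPE_BYTE]) * 512)            # wiped, not renamed
    (root / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\xcc" * 200)     # genuine header
    (root / "empty.AAAA").write_bytes(b"")                                 # empty: ignored

def demo() -> dict:
    """Scan the constructed tree and return {filename: confidence}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return {Path(k).name: v for k, v in scan(root).items()}
```

Pointing `scan()` at a mounted image of an affected volume gives a quick list of candidates for deeper forensic review; a 0xCC-only file with an unchanged extension may also be a legitimate padding file, hence the lower score.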

The researchers' recent disclosure of the WhisperGate attack chain can help organisations better understand and counter the threat. Organisations should always employ MFA to reduce the risk of credential theft and of infection by any cybercrime threat.