
WhisperGate Cyber Conflict

Summary:

First analyzed by the Microsoft Threat Intelligence Center (MSTIC), WhisperGate was detected on January 13, 2022. According to MSTIC's report, this malware was deployed explicitly against various Ukrainian organizations in geopolitically motivated attacks. WhisperGate is a ransomware-type program. Usually, malicious software in this class locks the infected device's screen (screenlocker) and/or encrypts files in order to demand a ransom for restoring access or decrypting the files. However, MSTIC noted that WhisperGate operates in a destructive manner and has no functionality that would enable recovery. On February 23, 2022, several cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine. According to SentinelLabs, that malware targets Windows devices and manipulates the master boot record, which results in subsequent boot failure.

The attack itself is based on two different threats:

  1. CVE-2021-32648: An exploitable vulnerability in the october/system content management system, which is believed to be the main exploit behind WhisperGate.
  2. The actual malware which is tracked by MSTIC as DEV-0586.


Details:

The malware resides in various working directories, including C:\PerfLogs, C:\ProgramData, C:\, and C:\temp, and is often named stage1.exe. In the observed intrusions, the malware executes via Impacket, a publicly available capability often used by threat actors for lateral movement and execution.

The two-stage malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note (Stage 1). The MBR is the part of a hard drive that tells the computer how to load its operating system. The ransom note contains a Bitcoin wallet and Tox ID (a unique account identifier used in the Tox encrypted messaging protocol) that have not been previously observed by MSTIC:


Your hard drive has been corrupted.

In case you want to recover all hard drives of your organization,

You should pay us $10k via bitcoin wallet

1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via

tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65

with your organization name.

We will contact you to give further instructions.


The malware executes when the associated device is powered down. Overwriting the MBR is atypical for cybercriminal ransomware. In reality, the ransom note is a ruse: the malware destroys the MBR and the contents of the files it targets, leaving nothing to recover.
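A defender-side triage check for the Stage 1 behaviour described above, written here as an added example (it is not Barracuda's or MSTIC's tooling): it parses the first sector of a disk image, verifies the MBR boot signature and partition table, and looks for the ransom-note strings. The sample sectors are constructed for illustration, with placeholders in place of the wallet and Tox identifiers.

```python
"""Triage check for a WhisperGate-style MBR overwrite (added example)."""

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR
# Strings from the Stage 1 ransom note quoted in the advisory.
RANSOM_MARKERS = (b"Your hard drive has been corrupted", b"tox ID", b"bitcoin wallet")


def analyze_mbr(sector: bytes) -> dict:
    """Return structural and content indicators for one 512-byte boot sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR sector must be exactly 512 bytes")
    has_signature = sector[510:512] == BOOT_SIGNATURE
    # Partition table: four 16-byte entries at offset 446; byte 4 of each entry is the type.
    partitions = [sector[446 + 16 * i : 462 + 16 * i] for i in range(4)]
    active_partitions = sum(1 for p in partitions if p[4] != 0)
    markers = [m.decode() for m in RANSOM_MARKERS if m in sector]
    if markers:  # note text in the boot sector wins regardless of structure
        verdict = "suspicious: ransom note in boot sector"
    elif has_signature and active_partitions:
        verdict = "intact"
    else:
        verdict = "suspicious: boot sector invalid"
    return {"boot_signature": has_signature, "partitions": active_partitions,
            "ransom_markers": markers, "verdict": verdict}


def analyze_image(path: str) -> dict:
    """Read the first sector of a raw disk image and analyze it."""
    with open(path, "rb") as f:
        return analyze_mbr(f.read(SECTOR_SIZE))


# Constructed sample: a minimal valid MBR with one NTFS partition entry and the boot signature.
_clean = bytearray(SECTOR_SIZE)
_clean[446:462] = bytes([0x80, 0, 0, 0, 0x07]) + b"\x00" * 11  # active, type 0x07 = NTFS
_clean[510:512] = BOOT_SIGNATURE
CLEAN_MBR = bytes(_clean)

# Constructed sample: a boot sector replaced by the note, modelled on the text quoted above,
# with placeholder identifiers. Real samples may differ in layout; the marker check still fires.
NOTE = (b"Your hard drive has been corrupted.\r\n"
        b"In case you want to recover all hard drives of your organization,\r\n"
        b"You should pay us $10k via bitcoin wallet <WALLET_PLACEHOLDER> and send message via\r\n"
        b"tox ID <TOX_ID_PLACEHOLDER> with your organization name.\r\n")
OVERWRITTEN_MBR = NOTE.ljust(SECTOR_SIZE, b"\x00")

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("overwritten", OVERWRITTEN_MBR)):
        print(name, analyze_mbr(sector)["verdict"])
```

Run it against a forensic image with `analyze_image("disk.raw")`; a `suspicious` verdict on a host that should boot is grounds to image the remaining sectors before attempting any repair.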

Stage2.exe is a downloader for a malicious file corrupter. Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. The next-stage malware can best be described as a malicious file corrupter. Once executed in memory, the corrupter locates files in certain directories on the system


Barracuda Networks:

Malicious URLs:

We have flagged any observed Discord URLs as malicious.


IPS Signature Protection:

Barracuda CloudGen Firewall Firmware Version 8.3: The following IPS signature was released on January 19, 2022 to protect against CVE-2021-32648.

Barracuda CloudGen Firewall Firmware Versions 8.0.x and 8.2.x: The following IPS signature will be released on March 09, 2022 to protect against CVE-2021-32648.

  • 1230487  WEB October CMS Auth Bypass Vulnerability (CVE-2021-32648)


Malware Protection:

Together with our partner Avira, we have released the following AV patterns to detect and block WhisperGate-related activity on protected networks.

Stage 1: TR/KillMBR.qtdxd

Stage 2: TR/Dldr.PsDownload.pegom

Stage 3: TR/Zapchast.IH