The malware, dubbed WhisperGate, was discovered last week by Microsoft, which said it observed the destructive cyber campaign targeting Ukrainian government, non-profit, and information technology entities, and attributed the intrusions to an emerging threat cluster codenamed “DEV-0586.”
Several cyber attacks on Ukrainian government websites, including website hackings and destructive wiper malware, have made headlines in recent weeks as military tensions on the Russian/Ukrainian border have risen. Cisco Talos, a long-time intelligence partner and ally, quickly responded to provide assistance, collaborating with the SSSCIP, the National Police of Ukraine’s Cyberpolice Department, and the NCCC at the NSDC of Ukraine.
Cisco Talos researchers reported: “While WhisperGate shares some strategic similarities with the notorious NotPetya wiper that attacked Ukrainian entities in 2017, such as masquerading as ransomware and targeting and destroying the master boot record (MBR) rather than encrypting it.”
The WhisperGate infection chain is designed as a multi-stage process that begins with a payload that wipes the master boot record (MBR), then downloads a malicious DLL file hosted on a Discord server, which drops and executes another wiper payload that irreversibly destroys files on infected hosts by overwriting their content with fixed data.
First Stage – The first stage is responsible for the initial attempt to wipe the system. The malware executable deletes the master boot record (MBR) and replaces it with code that displays the ransom note. In this respect WhisperGate resembles the notorious NotPetya wiper, which masqueraded as ransomware during its 2017 campaign.
Second Stage – The second stage of the infection chain is a downloader that retrieves the third stage from a hard-coded Discord server URL. The downloader begins by running a base64-encoded PowerShell command twice in order to put the endpoint to sleep for 20 seconds before proceeding.
Third Stage – A DLL written in C# and obfuscated with Eazfuscator is the third stage of the infection chain. It is a dropper capable of delivering and executing a fourth-stage wiper payload.
Fourth Stage – In contrast to the first-stage wiper, the primary goal of the fourth-stage wiper is to delete all data on the endpoint. It is most likely a backup plan in case the first-stage wiper fails to clear the endpoint.
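The stage descriptions above give an incident responder two concrete things to look for: a master boot record that has been replaced (stage 1) and files whose contents have been overwritten with fixed data (stage 4). The following triage script is an added example written for this page; it is not code from the article, from Cisco Talos or from Microsoft. It assumes, as a working heuristic not stated in the article, that an MBR is suspect when its 0x55AA boot signature is missing, when all four partition entries are zero, or when its hash differs from a pre-incident baseline, and that a file is "wiped" when a sample of its content is one repeated byte value. All inputs (the MBR images and the directory tree) are constructed inline so the script runs offline.

```python
"""Defender-side triage for the two WhisperGate wiper stages described above.

Added example, not the article's or any vendor's code. Heuristics are
assumptions: see the module docstring notes on each function.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # expected at offset 510 of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries precede the signature


def inspect_mbr(mbr: bytes, known_good_sha256: Optional[str] = None) -> Dict[str, object]:
    """Return a verdict for a 512-byte MBR image.

    Checks (assumed heuristics): boot signature present, at least one non-empty
    partition entry, and optional comparison with a baseline hash captured
    before the incident. The baseline check matters most: malware that replaces
    the boot code with a ransom-note loader can still leave a valid signature.
    """
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    table = mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 64]
    partitions_present = any(table[i:i + 16] != b"\x00" * 16 for i in range(0, 64, 16))
    digest = hashlib.sha256(mbr).hexdigest()
    baseline_match = None if known_good_sha256 is None else digest == known_good_sha256
    suspicious = (not signature_ok) or (not partitions_present) or (baseline_match is False)
    return {
        "signature_ok": signature_ok,
        "partitions_present": partitions_present,
        "sha256": digest,
        "baseline_match": baseline_match,
        "suspicious": suspicious,
    }


def looks_wiped(path: str, sample_size: int = 4096) -> bool:
    """True when the sampled file content is a single repeated byte value.

    A file overwritten with fixed data has zero byte diversity; real documents,
    executables and archives essentially never do. Empty files are not reported
    because a zero-length file carries no evidence either way.
    """
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    if not sample:
        return False
    return sample.count(sample[0]) == len(sample)


def find_wiped_files(root: str) -> List[str]:
    """Walk a directory tree and return the paths whose content looks wiped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if looks_wiped(full):
                    hits.append(full)
            except OSError:
                continue  # unreadable file: skip it rather than abort the triage
    return sorted(hits)


def build_sample_mbr(intact: bool) -> bytes:
    """Constructed 512-byte MBR image for demonstration; not a real disk sector."""
    mbr = bytearray(MBR_SIZE)
    if intact:
        # one bootable entry: status 0x80, type 0x07, start LBA 2048, 1 MiB of sectors
        entry = (bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])
                 + (2048).to_bytes(4, "little") + (1 << 20).to_bytes(4, "little"))
        mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
        mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def build_sample_tree() -> str:
    """Constructed temp directory: one normal file, one wiped file, one empty file."""
    root = tempfile.mkdtemp(prefix="wipe_triage_")
    with open(os.path.join(root, "report.txt"), "wb") as fh:
        fh.write(b"Quarterly report: revenue up 4%, costs flat.\n")
    with open(os.path.join(root, "wiped.docx"), "wb") as fh:
        fh.write(b"\xCC" * (1 << 20))  # one megabyte of a fixed byte (constructed)
    with open(os.path.join(root, "empty.log"), "wb"):
        pass
    return root


if __name__ == "__main__":
    good = build_sample_mbr(intact=True)
    baseline = hashlib.sha256(good).hexdigest()
    print("intact MBR :", inspect_mbr(good, baseline))
    print("zeroed MBR :", inspect_mbr(build_sample_mbr(intact=False), baseline))
    print("wiped files:", find_wiped_files(build_sample_tree()))
```

On a live system the MBR would be read from the raw disk device (the first 512 bytes) and the baseline hash would come from a golden image or an earlier inventory run; the repeated-byte check is a cheap first pass that can be followed by hash comparison against backups for the files it flags.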
The findings come a week after approximately 80 Ukrainian government websites were defaced, with Ukrainian intelligence agencies confirming that the twin incidents are part of a wave of malicious activities targeting the country’s critical infrastructure, while also noting that the attacks exploited recently disclosed Log4j vulnerabilities to gain access to some of the compromised systems.
Wired’s Andy Greenberg, in a 2017 deep dive into the attacks on Ukraine’s power grid that caused unprecedented blackouts in late 2015, wrote that “Russia is using the country as a cyberwar testing ground — a laboratory for perfecting new forms of global online combat.”
Finally, the researchers concluded: “Systems in Ukraine face challenges that may not apply to those in other parts of the world, and extra safeguards and precautionary measures must be implemented. It is critical to ensure that those systems are both patched and hardened in order to help mitigate the threats that the region faces.”
INDICATORS OF COMPROMISE
Stage 1 (MBR Wiper)
Stage 2 (Downloader)
Stage 3 (Loader DLL)
Stage 4 (File Wiper)