The malware, dubbed WhisperGate, was discovered last week by Microsoft, which said it had observed the destructive campaign targeting Ukraine's government, non-profit, and information technology entities, and attributed the intrusions to an emerging threat cluster codenamed "DEV-0586."
Several cyber attacks on Ukrainian government websites, including defacements and destructive wiper malware, have made headlines in recent weeks as military tensions on the Russia-Ukraine border have risen. Cisco Talos, a long-time intelligence partner and ally of Ukraine, responded quickly to provide assistance, collaborating with the SSSCIP, the National Police of Ukraine's Cyberpolice Department, and the NCCC at the NSDC of Ukraine.
Cisco Talos researchers reported, "While WhisperGate shares some strategic similarities with the notorious NotPetya wiper that attacked Ukrainian entities in 2017, such as masquerading as ransomware and targeting and destroying the master boot record (MBR) rather than encrypting it."
The WhisperGate infection chain is a multi-stage process. A first-stage payload overwrites the master boot record (MBR); a second stage then downloads a malicious DLL hosted on a Discord server, which in turn drops and executes a further wiper payload that irreversibly destroys files on the infected host by overwriting their contents with fixed data.
First Stage – This stage makes the initial attempt to wipe the system. The executable overwrites the master boot record (MBR) with code that displays a ransom note instead of booting the operating system; the note is a decoy, since nothing is encrypted and no recovery is possible from the attackers' side. In posing as ransomware, WhisperGate resembles the NotPetya wiper of the 2017 campaign.
Second Stage – The second stage is a downloader that retrieves the third stage from a hard-coded Discord server URL. Before doing so it runs a base64-encoded PowerShell command twice in order to put the endpoint to sleep for a total of 20 seconds, a delay of the kind commonly used to outlast automated sandbox analysis. PowerShell's encoded-command argument is base64 over UTF-16LE text, so defenders decoding such commands from process logs must decode with that encoding rather than ASCII.
Third Stage – The third stage is a DLL written in C# and obfuscated with Eazfuscator. It acts as a dropper that delivers and executes the fourth-stage wiper payload.
Fourth Stage – Unlike the first-stage MBR wiper, the fourth-stage wiper targets the files themselves: its goal is to destroy all data on the endpoint by overwriting file contents. It most likely serves as a fallback in case the first-stage MBR wipe fails to render the endpoint unusable.
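As an added example (not code from the article, Talos or Microsoft), the following Python script shows the detection-side counterpart of the second-stage behaviour described above: it decodes PowerShell -EncodedCommand arguments from process-creation log lines (base64 over UTF-16LE) and sums the Start-Sleep delays per parent process, flagging parents whose encoded PowerShell children delay for 20 seconds or more. The log lines, their pipe-delimited field layout, the PIDs and the exact sleep command text are constructed assumptions; the article only states that the encoded command is run twice to sleep the endpoint for 20 seconds.

```python
"""
Decode PowerShell -EncodedCommand arguments from process-creation log lines and
flag parents whose encoded PowerShell children sleep for 20 seconds or more in
total, the second-stage behaviour described above. Added example: not code from
the article, Talos or Microsoft. The log format, PIDs and sleep command text are
constructed assumptions.
"""
import base64
import re
from collections import defaultdict
from typing import Dict, List, Optional

# PowerShell accepts -EncodedCommand and its documented short forms -enc, -ec and -e.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Start-Sleep with a positional or -Seconds/-s value; -Milliseconds is deliberately ignored.
SLEEP_RE = re.compile(r"Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.IGNORECASE)


def build_encoded(script: str) -> str:
    """Encode a script the way PowerShell expects: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(b64: str) -> Optional[str]:
    """Plaintext script for an -EncodedCommand value, or None if it is not valid UTF-16LE base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def decoded_commands(cmdline: str) -> List[str]:
    """Every encoded script found in one command line, decoded."""
    scripts = []
    for match in ENC_RE.finditer(cmdline):
        script = decode_encoded_command(match.group(1))
        if script is not None:
            scripts.append(script)
    return scripts


def sleep_seconds(script: str) -> int:
    """Total Start-Sleep seconds requested by a decoded script."""
    return sum(int(n) for n in SLEEP_RE.findall(script))


def parse_line(line: str) -> Dict[str, str]:
    """Constructed layout: timestamp|parent PID|image path|command line."""
    ts, ppid, image, cmdline = line.split("|", 3)
    return {"ts": ts, "ppid": ppid, "image": image, "cmdline": cmdline}


def sleep_totals_by_parent(log_lines: List[str]) -> Dict[str, int]:
    """Seconds of encoded Start-Sleep per parent PID, counting only powershell.exe children."""
    totals: Dict[str, int] = defaultdict(int)
    for line in log_lines:
        ev = parse_line(line)
        if not ev["image"].lower().endswith("powershell.exe"):
            continue
        for script in decoded_commands(ev["cmdline"]):
            totals[ev["ppid"]] += sleep_seconds(script)
    return dict(totals)


def find_sleep_stagers(log_lines: List[str], threshold_seconds: int = 20) -> List[str]:
    """Parent PIDs whose encoded PowerShell children delay for at least the threshold."""
    totals = sleep_totals_by_parent(log_lines)
    return sorted(ppid for ppid, secs in totals.items() if secs >= threshold_seconds)


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed events: a stager (parent PID 4120) running the encoded sleep twice,
# and an unrelated admin shell (parent PID 812) running an encoded Get-Date.
SAMPLE_LOG = [
    "2022-01-14T02:00:01Z|4120|" + PS + "|powershell.exe -enc " + build_encoded("Start-Sleep -s 10"),
    "2022-01-14T02:00:12Z|4120|" + PS + "|powershell.exe -enc " + build_encoded("Start-Sleep -s 10"),
    "2022-01-14T02:01:40Z|812|" + PS + "|powershell.exe -NoProfile -EncodedCommand " + build_encoded("Get-Date"),
    "2022-01-14T02:02:05Z|812|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = parse_line(line)
        for script in decoded_commands(ev["cmdline"]):
            print(ev["ppid"], "->", script)
    print("parents meeting the 20 s sleep threshold:", find_sleep_stagers(SAMPLE_LOG))
```

The per-parent aggregation matters: each individual 10-second sleep looks harmless, and only the pair launched by the same parent reaches the 20-second figure the article reports. A real deployment would also bound the aggregation to a time window and join on the parent image path, which the constructed log does not carry.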
The findings come a week after approximately 80 Ukrainian government websites were defaced. Ukrainian intelligence agencies confirmed that the two incidents are part of a wave of malicious activity targeting the country's critical infrastructure, and noted that the attackers exploited recently disclosed Log4j vulnerabilities to gain access to some of the compromised systems.
In a 2017 deep dive into the attacks on Ukraine's power grid that caused unprecedented blackouts in late 2015, Wired's Andy Greenberg wrote that "Russia is using the country as a cyberwar testing ground — a laboratory for perfecting new forms of global online combat."
Finally, the researchers concluded: "Systems in Ukraine face challenges that may not apply to those in other parts of the world, and extra safeguards and precautionary measures must be implemented. It is critical to ensure that those systems are both patched and hardened in order to help mitigate the threats that the region faces."
INDICATORS OF COMPROMISE
Hashes (SHA-256)
Stage 1 (MBR Wiper)
a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
Stage 2 (Downloader)
dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Stage 3 (Loader DLL)
923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6
Stage 4 (File Wiper)
9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d
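An added triage script (not from the article, Talos or Microsoft) that puts the indicators above to use. It computes a streamed SHA-256 over every regular file under a directory and matches the digests against the four published stage hashes; as a generalisation of the stage-4 behaviour described earlier, it also flags files whose entire content is a single repeated byte. That repeated-byte check is a triage heuristic assumed here (the article does not say which filler value the wiper writes, so the check is value-agnostic), and the sample directory the script builds is constructed test data.

```python
"""
Hash-based IOC matching plus a repeated-byte content check for wiped files.
Added example: not code from the article, Talos or Microsoft. The four SHA-256
values are the ones published above; the uniform-content check is a triage
heuristic assumed here for the "overwritten with fixed data" behaviour, and
the sample directory is constructed test data.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

# SHA-256 digests from the indicators-of-compromise list above, keyed to their stage.
WHISPERGATE_HASHES: Dict[str, str] = {
    "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92": "stage 1 (MBR wiper)",
    "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78": "stage 2 (downloader)",
    "923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6": "stage 3 (loader DLL)",
    "9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d": "stage 4 (file wiper)",
}
CHUNK = 1024 * 1024


def sha256_file(path: str) -> str:
    """Streamed SHA-256 so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_ioc(digest: str) -> Optional[str]:
    """Stage label for a known WhisperGate digest (case-insensitive), else None."""
    return WHISPERGATE_HASHES.get(digest.lower())


def is_uniform_content(path: str, min_size: int = 1024) -> bool:
    """True if the file has at least min_size bytes and every byte equals the first one.
    Value-agnostic on purpose: the article does not say which filler byte the wiper uses."""
    if os.path.getsize(path) < min_size:
        return False
    with open(path, "rb") as fh:
        first = fh.read(1)
        fh.seek(0)
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            if chunk.strip(first):  # anything left after stripping the filler byte
                return False
    return True


def triage(root: str, min_size: int = 1024) -> Dict[str, List[str]]:
    """Walk root; report IOC hash matches and uniform-content files as paths relative to root."""
    findings: Dict[str, List[str]] = {"ioc_match": [], "uniform_content": []}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            rel = os.path.relpath(path, root)
            try:
                stage = match_ioc(sha256_file(path))
                if stage:
                    findings["ioc_match"].append(rel + ": " + stage)
                if is_uniform_content(path, min_size):
                    findings["uniform_content"].append(rel)
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
    return findings


def make_sample_dir() -> str:
    """Constructed test data: a benign text file, an empty file, a 4 KiB file of one
    repeated byte (0xCC chosen arbitrarily), and a 16-byte file below the size floor."""
    root = tempfile.mkdtemp(prefix="whispergate-triage-")
    samples = {
        "clean.txt": b"quarterly report draft\n",
        "empty.bin": b"",
        "wiped.bin": b"\xcc" * 4096,
        "small.bin": b"\xcc" * 16,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    print(triage(make_sample_dir()))
```

Hash matching only catches the exact samples listed, so any rebuilt or repacked stage will slip past it; the uniform-content check is the complementary signal, because it keys on the effect of the wiper rather than on its binary. The size floor keeps small files that legitimately consist of one byte value (padding blobs, zero-filled placeholders) out of the findings.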
For more cyber security news, follow @cyberworkx1 on Twitter.