WhisperGate Malware Corrupts Computers in Ukraine

This report is a technical overview of the WhisperGate malware reported by Microsoft Threat Intelligence on January 15, 2022. It is intended for those looking for a high-level overview of the malware’s TTPs and mitigations.

Executive Summary

WhisperGate is a new malware family being used in an ongoing operation targeting multiple industries in Ukraine, including government, non-profit, and information technology organizations. The malware is a 3-stage master boot record (MBR) wiper designed to destroy a victim’s MBR and corrupt files on attached storage devices. Each stage has a discrete task: stage 1 overwrites the MBR with a ransom note and boot code that overwrites sections of every drive it finds; stage 2 downloads and executes stage 3, which is hosted on Discord’s CDN disguised as a JPG attachment; and stage 3 corrupts any file whose extension matches a list of 191 file extensions. The developers use obfuscation, particularly in stage 3, to evade detection and analysis. WhisperGate wipes and corrupts a Windows system to the point where the affected files and, on MBR-partitioned boot disks, the drives themselves are no longer recoverable or usable. Details around the motive for WhisperGate and the threat actor behind the attacks are still emerging. These attacks take place in the context of an escalating risk of a Russian invasion of Ukraine and the Ukrainian government website defacements that occurred on January 14, 2022.

Key Judgments

Background

On January 15, 2022, Microsoft reported a destructive malware operation targeting multiple organizations in Ukraine. This activity has not been attributed to any existing threat actor group and is therefore being tracked using Microsoft's DEV-#### naming convention, which is used to track unknown emerging clusters of threat activity. This group has been given the designation DEV-0586 until it is eventually converted to a named actor or merged with an existing actor. Microsoft started seeing this malicious activity on January 13, 2022, which led to the investigation that uncovered a new malware family that is being tracked as WhisperGate.

WhisperGate Technical Analysis

The WhisperGate malware has 3 stages, detailed below in Figure 1. All 3 stages must execute before the machine reboots for maximum effect. Stage 1 corrupts the MBR of the victim’s boot disk, and upon reboot the replacement MBR code corrupts the other drives on the system. Stage 2 downloads stage 3, which corrupts files on attached file systems and network drives. The two paths are independent: files are damaged if stage 1 alone succeeds, or if stage 2 alone succeeds in fetching and running stage 3. In testing, we found that GUID Partition Table (GPT) disks are not irreparably destroyed by stage 1 and are therefore partially immune to that stage of the malware. We speculate that stages 2 and 3 were included to ensure that victims booting from GPT-style disks are affected as well. Stage 3 also targets remote network drives, which causes further damage regardless of the partitioning scheme used by the victim’s boot disk.

whispergate-malware-corrupts-computers-ukraine-1-1.png
Figure 1: Stages of WhisperGate malware (Source: Recorded Future)
Stage 1: Overwrite Master Boot Record (MBR)

Stage 1 is compiled with the Minimalist GNU for Windows (MinGW) toolchain, GNU Compiler Collection (GCC) 6.3.0. The binary’s primary objective is to overwrite the MBR of “\\.\PhysicalDrive0” with a custom MBR whose effect is not seen until the machine reboots. Opening the raw disk handle for writing requires administrative privileges, so stage 1 only succeeds from an elevated context. At startup, the computer’s BIOS determines the order in which disks are checked for a bootable MBR. Overwriting the MBR on PhysicalDrive0 assumes that this disk is the first one the BIOS checks, which is normally a reasonable assumption. Once the machine reboots and the custom MBR code executes, the user is presented with the ransom note displayed in Figure 2.

whispergate-malware-corrupts-computers-ukraine-2-1.png
Figure 2: Ransom note displayed after stage 1 of WhisperGate is executed (Source: Recorded Future)

After displaying the ransom note, the MBR code overwrites one sector on each drive at intervals of 199 sectors with the contents shown in Figure 3. The extended INT 13h write interface addresses whole sectors by logical block address, so the stride is 199 sectors rather than 199 bytes. The content written differs per drive only at the sixth byte, which increments sequentially from 0x00 for each drive.

whispergate-malware-corrupts-computers-ukraine-3-1.png
Figure 3: Hex view of the contents that are written to disk (Source: Recorded Future)

The MBR code writes the content repeatedly to each drive through INT 13h extended write calls (function AH=0x43, which takes a disk address packet holding the target LBA and the buffer), iterating over the BIOS drive numbers (DL = 0x80, 0x81, …), as shown in Figure 4.

whispergate-malware-corrupts-computers-ukraine-4-1.png
Figure 4: MBR instructions that enumerate the drives and overwrite sections on each disk found (Source: Recorded Future)

If the boot disk uses a GPT partition table (the normal case on UEFI systems), stage 1 is far less effective. The 512-byte write still destroys the protective MBR in sector 0, so Windows will not boot, but firmware booting in native UEFI mode loads the boot manager from the EFI System Partition and never executes MBR boot code, so WhisperGate’s drive-wiping routine never runs. The GPT header at LBA 1, the partition entry array, and the backup copies GPT keeps at the end of the disk are left intact, so victims can rebuild the protective MBR and restore the partition table by booting a live Linux distribution and using the recovery and transformation menu of the gdisk utility, as shown in Figure 5. Take a forensic image of the disk before writing anything back to it.

whispergate-malware-corrupts-computers-ukraine-5-1.png
Figure 5: Restoring the corrupted GPT table with the gdisk recovery command (Source: Recorded Future)
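
The claim that a GPT disk survives stage 1 can be checked on a disk image before reaching for gdisk. The script below is an added example, not code from the report or from the malware: it constructs a small GPT image, verifies the protective MBR and both GPT headers (signature plus CRC32 of the header and of the partition array), then overwrites sector 0 the way stage 1 does, using a constructed stand-in for the custom MBR rather than the real boot code, and shows that the primary and backup headers, which gdisk rebuilds from, still verify. The GUIDs, partition name and image size are arbitrary choices.

```python
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIG = b"EFI PART"
HDR_FMT = "<8sIIIIQQQQ16sQIII"       # the 92-byte GPT header
ENTRY_SIZE, ENTRY_COUNT = 128, 128    # 16 KiB partition array, the UEFI minimum
ARRAY_SECTORS = ENTRY_SIZE * ENTRY_COUNT // SECTOR


def _header(current, backup, first_usable, last_usable, disk_guid, array_lba, array_crc):
    """Serialise one GPT header; its CRC32 is computed with the CRC field itself zeroed."""
    f = [GPT_SIG, 0x00010000, 92, 0, 0, current, backup, first_usable, last_usable,
         disk_guid, array_lba, ENTRY_COUNT, ENTRY_SIZE, array_crc]
    f[3] = zlib.crc32(struct.pack(HDR_FMT, *f)) & 0xFFFFFFFF
    return struct.pack(HDR_FMT, *f).ljust(SECTOR, b"\0")


def build_gpt_image(total_sectors=2048):
    """Constructed sample: a 1 MiB GPT disk image with protective MBR, primary header and
    partition array, one basic data partition, and the backup array and header at the end."""
    img = bytearray(total_sectors * SECTOR)
    # Protective MBR: a single type-0xEE entry covering the disk, plus the 0x55AA signature.
    img[446:462] = struct.pack("<B3sB3sII", 0, b"\x00\x02\x00", 0xEE, b"\xff\xff\xff",
                               1, min(total_sectors - 1, 0xFFFFFFFF))
    img[510:512] = b"\x55\xaa"
    first_usable, last_usable = 2 + ARRAY_SECTORS, total_sectors - 2 - ARRAY_SECTORS
    entries = bytearray(ENTRY_COUNT * ENTRY_SIZE)
    entries[0:ENTRY_SIZE] = struct.pack(
        "<16s16sQQQ72s",
        uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7").bytes_le,   # Microsoft basic data
        uuid.uuid4().bytes_le, first_usable, last_usable, 0,
        "Basic data partition".encode("utf-16-le"))
    array_crc = zlib.crc32(bytes(entries)) & 0xFFFFFFFF
    disk_guid = uuid.uuid4().bytes_le
    backup_array_lba = total_sectors - 1 - ARRAY_SECTORS
    img[2 * SECTOR:first_usable * SECTOR] = entries
    img[backup_array_lba * SECTOR:(total_sectors - 1) * SECTOR] = entries
    img[SECTOR:2 * SECTOR] = _header(1, total_sectors - 1, first_usable, last_usable,
                                     disk_guid, 2, array_crc)
    img[(total_sectors - 1) * SECTOR:] = _header(total_sectors - 1, 1, first_usable,
                                                 last_usable, disk_guid,
                                                 backup_array_lba, array_crc)
    return img


def parse_gpt_header(img, lba):
    """Return the header at `lba` if signature and header CRC verify, else None.
    The returned dict also records whether the partition array it points to verifies."""
    raw = bytes(img[lba * SECTOR:lba * SECTOR + 92])
    if raw[:8] != GPT_SIG:
        return None
    f = list(struct.unpack(HDR_FMT, raw))
    stored_crc, f[3] = f[3], 0
    if zlib.crc32(struct.pack(HDR_FMT, *f)) & 0xFFFFFFFF != stored_crc:
        return None
    array = bytes(img[f[10] * SECTOR:f[10] * SECTOR + f[11] * f[12]])
    return {"current_lba": f[5], "backup_lba": f[6], "array_lba": f[10],
            "array_ok": (zlib.crc32(array) & 0xFFFFFFFF) == f[13]}


def has_protective_mbr(img):
    """True when sector 0 still carries a protective MBR (type 0xEE entry, 0x55AA signature)."""
    return img[510:512] == b"\x55\xaa" and img[446 + 4] == 0xEE


def assess_gpt_image(img):
    """Triage a disk image the way a responder would before running gdisk: is the protective
    MBR intact, and do the primary and backup GPT headers (and their arrays) still verify?"""
    primary = parse_gpt_header(img, 1)
    backup = parse_gpt_header(img, len(img) // SECTOR - 1)
    primary_ok = primary is not None and primary["array_ok"]
    backup_ok = backup is not None and backup["array_ok"]
    return {"protective_mbr": has_protective_mbr(img), "primary_ok": primary_ok,
            "backup_ok": backup_ok,
            # gdisk can rebuild the protective MBR and table from either valid copy.
            "recoverable": primary_ok or backup_ok}


def simulate_stage1_mbr_overwrite(img):
    """Model stage 1's user-mode action: replace the 512-byte sector 0 of PhysicalDrive0.
    The bytes written are a constructed stand-in (a jmp-to-self stub plus boot signature),
    not the real WhisperGate boot code. Nothing past sector 0 is touched."""
    img[0:SECTOR] = b"\xeb\xfe" + b"\x90" * 508 + b"\x55\xaa"
    return img


if __name__ == "__main__":
    image = build_gpt_image()
    print("before stage 1:", assess_gpt_image(image))
    print("after stage 1: ", assess_gpt_image(simulate_stage1_mbr_overwrite(image)))
```

Run against a real image by reading the first and last sectors of the `dd` copy into a bytearray instead of calling `build_gpt_image`; if `primary_ok` or `backup_ok` is true, gdisk's recovery menu has something to work from, and if both are false the disk was partitioned with an MBR scheme or took more than the sector-0 write.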
Stage 2: Downloader

Stage 2 is written in .NET, and its primary function is to download the third stage of the malware and execute it. It first delays for 20 seconds by running the PowerShell command “powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==”, whose base64 argument is the UTF-16LE encoding of “Start-Sleep -s 10”; the 10-second sleep is executed twice, most likely to outlast the execution window of AV sandboxes and emulators. The malware then retrieves the third stage from a Discord attachment hosted on https://cdn[.]discordapp[.]com, named Tbopbh.jpg. The file is not an image: stage 2 reverses the byte order of the downloaded blob, loads the result in memory as a .NET assembly, and invokes its Ylfwdwgmpilzyaph method.
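
Two things in stage 2 are worth having in a triage toolkit: decoding `-EncodedCommand` arguments found in process-creation logs, and undoing the byte reversal to confirm that a "JPG" is really a PE file. The script below is an added example, not code from the report or the malware. The sample command lines are constructed (only the first is the exact command quoted above), and the reversed payload is a minimal hand-built MZ/PE header standing in for Tbopbh.jpg, not the real stage 3.

```python
import base64
import re

# powershell.exe accepts any prefix of -EncodedCommand down to -e; the argument is base64 of
# the UTF-16LE command text. Longest prefix first so the match is unambiguous.
_PREFIXES = "|".join("encodedcommand"[:i] for i in range(14, 0, -1))
_ENC_RE = re.compile(r"(?:^|\s)[-/](?:" + _PREFIXES + r")\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Constructed sample log lines; the first is the command WhisperGate stage 2 runs.
SAMPLE_COMMAND_LINES = [
    "powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==",
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -nop -w hidden -EncodedCommand RwBlAHQALQBQAHIAbwBjAGUAcwBzAA==",
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload of a PowerShell command line, or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_command_lines(lines):
    """Return (command line, decoded payload) for every line carrying an encoded command."""
    out = []
    for line in lines:
        decoded = decode_encoded_command(line)
        if decoded is not None:
            out.append((line, decoded))
    return out


def unreverse_stage3(blob):
    """Undo stage 2's byte reversal of the downloaded 'JPG' and report whether the result
    is a PE image: an MZ header and a 'PE\\0\\0' signature at the e_lfanew offset."""
    data = bytes(blob)[::-1]
    if len(data) < 0x40 or data[:2] != b"MZ":
        return data, False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data, data[pe_off:pe_off + 4] == b"PE\0\0"


def fake_reversed_pe():
    """Constructed stand-in for Tbopbh.jpg: a minimal MZ/PE header stub, stored reversed."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)[::-1]


# A genuine JPEG starts like this; reversing it does not yield an MZ header.
REAL_JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"


if __name__ == "__main__":
    for line, payload in triage_command_lines(SAMPLE_COMMAND_LINES):
        print(f"{payload!r}  <-  {line}")
    print("reversed blob is PE:", unreverse_stage3(fake_reversed_pe())[1])
    print("real JPEG head is PE:", unreverse_stage3(REAL_JPEG_HEAD)[1])
```

Feeding Sysmon event 1 or Security event 4688 command lines through `triage_command_lines` surfaces the sleep-only payload, which is itself a weak signal (a benign script rarely needs an encoded `Start-Sleep`) and pairs well with the outbound request to cdn.discordapp.com that follows.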

Stage 3: File Corrupter

Stage 3 of the malware is written in .NET and obfuscated with Eazfuscator. Upon execution, 2 embedded PE executable resources (AdvancedRun and Wagybg) are unpacked, decoded, and GZIP-decompressed. Next, a .vbs script is written to “%AppData%\local\Temp\Nmddfrqqrbyjeygggda.vbs” and executed with wscript.exe. The script, shown in Figure 6, adds a Windows Defender exclusion for the entire C: drive so that nothing on it is scanned. An exclusion covering a whole system drive is a strong indicator on its own: current exclusions can be listed with Get-MpPreference (the ExclusionPath property), and the change is recorded in the Microsoft-Windows-Windows Defender/Operational log as event ID 5007.

whispergate-malware-corrupts-computers-ukraine-6-1.png
Figure 6: Contents of “%AppData%\local\Temp\Nmddfrqqrbyjeygggda.vbs” (Source: Recorded Future)

AdvancedRun is then executed to stop the Windows Defender service (WinDefend) and delete its program data folder. AdvancedRun is benign software developed by NirSoft that runs programs under different settings; the author chose it because it can run a program with TrustedInstaller privileges, which are needed to execute the commands that disable Windows Defender. Figures 7 and 8 show the command line arguments used to run AdvancedRun.exe; the /RunAs 8 argument instructs AdvancedRun to run the target as TrustedInstaller. A NirSoft utility dropped by a non-interactive process and launched with /RunAs 8 is a usable hunting signature.

whispergate-malware-corrupts-computers-ukraine-7-1.png
Figure 7: “AdvancedRun.exe” stopping the Windows Defender service (Source: Recorded Future)
whispergate-malware-corrupts-computers-ukraine-8-1.png
Figure 8: “AdvancedRun.exe” recursively deleting Windows Defender’s program data (Source: Recorded Future)

Finally, Wagybg is run via process hollowing inside an InstallUtil.exe process. A similar technique was used to load the Netwire trojan in 2019 as part of a phishing campaign. InstallUtil is a benign, Microsoft-signed program distributed as part of the .NET Framework, which makes it a convenient host process for injected code.

This stage of the malware performs the file corruption. It first enumerates the logical drives on the system by calling GetLogicalDrives(), then keeps those whose drive type is fixed media or a network drive. It searches these drives for files whose extension matches 1 of the 191 file extensions shown in Figure 9 below, and corrupts each match by overwriting the first 1 MiB of the file with 0xCC bytes. Because the write replaces content in place rather than encrypting it, there is nothing to decrypt; the ransom note is a decoy.

whispergate-malware-corrupts-computers-ukraine-9-1.png
Figure 9: Targeted file extensions (Source: Recorded Future)
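
The 0xCC overwrite leaves a signature that a responder can sweep a file share or mounted image for. The script below is an added example, not code from the report or the malware: it flags files with a targeted extension whose leading min(size, 1 MiB) bytes are all 0xCC, and, to exercise itself offline, builds a temporary directory of constructed files and corrupts two of them the way stage 3 would. The extension set is an assumed subset of the 191 entries in Figure 9; the simulation writes min(size, 1 MiB), and whether the real sample extends files smaller than 1 MiB is not stated in the report.

```python
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024          # stage 3 overwrites the first 1 MiB of each matching file with 0xCC
# Assumed subset of the 191 targeted extensions (the full list is in Figure 9 of the report).
TARGET_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".sql", ".bak"}


def looks_corrupted(path, chunk=CHUNK):
    """True when the leading min(size, chunk) bytes of `path` are all 0xCC.
    Empty files cannot carry the signature and are never flagged."""
    size = os.path.getsize(path)
    n = min(size, chunk)
    if n == 0:
        return False
    with open(path, "rb") as fh:
        head = fh.read(n)
    return head.count(0xCC) == n


def scan_tree(root, extensions=TARGET_EXTENSIONS):
    """Walk `root`; return, sorted and relative to root, the targeted files with a 0xCC head."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in extensions and looks_corrupted(p):
                hits.append(str(p.relative_to(root)))
    return sorted(hits)


def simulate_corruption(path, chunk=CHUNK):
    """Reproduce the destructive write on a file we own, for building test data only:
    overwrite the first `chunk` bytes with 0xCC and leave any remainder intact.
    Writing min(size, chunk) is an assumption about the real sample's behaviour."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(b"\xcc" * min(size, chunk))


def build_demo_tree():
    """Constructed sample data in a temporary directory: targeted and non-targeted files,
    two of which are then corrupted the way stage 3 would."""
    root = Path(tempfile.mkdtemp(prefix="whispergate-demo-"))
    (root / "report.docx").write_bytes(b"PK\x03\x04" + os.urandom(4096))
    (root / "big.sql").write_bytes(b"-- schema\n" + b"A" * (2 * CHUNK))   # larger than 1 MiB
    (root / "notes.txt").write_bytes(b"untouched\n")
    (root / "tool.exe").write_bytes(b"MZ" + b"\xcc" * 100)               # .exe is not targeted
    (root / "empty.txt").write_bytes(b"")
    simulate_corruption(root / "report.docx")
    simulate_corruption(root / "big.sql")
    return root


def demo():
    """Build the sample tree, scan it, and return what a responder would want to know."""
    root = build_demo_tree()
    try:
        return {
            "hits": scan_tree(root),
            # Data past the first 1 MiB survives, which matters when carving large files.
            "remainder_intact": (root / "big.sql").read_bytes()[CHUNK:CHUNK + 4] == b"AAAA",
            "empty_flagged": looks_corrupted(root / "empty.txt"),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Point `scan_tree` at a mounted read-only image or a share to get an inventory of what stage 3 reached; files larger than 1 MiB keep everything past the first mebibyte, so partial recovery of large databases, archives and media may be possible even though the headers are gone.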

After it finishes corrupting files, the corrupter sends 5 ICMP echo requests (ping) to 111.111.111[.]111 and then deletes itself, as shown in Figure 10. It is unclear exactly why the malware does this; we speculate that the pings add a delay before self-deletion or serve as a record of infected hosts. Either way, outbound ICMP to that address from an endpoint, followed by a process deleting its own image, is a narrow detection opportunity.

whispergate-malware-corrupts-computers-ukraine-10-1.png
Figure 10: Self-deletion function used by the file corrupter (Source: Recorded Future)

Mitigations

We recommend that organizations maintain an offsite backup strategy to protect their data from WhisperGate’s destructive capabilities. Because stage 3 also corrupts files on mapped network drives, backup targets should not be reachable as ordinary network shares from endpoints; offline or separately access-controlled copies are the ones that survive. The behaviours described above also give defenders several detection opportunities: a Defender exclusion added for the whole C: drive, AdvancedRun.exe launched with /RunAs 8 to stop the Windows Defender service, a hollowed InstallUtil.exe process, files whose first 1 MiB is 0xCC, and ping traffic to 111.111.111[.]111 followed by self-deletion.

Outlook

As of this writing, it appears that DEV-0586 has only been using WhisperGate to target organizations in Ukraine. We expect more information about this threat actor, including attribution, will be published over the next few days or weeks. Now that WhisperGate has been publicly reported and security professionals have been alerted to the malware, it is possible that the developers of WhisperGate will alter the wiper to better evade detections.