On January 13, 2022, Microsoft identified evidence of a malware campaign targeting government organizations in Ukraine and subsequently published a report on it. The attack uses a destructive wiper called WhisperGate that executes in several stages. So far it has only been observed on Windows systems, and its main objective appears to be data destruction rather than financial gain. The same malware could be used to disrupt government agencies, non-profit organizations, or other entities located in Ukraine.
In the first stage of the attack the malware overwrites the Master Boot Record (MBR) with a ransom message, so the note is what the victim sees at the next boot, as shown in Figure 1.

WhisperGate infects in several stages; despite the ransom note, the final payload does not encrypt anything but overwrites the contents of targeted files and renames them with a random extension, destroying the data.
Figure 2 shows the different stages of the malware.

Technical Analysis
We analyzed the samples referenced in the Microsoft report; this blog presents a deep-dive technical analysis of the WhisperGate malware used in the attack.
Stage 1 Malware Analysis
stage1.exe is an unpacked 32-bit PE file compiled with GCC and carrying a compile timestamp of January 10, 2022.

Upon execution, the malware copies the ransom note into memory and calls CreateFileW() to open a handle to the physical drive (\\.\PhysicalDrive0), which gives it raw access to the MBR. It then writes the ransom note over the MBR with WriteFile(). Only the first 512 bytes of the disk are overwritten, i.e. the boot sector holding the boot code, the partition table and the 0x55AA boot signature. The partitions' data are left in place, but with the partition table gone the system can no longer boot normally.
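The following is an added example for this write-up, not code from the original post or from the malware. It performs the check a responder wants after reading the above: read sector 0 of a disk or disk image and decide whether it still looks like a working MBR or has been replaced by a ransom note. It does not rely on the 0x55AA signature alone, because a bootable note sector can still carry it; it also validates the partition table and measures how much of the sector is printable text. The two sample sectors built at the bottom are constructed test data, and the device path in the comment is only an illustration.

```python
"""Boot-sector triage for an MBR overwrite of the kind stage1.exe performs."""
import string
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55            # stored little-endian as 55 AA at offset 510
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
TEXT_RATIO_THRESHOLD = 0.6         # real boot code is mostly non-printable bytes

_PRINTABLE = set(string.printable.encode())


def read_boot_sector(path: str) -> bytes:
    """Read sector 0 from a raw device or a dd image."""
    # e.g. path = r"\\.\PhysicalDrive0" on Windows (administrator rights needed)
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_partition_table(sector: bytes) -> list:
    """Return the four 16-byte partition entries as (status, type, lba_start, sector_count)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append((status, ptype, lba, count))
    return entries


def triage_mbr(sector: bytes) -> dict:
    """Classify one 512-byte sector as 'intact' or 'suspicious' and list the reasons."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    reasons = []

    signature_ok = struct.unpack_from("<H", sector, 510)[0] == BOOT_SIGNATURE
    if not signature_ok:
        reasons.append("boot signature 55 AA missing")

    entries = parse_partition_table(sector)
    # A valid table has status bytes of 0x00/0x80 only and at least one used entry;
    # note text written across this region fails both tests.
    statuses_ok = all(status in (0x00, 0x80) for status, _, _, _ in entries)
    any_partition = any(ptype != 0 for _, ptype, _, _ in entries)
    if not (statuses_ok and any_partition):
        reasons.append("partition table is not well formed")

    text_ratio = sum(b in _PRINTABLE for b in sector) / SECTOR_SIZE
    if text_ratio > TEXT_RATIO_THRESHOLD:
        reasons.append(f"sector is {text_ratio:.0%} printable text, not boot code")

    return {
        "verdict": "intact" if not reasons else "suspicious",
        "boot_signature": signature_ok,
        "partitions": [e for e in entries if e[1] != 0],
        "text_ratio": round(text_ratio, 2),
        "reasons": reasons,
    }


def build_sample_sectors() -> tuple:
    """Constructed test data: (sane MBR, MBR overwritten with a boot stub plus note text)."""
    prologue = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e"   # xor ax,ax / mov ss,ax / mov sp,0x7c00 ...

    good = bytearray(SECTOR_SIZE)
    good[:len(prologue)] = prologue
    # one active NTFS-type partition starting at LBA 2048, 1,024,000 sectors long
    struct.pack_into("<B3xB3xII", good, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 1024000)
    struct.pack_into("<H", good, 510, BOOT_SIGNATURE)

    # constructed note text, not the real ransom message
    note = b"YOUR HARD DRIVE HAS BEEN CORRUPTED. SEND A MESSAGE TO OUR TOX ID TO RECOVER. "
    bad = bytearray(SECTOR_SIZE)
    bad[:len(prologue)] = prologue
    # the note runs straight through the partition-table area, as a 512-byte overwrite would
    bad[len(prologue):510] = (note * 8)[: 510 - len(prologue)]
    struct.pack_into("<H", bad, 510, BOOT_SIGNATURE)    # a bootable note sector still carries 55 AA
    return bytes(good), bytes(bad)


if __name__ == "__main__":
    for label, sector in zip(("clean", "overwritten"), build_sample_sectors()):
        print(label, triage_mbr(sector))
```

Run it against a forensic image by passing the image path to read_boot_sector() and feeding the result to triage_mbr(); the reasons list tells you which of the three properties was lost, which matters because an overwritten sector that still boots into a note will pass a signature-only check.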

The figure below shows the ransom note embedded in the sample.

Stage 2 Malware Analysis
stage2.exe is a 32-bit .NET PE binary carrying the same compile timestamp, January 10, 2022, as stage1.exe.

The file's version-information description is written in Russian, and the binary masquerades as a Microsoft file.

Our research indicates that the TAs attached an invalid digital signature purporting to come from Microsoft, presumably so the file appears legitimate at a glance. Because the signature does not validate, it would not pass Authenticode verification; it only helps the binary blend in with signed Microsoft files.

stage2.exe is a downloader: it fetches the stage-3 payload, a file named Tbopbh.jpg, from the Discord CDN. The URL and IP details are listed below.
- URL: hxxps://cdn[.]discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh[.]jpg
- IP address: 162[.]159[.]133[.]233

Stage 3 Malware Analysis
The stage-3 payload downloaded from the Discord CDN is not an image: it is a PE file stored with its bytes in reverse order, as shown in Figure 4, which is enough to defeat naive file-type identification on the .jpg.

After reversing the byte order, we obtain a .NET assembly DLL named Frkmlkdkdubkznbkmcf.dll, which contains two resources, as shown in Figure 11.
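The following is an added example for this write-up, not code from the original post or from the malware. It automates what the previous two paragraphs describe for the downloaded Tbopbh.jpg: detect the reversed-byte trick (the blob ends in "ZM" instead of starting with "MZ"), restore the byte order, and parse enough of the PE header to report the architecture, whether the image is a DLL, its compile timestamp and whether it carries a CLR header, i.e. is a .NET assembly. The sample image built at the bottom is a constructed header-only PE32 .NET DLL, not a real assembly and not the stage-3 file.

```python
"""Recover and sanity-check a byte-reversed PE such as the stage-3 Tbopbh.jpg."""
import struct
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_FILE_DLL = 0x2000
CLR_RUNTIME_HEADER_INDEX = 14      # data directory slot holding the .NET CLR header


def parse_pe(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers; raise ValueError if this is not a PE."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")

    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, timestamp, _, _, _opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)

    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        bits, nrva_off, dd_off = 32, 92, 96
    elif magic == PE32PLUS_MAGIC:
        bits, nrva_off, dd_off = 64, 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")

    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    clr_rva = clr_size = 0
    if nrva > CLR_RUNTIME_HEADER_INDEX:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, opt + dd_off + CLR_RUNTIME_HEADER_INDEX * 8)

    return {
        "bits": bits,
        "machine": machine,
        "sections": nsections,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
    }


def recover_reversed_pe(blob: bytes) -> tuple:
    """Return (pe_bytes, was_reversed); raise ValueError if neither byte order is a PE."""
    if blob[:2] == IMAGE_DOS_SIGNATURE:
        parse_pe(blob)
        return blob, False
    # A PE stored back to front ends with "ZM": the DOS signature read backwards.
    if blob[-2:] == IMAGE_DOS_SIGNATURE[::-1]:
        candidate = blob[::-1]
        parse_pe(candidate)           # validate before trusting the reversed bytes
        return candidate, True
    raise ValueError("not a PE image in either byte order")


def build_sample_dotnet_dll() -> bytes:
    """Constructed header-only PE32 .NET DLL used as test input (not a real assembly)."""
    buf = bytearray(0x80 + 4 + 20 + 0xE0 + 40)      # DOS stub, PE sig, COFF, optional hdr, 1 section hdr
    buf[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", buf, 0x3C, 0x80)           # e_lfanew
    buf[0x80:0x84] = IMAGE_NT_SIGNATURE
    coff = 0x84
    # i386, 1 section, timestamp 2022-01-10 09:44:32 UTC, 0xE0-byte optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    struct.pack_into("<HHIIIHH", buf, coff, 0x14C, 1, 0x61DC0000, 0, 0, 0xE0, 0x2102)
    opt = coff + 20
    struct.pack_into("<H", buf, opt, PE32_MAGIC)
    struct.pack_into("<I", buf, opt + 92, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 96 + CLR_RUNTIME_HEADER_INDEX * 8, 0x2008, 0x48)
    return bytes(buf)


if __name__ == "__main__":
    downloaded = build_sample_dotnet_dll()[::-1]      # what the downloader receives
    image, flipped = recover_reversed_pe(downloaded)
    print("reversed:", flipped, parse_pe(image))
```

Point recover_reversed_pe() at the bytes fetched from the CDN URL and write out the recovered image for further analysis; the parse step guards against treating any blob that happens to end in "ZM" as a reversed PE, and the timestamp field lets you compare the stage-3 build time with the January 10 timestamps of the earlier stages.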

The malware loads the resource named 78c855a088924e92a7f60d661c3d1845 into memory and produces from it a new .NET DLL named zx_fee6cce9db1d42510801fc1ed0e09452.dll. That DLL in turn carries two resources, AdvancedRun and Waqybg. AdvancedRun, a legitimate NirSoft utility for launching programs under different privileges, is used to stop and disable Windows Defender. The malware then loads the Waqybg resource into memory and produces from it the stage-4 payload, the file corrupter described next.

Stage 4 Malware Analysis
The stage-4 malware is a 32-bit PE file compiled with GCC.

Stage 4 is a file corrupter: it enumerates the victim's system for files with roughly 120 targeted extensions and overwrites their contents, then renames each file by appending a random four-byte extension. Although the note on the MBR demands a ransom, nothing is encrypted; the original content is destroyed outright. Finally, the malware removes its own file with the command below, which uses ping as a short delay so that the deletion runs after the payload has exited:
cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q "[Filepath]"
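The following is an added example for this write-up, not code from the original post or from the malware. It turns the self-delete command above into a hunt over process-creation telemetry. Because the pinged address is arbitrary (it is only a sleep) and the switches vary, the rule keys on the ping -> nul -> del chain rather than on 111.111.111.111, and it flags the strongest form of the idiom, a child shell deleting its own parent's image. The records are constructed Sysmon-style events, not real telemetry, and the file paths in them are invented.

```python
"""Hunt for the ping-then-del self-delete idiom in process-creation telemetry."""
import re

SELF_DELETE_RE = re.compile(
    r"ping\s+(?P<host>[\w.\-:]+)"      # target of the ping; it only serves as a delay
    r"(?:\s+-[nw]\s+\d+)*"             # -n <count> / -w <timeout>, any order, optional
    r"\s*>\s*nul\s*&+\s*"              # discard output, chain with & or &&
    r"del\s+(?:/\w\s+)*"               # del with any of its switches (/f /q ...)
    r"(?P<path>.+?)\s*$",              # the file being removed
    re.IGNORECASE,
)


def detect_self_delete(events: list) -> list:
    """Return one finding per process-creation event whose command line matches the chain."""
    findings = []
    for ev in events:
        m = SELF_DELETE_RE.search(ev.get("CommandLine", ""))
        if not m:
            continue
        path = m["path"].strip('"\\ ')                 # drop quotes and escaping
        parent = ev.get("ParentImage", "")
        findings.append({
            "parent": parent,
            "host": m["host"],
            "deleted_path": path,
            # the shell is removing the binary that spawned it: classic self-deletion
            "deletes_parent": parent.lower() == path.lower(),
            "command": ev["CommandLine"],
        })
    return findings


# Constructed sample telemetry (EventID 1 style): two ping/del chains, two benign commands.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Public\payload.exe",
     "CommandLine": r'cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q "C:\Users\Public\payload.exe"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\alice\Downloads\setup.exe",
     "CommandLine": r'cmd /c ping 127.0.0.1 -n 3 > nul && del /q "C:\Users\alice\Downloads\run.exe"'},
    {"Image": r"C:\Windows\System32\PING.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "ping 8.8.8.8 -n 4"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c del /q "C:\Temp\old.log"'},
]

if __name__ == "__main__":
    for hit in detect_self_delete(SAMPLE_EVENTS):
        flag = "SELF-DELETE" if hit["deletes_parent"] else "cleanup"
        print(f"{flag}: {hit['parent']} -> removes {hit['deleted_path']}")
```

Feed it the CommandLine and ParentImage fields from Sysmon EventID 1 or Windows 4688 (with command-line auditing enabled). Installers use the same ping/del trick to tidy up after themselves, so treat deletes_parent as the high-confidence signal and the plain chain as a lead to correlate with file-rename bursts on the same host.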

Additional Information
Based on our dark web intelligence, threat actors allegedly leaked data belonging to several departments of the Government of Ukraine. Both the dark web leak and the ransom note contain Tox IDs, a common channel for communicating with these actors. We therefore suspect that the leaked data is associated with the attack reported by Microsoft.

Conclusion
We analyzed the WhisperGate multistage malware samples and found a deliberately layered modus operandi. Unlike typical ransomware, the malware overwrites the MBR and displays a ransom message in the initial stage of the attack. There is no decryption or data recovery mechanism, and because the targeted files are overwritten rather than encrypted, recovery is not technically possible. Based on the above analysis, we suspect that the objective of the malware is to damage victim systems rather than to collect a ransom.
Our Recommendations
We have listed some essential cybersecurity best practices that form the first line of defence against attackers. We recommend that our readers follow the suggestions given below:
- Don't keep important files only in common locations such as the Desktop, My Documents, etc.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Conduct regular backups and keep those backups offline or on a separate network.

MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
Execution | T1204 | User Execution |
Impact | T1531 | Account Access Removal |
Impact | T1485 | Data Destruction |
Impact | T1561 | Disk Wipe |
Impact | T1489 | Service Stop |
Impact | T1486 | Data Encrypted for Impact |
Impact | T1565 | Data Manipulation |
Discovery | T1518 | Security Software Discovery |
Discovery | T1087 | Account Discovery |
Discovery | T1083 | File and Directory Discovery |
Indicators Of Compromise (IoCs)
Indicators | Indicator type | Description |
189166d382c73c242ba45889d57980548d4ba37e | SHA-1 | Stage1.exe |
16525cb2fd86dce842107eb1ba6174b23f188537 | SHA-1 | Stage2.exe |
b2d863fc444b99c479859ad7f012b840f896172e | SHA-1 | Stage3.exe |
a67205dc84ec29eb71bb259b19c1a1783865c0fc | SHA-1 | Stage4.exe |
82d29b52e35e7938e7ee610c04ea9daaf5e08e90 | SHA-1 | Stage 3 embedded DLL |
hxxps://cdn[.]discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh[.]jpg | Discord CDN URL | Downloader |
162[.]159[.]133[.]233 | Discord CDN IP | Downloader |
1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv | Address | Bitcoin Wallet |
8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65 | ID | Tox |
Yara Rules:
rule Whispergate_Stage_1 {
    meta:
        description = "Detects first stage payload from WhisperGate"
        author = "mmuir@cadosecurity.com"
        date = "2022-01-17"
        license = "Apache License 2.0"
        hash = "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92"
    strings:
        // Bitcoin wallet address from the ransom note, as ASCII
        $a = { 31 41 56 4E 4D 36 38 67 6A 36 50 47 50 46 63 4A 75 66 74 4B 41 54 61 34 57 4C 6E 7A 67 38 66 70 66 76 }
        // Tox ID from the ransom note, as ASCII
        $b = { 38 42 45 44 43 34 31 31 30 31 32 41 33 33 42 41 33 34 46 34 39 31 33 30 44 30 46 31 38 36 39 39 33 43 36 41
               33 32 44 41 44 38 39 37 36 46 36 41 35 44 38 32 43 31 45 44 32 33 30 35 34 43 30 35 37 45 43 45 44 35 34 39 36 46
               36 35 }
        // "$10k via bitcoin wallet"
        $c = { 24 31 30 6B 20 76 69 61 20 62 69 74 63 6F 69 6E 20 77 61 6C 6C 65 74 }
        // "tox ID"
        $d = { 74 6F 78 20 49 44 }
    condition:
        uint16(0) == 0x5A4D and all of them
}
rule Whispergate_Stage_2 {
    meta:
        description = "Detects second stage payload from WhisperGate"
        author = "mmuir@cadosecurity.com"
        date = "2022-01-17"
        license = "Apache License 2.0"
        hash = "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78"
    strings:
        // "m_Interceptor"
        $a = { 6D 5F 49 6E 74 65 72 63 65 70 74 6F 72 }
        // obfuscated .NET member names of the form m_<32 hex characters>
        $b = { 6D 5F 62 31 36 65 37 33 65 30 64 61 61 63 34 62 34 33 62 36 35 36 36 39 30 31 62 35 34 32 34 63 35 33 }
        $c = { 6D 5F 34 33 37 37 33 32 63 65 65 35 66 35 34 64 37 64 38 34 61 64 64 37 62 64 33 30 39 37 64 33 63 61 }
        $d = { 6D 5F 30 64 62 39 37 30 38 63 66 36 34 39 34 30 38 32 39 66 39 61 66 38 37 65 64 65 65 64 66 36 30 65 }
        $e = { 6D 5F 65 31 34 33 33 31 36 38 32 30 62 31 34 64 30 33 38 38 61 37 32 37 34 34 33 38 65 63 30 37 38 64 }
        $f = { 6D 5F 66 33 31 30 39 30 63 37 31 35 64 65 34 62 30 62 61 62 64 33 31 61 36 33 34 31 31 30 34 36 63 38 }
        $g = { 6D 5F 36 31 31 64 31 61 62 63 33 32 66 63 34 66 64 38 61 33 34 65 30 34 34 66 39 37 33 34 34 31 64 61 }
        $h = { 6D 5F 37 37 34 62 39 32 31 30 64 39 38 31 34 32 65 62 62 34 34 31 33 35 35 39 64 61 61 65 35 61 34 34 }
    condition:
        uint16(0) == 0x5A4D and all of them
}
Figure 16: Yara Rules (Source: cadosecurity)