Microsoft has released an advisory about destructive malware used against Ukrainian government organizations. The malware is tracked as "WhisperGate" and the activity behind it is tracked as DEV-0586. The key aspect of this threat is that the malware is a master boot record (MBR) wiper disguised as ransomware.
Source/Credits/Written By: https://www.linkedin.com/in/vasudev-c/
The attack appears to follow this pattern:
Infiltration:
Initial access is reported to have come through a shared supplier, Kitsoft.
Malware Execution:
This is a two-stage attack. In the first stage the malware is dropped on the system as stage1.exe in one of the following locations:
- C:\perflogs\
- C:\programdata\
- C:\
- C:\temp\
On execution, stage1.exe overwrites the master boot record (MBR) with code that displays a note similar to the one below the next time the machine is started:
Your hard drive has been corrupted. In case you want to recover all hard drives of your organization, You should pay us $10k via bitcoin wallet 1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65 with your organization name. We will contact you to give further instructions.
The note is a ruse: the malware contains no recovery mechanism. Because the overwritten boot sector only runs at boot, an infected machine shows no symptom until it is powered down and restarted, which is when the damage surfaces.
In the second stage, stage2.exe acts as a downloader: it retrieves the file-corrupter payload from a Discord channel, and that payload searches for files with the following hard-coded extensions:
.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU .SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP
Each matching file is overwritten with a fixed run of 0xCC bytes (1 MB) and then renamed with a random four-byte extension, so the original extension is no longer visible on disk. This is data destruction, not encryption: there is nothing to decrypt.
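The following script is an added example, not part of the original write-up and not Microsoft's code: it gives an analyst an offline check for both stages described above, scanning a raw 512-byte boot sector for the ransom-note text and walking a directory tree for files whose leading bytes are all 0xCC. It assumes the analyst already has the boot sector and a mounted copy of the file system (for example from a disk image), that the corrupter writes 0xCC over the first 1 MiB of each file as described above, and, as this example's own choice, that any non-empty file starting with a solid run of 0xCC is a hit. The boot sector, directory and file names built by build_samples() are constructed test data.

```python
"""Added example (not part of the original write-up): offline triage helpers for
the two stages described above, a boot-sector check for the ransom-note text
and a directory walk for files overwritten with 0xCC.

Assumptions for this example: the analyst already has a raw 512-byte boot
sector and a mounted copy of the file system (e.g. from a disk image); the
corrupter writes 0xCC over the first 1 MiB of each file, as described above;
and any non-empty file whose leading bytes are all 0xCC is treated as a hit.
The boot sector and the files built by build_samples() are constructed test
data, not artefacts from an incident.
"""
import os
import tempfile

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
NOTE_MARKER = b"Your hard drive has been corrupted"
FILL_BYTE = 0xCC
FILL_LEN = 1024 * 1024                # 1 MiB, per the description above


def inspect_mbr(sector):
    """Describe a raw boot sector: signature present, note text present, and
    how many of the four partition-table entries (16 bytes each from 0x1BE)
    have a non-zero type byte."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector, got %d bytes" % len(sector))
    entries = [sector[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)] for i in range(4)]
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "contains_note": NOTE_MARKER in sector,
        "populated_partitions": sum(1 for e in entries if e[4] != 0),
    }


def is_overwritten(path):
    """True if the file is non-empty and every byte in its first 1 MiB is 0xCC."""
    with open(path, "rb") as fh:
        head = fh.read(FILL_LEN)
    return len(head) > 0 and head == bytes([FILL_BYTE]) * len(head)


def triage_tree(root):
    """Walk root and return the sorted paths that match the corrupter's fill.
    Unreadable files are skipped rather than aborting the walk."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if is_overwritten(path):
                    hits.append(path)
            except OSError:
                continue
    return sorted(hits)


def build_samples():
    """Construct test data: a boot sector carrying the note marker, one
    partition entry and a valid signature, plus a temp directory holding one
    intact document and one overwritten file that has already been renamed
    with a random-looking four-byte extension."""
    sector = bytearray(MBR_SIZE)
    sector[0:len(NOTE_MARKER)] = NOTE_MARKER
    sector[0x1BE + 4] = 0x07            # partition type 0x07 (NTFS/exFAT)
    sector[510:512] = BOOT_SIGNATURE
    root = tempfile.mkdtemp(prefix="wg_triage_")
    with open(os.path.join(root, "report.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04" + b"\x00" * 100)      # intact ZIP-based document
    with open(os.path.join(root, "budget.k3x7"), "wb") as fh:
        fh.write(bytes([FILL_BYTE]) * 4096)           # overwritten, then renamed
    return bytes(sector), root


if __name__ == "__main__":
    sector, root = build_samples()
    print("boot sector:", inspect_mbr(sector))
    print("overwritten files:", triage_tree(root))
```

On a live Windows host the sector would come from `\\.\PhysicalDrive0` with administrative rights; on an image, from the first 512 bytes of the device file. The file check reads only the first 1 MiB, so it is cheap to run across a whole tree, and it ignores the file name on purpose because the corrupter renames its victims.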
Indicators of Compromise:
| Indicator | Type | Description |
| --- | --- | --- |
| a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 | SHA-256 | Hash of the destructive malware stage1.exe |
| dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 | SHA-256 | Hash of stage2.exe |
| cmd.exe /Q /c start c:\stage1.exe 1> \\127.0.0.1\ADMIN$\__[TIMESTAMP] 2>&1 | Command line | Example Impacket command line showing execution of the destructive malware. The working directory has varied between observed intrusions. |
Key takeaways:
- So far this attack has been limited to Ukrainian government organizations, but these techniques are likely to evolve and grow more sophisticated, and could later be turned against targets in almost any country.
- Since 2020 there has been a sharp rise in high-impact supply-chain attacks. The 2021 Colonial Pipeline incident, although a ransomware intrusion rather than a supply-chain compromise, showed how disruptive a single compromise of operational infrastructure can be. DevSecOps controls need to be applied at every stage of the software lifecycle, including how third-party suppliers are onboarded and monitored.
Sigma rules for detection:
Sigma Rule Github Link
Detection Rules (field names such as Signature, FileName, Hash and CommandLine must be mapped to the local log schema; the four stage1.exe drop paths are alternatives, so they are ORed, never ANDed):
Qradar:
SELECT UTF8(payload), "Filename", "username" FROM events
WHERE (LOGSOURCENAME(logsourceid) ILIKE '%antivirus%'
       AND (("Signature" ILIKE '%DoS:Win32/WhisperGate.A!dha%' OR "Signature" ILIKE '%DoS:Win32/WhisperGate.C!dha%' OR "Signature" ILIKE '%DoS:Win32/WhisperGate.H!dha%' OR "Signature" ILIKE '%DoS:Win32/WhisperGate.X!dha%')
            OR ("Filename" ILIKE '%stage1.exe%' OR "Filename" ILIKE '%stage2.exe%')
            OR ("Hash" ILIKE '%a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92%' OR "Hash" ILIKE '%dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78%')))
   OR (UTF8(payload) ILIKE '%/Q /c start c:\stage1.exe%' OR UTF8(payload) ILIKE '%/Q /c start c:\perflogs\stage1.exe%' OR UTF8(payload) ILIKE '%/Q /c start c:\programdata\stage1.exe%' OR UTF8(payload) ILIKE '%/Q /c start c:\temp\stage1.exe%')
Splunk:
(index="antivirus" ((Signature="DoS:Win32/WhisperGate.A!dha" OR Signature="DoS:Win32/WhisperGate.C!dha" OR Signature="DoS:Win32/WhisperGate.H!dha" OR Signature="DoS:Win32/WhisperGate.X!dha") OR (FileName="stage1.exe" OR FileName="stage2.exe") OR (Hash="a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92" OR Hash="dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78")))
OR (CommandLine="*/Q /c start c:\\stage1.exe*" OR CommandLine="*/Q /c start c:\\perflogs\\stage1.exe*" OR CommandLine="*/Q /c start c:\\programdata\\stage1.exe*" OR CommandLine="*/Q /c start c:\\temp\\stage1.exe*")
| table FileName, User, Startdate, Enddate
Arcsight:
(categoryDeviceGroup = "/IDS/Host/AntiVirus" AND ((deviceCustomString1 CONTAINS "DoS:Win32/WhisperGate.A!dha" OR deviceCustomString1 CONTAINS "DoS:Win32/WhisperGate.C!dha" OR deviceCustomString1 CONTAINS "DoS:Win32/WhisperGate.H!dha" OR deviceCustomString1 CONTAINS "DoS:Win32/WhisperGate.X!dha") OR (deviceCustomString1 CONTAINS "stage1.exe" OR deviceCustomString1 CONTAINS "stage2.exe") OR (deviceCustomString1 CONTAINS "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92" OR deviceCustomString1 CONTAINS "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78")))
OR (deviceCustomString1 CONTAINS "/Q /c start c:\stage1.exe" OR deviceCustomString1 CONTAINS "/Q /c start c:\perflogs\stage1.exe" OR deviceCustomString1 CONTAINS "/Q /c start c:\programdata\stage1.exe" OR deviceCustomString1 CONTAINS "/Q /c start c:\temp\stage1.exe")
Kibana:
((Signature:(*DoS\:Win32\/WhisperGate.A\!dha* OR *DoS\:Win32\/WhisperGate.C\!dha* OR *DoS\:Win32\/WhisperGate.H\!dha* OR *DoS\:Win32\/WhisperGate.X\!dha*) OR FileName:(*stage1.exe* OR *stage2.exe*) OR Hash:(*a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92* OR *dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78*)) OR CommandLine:(*\/Q\ \/c\ start\ c\:\\stage1.exe* OR *\/Q\ \/c\ start\ c\:\\perflogs\\stage1.exe* OR *\/Q\ \/c\ start\ c\:\\programdata\\stage1.exe* OR *\/Q\ \/c\ start\ c\:\\temp\\stage1.exe*))
Apache Kafka:
SELECT FileName, User, Startdate, Enddate FROM TABLE_NAME
WHERE ((Signature ILIKE '%DoS:Win32/WhisperGate.A!dha%' OR Signature ILIKE '%DoS:Win32/WhisperGate.C!dha%' OR Signature ILIKE '%DoS:Win32/WhisperGate.H!dha%' OR Signature ILIKE '%DoS:Win32/WhisperGate.X!dha%') OR (FileName ILIKE '%stage1.exe%' OR FileName ILIKE '%stage2.exe%') OR (Hash ILIKE '%a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92%' OR Hash ILIKE '%dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78%'))
   OR (CommandLine ILIKE '%/Q /c start c:\\stage1.exe%' OR CommandLine ILIKE '%/Q /c start c:\\perflogs\\stage1.exe%' OR CommandLine ILIKE '%/Q /c start c:\\programdata\\stage1.exe%' OR CommandLine ILIKE '%/Q /c start c:\\temp\\stage1.exe%');
GrayLog:
((Signature.keyword:(*DoS\:Win32\/WhisperGate.A\!dha* *DoS\:Win32\/WhisperGate.C\!dha* *DoS\:Win32\/WhisperGate.H\!dha* *DoS\:Win32\/WhisperGate.X\!dha*) OR FileName.keyword:(*stage1.exe* *stage2.exe*) OR Hash.keyword:(*a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92* *dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78*)) OR CommandLine.keyword:(*\/Q\ \/c\ start\ c\:\\stage1.exe* *\/Q\ \/c\ start\ c\:\\perflogs\\stage1.exe* *\/Q\ \/c\ start\ c\:\\programdata\\stage1.exe* *\/Q\ \/c\ start\ c\:\\temp\\stage1.exe*))
LogPoint:
((Signature IN ["*DoS:Win32/WhisperGate.A!dha*", "*DoS:Win32/WhisperGate.C!dha*", "*DoS:Win32/WhisperGate.H!dha*", "*DoS:Win32/WhisperGate.X!dha*"] OR FileName IN ["*stage1.exe*", "*stage2.exe*"] OR Hash IN ["*a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92*", "*dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78*"]) OR CommandLine IN ["*/Q /c start c:\\stage1.exe*", "*/Q /c start c:\\perflogs\\stage1.exe*", "*/Q /c start c:\\programdata\\stage1.exe*", "*/Q /c start c:\\temp\\stage1.exe*"])
RSA NetWitness:
(((Signature contains 'DoS:Win32/WhisperGate\.A!dha', 'DoS:Win32/WhisperGate\.C!dha', 'DoS:Win32/WhisperGate\.H!dha', 'DoS:Win32/WhisperGate\.X!dha') || (FileName contains 'stage1\.exe', 'stage2\.exe') || (Hash contains 'a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92', 'dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78')) || (CommandLine contains '/Q /c start c:\stage1.exe', '/Q /c start c:\perflogs\stage1.exe', '/Q /c start c:\programdata\stage1.exe', '/Q /c start c:\temp\stage1.exe'))
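The rules above express one piece of matching logic in several query dialects. As an added example, not from the original write-up and not a SIEM rule, the following Python script applies that same logic to a handful of constructed events so the conditions can be checked offline before they are deployed. The event field names (Signature, FileName, Hash, CommandLine) and the sample events, including the Impacket timestamp, are assumptions for this example. It also reports the Impacket-style `1> \\127.0.0.1\ADMIN$\__<timestamp>` redirection from the IoC table separately, since that pattern is generic lateral-movement tooling rather than something specific to WhisperGate.

```python
"""Added example (not from the original write-up): the matching logic behind the
SIEM rules above, run over constructed sample events.

Assumptions for this example: events are dicts with the fields Signature,
FileName, Hash and CommandLine (map these to your own schema), and the sample
events below are constructed, not captured from an incident.
"""
import re

# Indicators quoted in the write-up.
AV_SIGNATURES = (
    "DoS:Win32/WhisperGate.A!dha",
    "DoS:Win32/WhisperGate.C!dha",
    "DoS:Win32/WhisperGate.H!dha",
    "DoS:Win32/WhisperGate.X!dha",
)
STAGE_NAMES = {"stage1.exe", "stage2.exe"}
IOC_SHA256 = {
    "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92",  # stage1.exe
    "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78",  # stage2.exe
}

# stage1.exe launched from any of the four drop locations named above.
# The directories are alternatives, so the pattern (like the rules) ORs them.
STAGE1_CMD_RE = re.compile(
    r"/Q /c start c:\\(?:(?:perflogs|programdata|temp)\\)?stage1\.exe",
    re.IGNORECASE,
)
# Impacket-style output redirection from the IoC table. This is generic
# lateral-movement tooling, so it is reported separately, not as a wiper hit.
IMPACKET_REDIRECT_RE = re.compile(
    r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__[0-9.]+", re.IGNORECASE
)


def _basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event):
    """Return the list of reasons an event matches; an empty list is a miss."""
    reasons = []
    signature = event.get("Signature", "").lower()
    if any(s.lower() in signature for s in AV_SIGNATURES):
        reasons.append("av_signature")
    if _basename(event.get("FileName", "")) in STAGE_NAMES:
        reasons.append("stage_filename")
    if event.get("Hash", "").lower() in IOC_SHA256:
        reasons.append("ioc_hash")
    cmdline = event.get("CommandLine", "")
    if STAGE1_CMD_RE.search(cmdline):
        reasons.append("stage1_cmdline")
    if IMPACKET_REDIRECT_RE.search(cmdline):
        reasons.append("impacket_redirect")
    return reasons


def run(events):
    """Apply classify() to every event; return [(index, reasons)] for hits only."""
    hits = []
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: antivirus detection on the dropped binary
    {"Signature": "DoS:Win32/WhisperGate.A!dha", "FileName": r"C:\PerfLogs\stage1.exe"},
    # 1: the Impacket-style launch from the IoC table (timestamp constructed)
    {"CommandLine": r"cmd.exe /Q /c start c:\perflogs\stage1.exe 1> \\127.0.0.1\ADMIN$\__1642512345.123 2>&1"},
    # 2: same binary dropped somewhere the command-line pattern does not cover
    {"FileName": r"C:\Users\alice\Downloads\stage1.exe",
     "Hash": "A196C6B8FFCB97FFB276D04F354696E2391311DB3841AE16C8C9F56F36A38E92"},
    # 3: Impacket redirection without the wiper: lateral movement, not WhisperGate
    {"CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1642512300.001 2>&1"},
    # 4: benign process
    {"FileName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe report.txt"},
]


if __name__ == "__main__":
    for index, reasons in run(SAMPLE_EVENTS):
        print("event %d: %s" % (index, ", ".join(reasons)))
```

Event 2 shows why the file-name and hash conditions matter: the binary was dropped outside the four documented directories, so the command-line pattern alone would miss it. Event 3 shows the opposite gap: the Impacket redirection fires on any remote command, so on its own it indicates lateral movement rather than this wiper and should be triaged as such.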