WhisperGate

WhisperGate is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.[1][2][3]

ID: S0689
Type: MALWARE
Platforms: Windows
Contributors: Phill Taylor, BT Security; Matt Brenton, Zurich Global Information Security
Version: 1.2
Created: 10 March 2022
Last Modified: 10 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1036 Masquerading

WhisperGate has been disguised as a JPG extension to avoid detection as a malicious PE file.[4]

Enterprise T1620 Reflective Code Loading

WhisperGate's downloader can reverse its third stage file bytes and reflectively load the file as a .NET assembly.[5]

Enterprise T1140 Deobfuscate/Decode Files or Information

WhisperGate can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations.[6][4]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

WhisperGate can use PowerShell to support multiple actions including execution and defense evasion.[2][6][4]

.003 Command and Scripting Interpreter: Windows Command Shell

WhisperGate can use cmd.exe to execute commands.[2]

.005 Command and Scripting Interpreter: Visual Basic

WhisperGate can use a Visual Basic script to exclude the C:\ drive from Windows Defender.[2][6]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

WhisperGate can download and execute AdvancedRun.exe to disable the Windows Defender Threat Protection service and set an exclusion path for the C:\ drive.[2][6][4]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

WhisperGate can make an HTTPS connection to download additional files.[2][4]

Enterprise T1485 Data Destruction

WhisperGate can corrupt files by overwriting the first 1 MB with 0xcc and appending random extensions.[3][7][1][2][6][4]

Enterprise T1083 File and Directory Discovery

WhisperGate can locate files based on hardcoded file extensions.[3][2][6][4]

Enterprise T1106 Native API

WhisperGate has used the ExitWindowsEx API to flush file buffers to disk and stop running processes, alongside other API calls.[6][5]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage.[6][4][5]

Enterprise T1561 .001 Disk Wipe: Disk Content Wipe

WhisperGate can overwrite sectors of a victim host's hard drive at periodic offsets.[7][6][4]

.002 Disk Wipe: Disk Structure Wipe

WhisperGate can overwrite the Master Boot Record (MBR) on victim systems with a malicious 16-bit bootloader.[3][7][1][2][6][4]

Enterprise T1070 .004 Indicator Removal: File Deletion

WhisperGate can delete tools from a compromised host after execution.[6]

Enterprise T1218 .004 System Binary Proxy Execution: InstallUtil

WhisperGate has used InstallUtil.exe as part of its process to disable Windows Defender.[2]

Enterprise T1082 System Information Discovery

WhisperGate has the ability to enumerate fixed logical drives on a targeted system.[6]

Enterprise T1529 System Shutdown/Reboot

WhisperGate can shut down a compromised host through execution of ExitWindowsEx with the EXW_SHUTDOWN flag.[6]

Enterprise T1569 .002 System Services: Service Execution

WhisperGate can download and execute AdvancedRun.exe via sc.exe.[4][2]

Enterprise T1135 Network Share Discovery

WhisperGate can enumerate connected remote logical drives.[6]

Enterprise T1102 Web Service

WhisperGate can download additional payloads hosted on a Discord channel.[7][2][3][6][4]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

WhisperGate can stop its execution when it recognizes the presence of certain monitoring tools.[2]

.003 Virtualization/Sandbox Evasion: Time Based Evasion

WhisperGate can pause for 20 seconds to bypass antivirus solutions.[4][5]

Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

The WhisperGate third stage can use the AdvancedRun.exe tool to execute commands in the context of the Windows TrustedInstaller group via "%TEMP%\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run.[6]
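The command line quoted above is a concrete artefact a detection engineer can key on in process-creation telemetry (for example Sysmon Event ID 1 or Windows Security event 4688). The following Python is an added example, not code from the ATT&CK entry or from any of its cited reports: it parses AdvancedRun-style `/Option value` arguments and flags the combination the page describes (AdvancedRun run from a Temp directory, `/RunAs 8` for the TrustedInstaller context, and `sc.exe` being used to stop the `WinDefend` service), whether issued through AdvancedRun or directly. The event records are constructed sample data; the field names `pid`, `image` and `cmdline` are assumptions about the log schema.

```python
import re

# Constructed sample process-creation events (not real telemetry). The first
# record mirrors the AdvancedRun command line quoted in the ATT&CK entry; the
# others are benign look-alikes used to check the rule does not over-fire.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Users\u\AppData\Local\Temp\AdvancedRun.exe",
     "cmdline": r'"C:\Users\u\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run'},
    {"pid": 4188, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe stop WinDefend"},
    {"pid": 5002, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe query Spooler"},
    {"pid": 5100, "image": r"C:\Tools\AdvancedRun.exe",
     "cmdline": r'"C:\Tools\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\notepad.exe" /RunAs 1 /Run'},
]

ADVANCEDRUN_RE = re.compile(r"advancedrun\.exe", re.I)
# Matches "/Name value" or '/Name "quoted value"'; a bare trailing "/Run"
# carries no value and is deliberately not captured.
OPTION_RE = re.compile(r'/(\w+)\s+(?:"([^"]*)"|(\S+))')
# Direct "sc stop WinDefend" (with or without the .exe suffix).
SC_STOP_DEFENDER_RE = re.compile(r"\bsc(?:\.exe)?\b.*\bstop\b.*\bwindefend\b", re.I)


def parse_advancedrun_options(cmdline):
    """Return AdvancedRun-style options as a lower-cased name -> value dict."""
    opts = {}
    for m in OPTION_RE.finditer(cmdline):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts


def assess_event(event):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    image = event["image"]
    cmd = event["cmdline"]

    if ADVANCEDRUN_RE.search(image) or ADVANCEDRUN_RE.search(cmd):
        opts = parse_advancedrun_options(cmd)
        # /RunAs 8 is the TrustedInstaller context named in the ATT&CK entry.
        if opts.get("runas") == "8":
            reasons.append("AdvancedRun requested TrustedInstaller context (/RunAs 8)")
        target = (opts.get("exefilename") or "").lower()
        inner = (opts.get("commandline") or "").lower()
        if target.endswith("sc.exe") and "windefend" in inner:
            reasons.append("AdvancedRun launches sc.exe against the WinDefend service")
        if "\\temp\\" in image.lower():
            reasons.append("AdvancedRun executed from a Temp directory")

    if SC_STOP_DEFENDER_RE.search(cmd):
        reasons.append("sc.exe stop issued for the WinDefend service")
    return reasons


def triage(events):
    """Map each event's pid to its list of detection reasons."""
    return {e["pid"]: assess_event(e) for e in events}


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        status = "ALERT" if reasons else "ok"
        print(f"pid {pid}: {status}")
        for r in reasons:
            print(f"    - {r}")
```

The parser is kept separate from the scoring so the same option extraction can feed other AdvancedRun rules; stacking several independent reasons per event (TrustedInstaller context, Defender service target, Temp-directory origin) also lets an analyst rank the first record above a lone `sc.exe stop` that might be a legitimate administrative action.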

Enterprise T1518 .001 Software Discovery: Security Software Discovery

WhisperGate can recognize the presence of monitoring tools on a target system.[2]

Enterprise T1105 Ingress Tool Transfer

WhisperGate can download additional stages of malware from a Discord CDN channel.[3][2][6][4]

Enterprise T1055 .012 Process Injection: Process Hollowing

WhisperGate has the ability to inject its fourth stage into a suspended process created by the legitimate Windows utility InstallUtil.exe.[6][5]

Enterprise T1542 .003 Pre-OS Boot: Bootkit

WhisperGate overwrites the MBR with a bootloader component that performs destructive wiping operations on hard drives and displays a fake ransom note when the host boots.[7][1][3][6][4]

Groups That Use This Software

ID Name References
G1003 Ember Bear

Ember Bear is associated with WhisperGate use against multiple victims in Ukraine.[8][9][10]

References