Rewterz Threat Alert – Ukraine Under Attack – Active IOCs

Severity

Medium

Analysis Summary

Tensions between the Ukranian and Russian governments have been running high. So much so that Russian has amassed over 100,000 troops on Ukraine’s eastern border, which has led many to believe that an invasion is impending. Cybersecurity is being used for cyber warfare all over the world and the same is happening with Ukraine. In mid January 2022, More than 70 websites of Ukrainian of Ministry of Foreign Affairs and a number of other government agencies were down temporarily and provocative messages were left on the websites.

At the same time, Microsoft found a new and unique malware that was infecting systems of Ukranian politicians and government affiliates. Dubbed as “WhisperGate,” this new malware is designed to render targeted devices inoperable and intended to be destructive.

Step 1: The malware is found in working directories C:\PerfLogs, C:\ProgramData, C:\, and C:\temp, and is named stage1.exe. Impacket is then used by the threat actors to move laterally and for file execution. The MBR (Master Boot Record) is overwritten by the malware and the following ransom note is left:

Your hard drive has been corrupted.
In case you want to recover all hard drives
of your organization,
You should pay us $10k via bitcoin wallet
1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via
tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65
with your organization name.
We will contact you to give further instructions.

Step 2: A malicious file-corrupter malware, Stage2.exe, is executed which is hosted on a Discord channel. In this step, files with the following extensions are corrupted:

.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU.SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP

Finally, the corrupter overwrites any of the files from the above extensions with a number of 0xCC bytes (total file size of 1MB). The files are the renamed with random 4 digit numbers.

• Cyber Espionage
• Data Theft
• Exposure of Sensitive Data

Indicators of Compromise

MD5

• 5d5c99a08a7d927346ca2dafa7973fc1
• 14c8482f302b5e81e3fa1b18a509289d

SHA-256

• a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
• dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78

SHA-1

• 189166d382c73c242ba45889d57980548d4ba37e
• 16525cb2fd86dce842107eb1ba6174b23f188537

Remediation

• Block all the threat indicators at your respective controls.
• Search for IOCs in your environment.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders