Tensions between the Ukrainian and Russian governments have been running high. So much so that Russia has amassed over 100,000 troops on Ukraine's eastern border, which has led many to believe that an invasion is imminent. Cyber operations are now part of warfare all over the world, and the same is happening in Ukraine. In mid-January 2022, more than 70 websites of the Ukrainian Ministry of Foreign Affairs and a number of other government agencies were temporarily taken down and provocative messages were left on them.
At the same time, Microsoft found a new and unique malware infecting the systems of Ukrainian politicians and government affiliates. Dubbed "WhisperGate," this malware is designed to render targeted devices inoperable and is intended to be destructive.
Step 1: The malware is found in the working directories C:\PerfLogs, C:\ProgramData, C:\, and C:\temp, and is named stage1.exe. The threat actors then use Impacket for lateral movement and file execution. The malware overwrites the MBR (Master Boot Record) and leaves the following ransom note:
Your hard drive has been corrupted.
In case you want to recover all hard drives
of your organization,
You should pay us $10k via bitcoin wallet
1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via
tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65
with your organization name.
We will contact you to give further instructions.
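As an added triage example (not code from the write-up or from Microsoft's analysis), the following Python parses a 512-byte MBR image and flags the signs a responder would look for after an overwrite of the kind described in Step 1: a missing 0x55AA boot signature, a partition table with no plausible entries, and the ransom-note phrases quoted above appearing in the boot-code area. The two sample MBRs are constructed here; the "overwritten" one is a stand-in that only places the note text in the boot-code region and does not reproduce the real stage1 MBR layout.

```python
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot loader stub
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries follow
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR

# Phrases taken from the ransom note quoted in the write-up above.
RANSOM_NOTE_MARKERS = (
    b"Your hard drive has been corrupted",
    b"via bitcoin wallet",
    b"tox ID",
)


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four classic MBR partition entries (little-endian)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, off
        )
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def analyze_mbr(mbr: bytes) -> dict:
    """Return structural findings for one MBR image and an overall verdict."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected a 512-byte MBR image")
    boot_code = mbr[:BOOT_CODE_LEN]
    entries = parse_partition_table(mbr)
    findings = {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        # An entry is plausible if it has a type, a legal status byte and a size.
        "valid_partitions": sum(
            1 for e in entries
            if e["type"] != 0 and e["status"] in (0x00, 0x80) and e["sectors"] > 0
        ),
        "ransom_note_markers": [m.decode() for m in RANSOM_NOTE_MARKERS if m in boot_code],
    }
    findings["suspicious"] = (
        not findings["signature_ok"]
        or findings["valid_partitions"] == 0
        or bool(findings["ransom_note_markers"])
    )
    return findings


def build_benign_mbr() -> bytes:
    """Constructed healthy MBR: stub loader, one active NTFS-type partition."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (BOOT_CODE_LEN - 3)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * (PARTITION_ENTRY_LEN * 3)
    return boot_code + table + BOOT_SIGNATURE


def build_overwritten_mbr() -> bytes:
    """Constructed stand-in for an overwritten MBR: note text in the boot-code
    area, partition table zeroed. Not the real stage1 layout."""
    note = (b"Your hard drive has been corrupted.\r\n"
            b"You should pay us $10k via bitcoin wallet <placeholder>\r\n"
            b"and send message via tox ID <placeholder>\r\n")
    boot_code = note.ljust(BOOT_CODE_LEN, b"\x00")
    return boot_code + b"\x00" * (PARTITION_ENTRY_LEN * 4) + BOOT_SIGNATURE


if __name__ == "__main__":
    for label, image in (("benign", build_benign_mbr()),
                         ("overwritten", build_overwritten_mbr())):
        print(label, analyze_mbr(image))
```

On a live system the image to feed `analyze_mbr` is the first 512 bytes of the physical disk (or of a forensic disk image); the parser itself is the same. The verdict is deliberately coarse: any one of the three conditions is enough to pull the disk aside for a closer look.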
Step 2: A malicious file-corrupter, Stage2.exe, hosted on a Discord channel, is then executed. In this step, files with the following extensions are corrupted:
.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU.SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP
Finally, the corrupter overwrites the contents of any file with one of the above extensions with 0xCC bytes, leaving each at a total file size of 1MB. The files are then renamed with random 4-digit numbers.
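Because the renamed files no longer carry their original extensions, the most reliable way to find Stage2 damage during triage is by content rather than name. The Python below is an added example (not code from the write-up or from Microsoft) that walks a directory tree and reports every non-empty file whose bytes are all 0xCC, noting whether its size matches the 1MB figure given above; "1MB" is taken here as 1,048,576 bytes, which is an assumption. The sample tree and its file names are constructed in a temporary directory.

```python
import tempfile
from pathlib import Path

FILL_BYTE = 0xCC
EXPECTED_SIZE = 1024 * 1024   # assumption: the write-up's "1MB" read as 1 MiB
CHUNK = 64 * 1024             # read size; lets the scan stop early on real files


def is_filled_with(path: Path, byte: int = FILL_BYTE) -> bool:
    """True if the file is non-empty and every byte equals `byte`.

    Compares chunk by chunk so a normal file is rejected at its first
    differing chunk instead of being read completely.
    """
    ref = bytes([byte]) * CHUNK
    seen_any = False
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return seen_any
            seen_any = True
            if chunk != ref[:len(chunk)]:
                return False


def scan_for_corruption(root) -> list:
    """Report files under `root` that consist entirely of the fill byte.

    Each hit records the relative path, the size, and whether the size
    equals the expected post-corruption size.
    """
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        size = p.stat().st_size
        if size == 0:
            continue
        if is_filled_with(p):
            hits.append({
                "path": str(p.relative_to(root)),
                "size": size,
                "size_matches": size == EXPECTED_SIZE,
            })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree() -> str:
    """Constructed fixture: one intact document, one 1 MiB 0xCC-filled file
    under a random-looking 4-digit name, and one 0xCC-filled file of the
    wrong size (reported, but not size-matched)."""
    root = Path(tempfile.mkdtemp(prefix="wg_triage_"))
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"benign content " * 100)
    (root / "4731").write_bytes(bytes([FILL_BYTE]) * EXPECTED_SIZE)
    (root / "notes.txt").write_bytes(bytes([FILL_BYTE]) * 4096)
    return str(root)


if __name__ == "__main__":
    for hit in scan_for_corruption(build_sample_tree()):
        print(hit)
```

Run `scan_for_corruption` against a user profile or a share to get a list of candidates for restore from backup; the `size_matches` flag separates files that match the described 1MB pattern from other all-0xCC files that merit a second look but may have a different cause.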