Cyble-Whisper-Malware-Analysis

WhisperGate Malware Deep-dive Analysis

On January 13, 2022, Microsoft discovered evidence of a malware campaign targeting government organizations in Ukraine and published a report. The attack uses destructive wiper malware called WhisperGate that executes in several stages. So far it has been identified as targeting Windows-based computers, and the main objective of the malware appears to be data destruction. This malware has the potential to be used by threat groups for malicious purposes such as disrupting the services of any government agencies, non-profit organizations, or entities located in Ukraine.

We discovered that the malware overwrites the Master Boot Record (MBR) and displays a ransom message during the initial stage of the assault, as shown in Figure 1.

Figure 1: Ransom Note

The WhisperGate malware has several stages of infection, and the final payload encrypts files and changes the file extensions as well.

Figure 2 shows the different stages of malware.

Figure 2: Description of Multistage Malware

Technical Analysis

We have analyzed the samples mentioned in the Microsoft report, and in this blog, we will conduct a deep-dive technical analysis of the WhisperGate malware used in the attack.

Stage 1 Malware Analysis:

The stage1.exe is not packed and a 32-bit PE file was created on January 10, 2022, using GCC compiler.

Figure 3: Basic Static Information of Stage-1 Malware

Upon execution, the malware moves ransom notes in the memory and calls the CreateFileW() API to get the handle of the MBR. The malware then writes ransom notes in the MBR using WriteFile() API. We observed that only 512 bytes of MBR are overwritten.

Figure 4: Code for MBR Overwriting

The below figure shows the ransom note present in the malware sample.

Figure 5: Overwritten MBR

Stage 2 Malware Analysis

The stage2.exe is a 32-bit PE, .NET binary that was created on the same date, January 10, 2022, as the stage1.exe.

Figure 6: Basic Information of Stage2 EXE

The description of stage2.exe is written using the Russian language and it pretends to be a Microsoft file.

Figure 7: Description of stage2.exe in the Russian Language

Our research indicates that the TAs have used an invalid Digital Signature signed by Microsoft to bypass the security checks.

Figure 8: Fake Microsoft Digital Certificate

The stage2.exe is a downloader that downloads another (Stage3 malware) file named Tbopbh.jpg from a Discord server. The URL and IP details are mentioned below.

  • URL: hxxs://cdn[.]discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh[.]jpg,
  • IP address: 162[.]159[.]133[.]233
Figure 9: Discord Link to Download Stage-3 Malware

Stage 3 Malware Analysis

The stage-3 malware downloaded from the Discord server is a PE file saved in the reverse order, as shown in Figure 4.

Figure 10: Reversed Order of the Bytes

Upon reversing the order of the bytes in the file, we found a .NET assembly DLL file named Frkmlkdkdubkznbkmcf.dll, which contains two resources, as shown in Figure 11.

Figure 11:Embedded Resources & Main Function

The malware loads the resource named 78c855a088924e92a7f60d661c3d1845 into memory and generates a new .NET DLL file named zx_fee6cce9db1d42510801fc1ed0e09452.dll.The newly generated DLL file contains two resources named AdvancedRun and Waqybg. The AdvancedRun stops Windows Defender from running and disables it. The malware then loads the other resource named Waqybg into memory and generates a stage-4 final payload for encrypting the victims’ files.

Figure 12: Two more Resources used for Further Execution

Stage 4 Malware Analysis

The stage-4 malware is a 32-bit PE file created using the GCC compiler.

Figure 13:Basic Static Information of Stage-4 Malware

The stage-4 malware is a corrupter that searches for about 120 different file extensions within the victim’s system and encrypts them. It appends the file name with a random four-byte extension and renames the encrypted files. Finally, the malware uses the ping command listed below to remove itself from the machine after overwriting the targeted files.

cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q \”[Filepath]\

Figure 14: Code for Corrupting the Files

Additional Information

Based on our Darkweb intel we found that threat actors allegedly leaked data of several departments of the Government of Ukraine. Also, both Darkweb leak data and ransom note contains the details of TOX IDs which is a common channel for their communication. Therefore, we suspect that the data leaked is associated with the attack reported by Microsoft.

Figure 15: Activity on Dark Web Forums

Conclusion  

​We analyzed the WhisperGate multistage malware samples and found it to have a complicated modus operandi. Unlike other ransomware families, the malware overwrites the MBR and displays a ransom message during the initial stage of the assault. The malware does not have a decryption or data recovery mechanism, and the recovery of the encrypted is not possible technically. Based on the above analysis, we suspect that the objective of the malware is to damage the victim systems rather than demand ransom.

Our Recommendations 

​We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below: 

  • ​Don’t keep important files at common locations such as the Desktop, My Documents, etc.
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • ​Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • ​Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.     
  • ​Refrain from opening untrusted links and email attachments without verifying their authenticity. 
  • ​Conduct regular backup practices and keep those backups offline or in a separate network. 

MITRE ATT&CK® Techniques 

​Tactic ​Technique ID ​Technique Name 
​Execution T1204 ​User Execution 
ImpactT1531
T1485
T1561
T1489
T1486
T1565
Account Access Removal
Data Destruction
Disk Wipe
Service Stop
Data Encrypted for Impact
Data Manipulation
DiscoveryT1518
T1087  
T1083  
Security Software Discovery  
Account Discovery  
File and Directory Discovery

Indicators Of Compromise (IoCs)

​Indicators​Indicator type ​Description 
189166d382c73c242ba45889d57980548d4ba37e​SHA-1 ​Stage1.exe 
16525cb2fd86dce842107eb1ba6174b23f188537SHA-1Stage2.exe
b2d863fc444b99c479859ad7f012b840f896172eSHA-1Stage3.exe
a67205dc84ec29eb71bb259b19c1a1783865c0fcSHA-1Stage4.exe
82d29b52e35e7938e7ee610c04ea9daaf5e08e90SHA-1Stage 3 embedded DLL
hxxs://cdn[.]discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh[.]jpgDiscord Server URLDownloader
162[.]159[.]133[.]233Discord Server IPDownloader
1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfvAddressBitcoin Wallet
8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65IDTox

Yara Rules:

rule Whispergate_Stage_1 {
    meta:
      description = "Detects first stage payload from WhisperGate"
      author = "mmuir@cadosecurity.com"
      date = "2022-01-17"
      license = "Apache License 2.0"
      hash = "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92"
    strings:
      $a = { 31 41 56 4E 4D 36 38 67 6A 36 50 47 50 46 63 4A 75 66 74 4B 41 54 61 34 57 4C 6E 7A 67 38 66 70 66 76 }
      $b = { 38 42 45 44 43 34 31 31 30 31 32 41 33 33 42 41 33 34 46 34 39 31 33 30 44 30 46 31 38 36 39 39 33 43 36 41    
      33 32 44 41 44 38 39 37 36 46 36 41 35 44 38 32 43 31 45 44 32 33 30 35 34 43 30 35 37 45 43 45 44 35 34 39 36 46  
      36 35 }
      $c = { 24 31 30 6B 20 76 69 61 20 62 69 74 63 6F 69 6E 20 77 61 6C 6C 65 74 }
      $d = { 74 6F 78 20 49 44 }
    condition:
      uint16(0) == 0x5A4D and all of them
}
rule Whispergate_Stage_2 {
    meta:
      description = "Detects second stage payload from WhisperGate"
      author = "mmuir@cadosecurity.com"
      date = "2022-01-17"
      license = "Apache License 2.0"
      hash = "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78"
    strings:
      $a = { 6D 5F 49 6E 74 65 72 63 65 70 74 6F 72 }
      $b = { 6D 5F 62 31 36 65 37 33 65 30 64 61 61 63 34 62 34 33 62 36 35 36 36 39 30 31 62 35 34 32 34 63 35 33 }
      $c = { 6D 5F 34 33 37 37 33 32 63 65 65 35 66 35 34 64 37 64 38 34 61 64 64 37 62 64 33 30 39 37 64 33 63 61 }
      $d = { 6D 5F 30 64 62 39 37 30 38 63 66 36 34 39 34 30 38 32 39 66 39 61 66 38 37 65 64 65 65 64 66 36 30 65 }
      $e = { 6D 5F 65 31 34 33 33 31 36 38 32 30 62 31 34 64 30 33 38 38 61 37 32 37 34 34 33 38 65 63 30 37 38 64 }
      $f = { 6D 5F 66 33 31 30 39 30 63 37 31 35 64 65 34 62 30 62 61 62 64 33 31 61 36 33 34 31 31 30 34 36 63 38 }
      $g = { 6D 5F 36 31 31 64 31 61 62 63 33 32 66 63 34 66 64 38 61 33 34 65 30 34 34 66 39 37 33 34 34 31 64 61 }
      $h = { 6D 5F 37 37 34 62 39 32 31 30 64 39 38 31 34 32 65 62 62 34 34 31 33 35 35 39 64 61 61 65 35 61 34 34 }
    condition:
      uint16(0) == 0x5A4D and all of them
}

Figure 16: Yara Rules (Source: cadosecurity)

Scroll to Top