Wednesday 26 January 2022

Analysis of WhisperGate


Summary of the attack

  • Name: WhisperGate

  • Discovered in January 2022

  • Used in a targeted attack against the Ukrainian government websites on the 14th of January, 2022

  • Overwrites the contents of files with the fixed number of bytes

  • Rewrites MBR, corrupts victims’ files, downloads and drops its own files

  • Corrupted files have a random 4-byte extension

  • Comes with 2 stages, PE64 written in C++ and .NET application with fake digital signatures

  • The third stage is .NET DLL, which is downloaded at runtime

                                                                                                by Denis Popov and Alexander Adamov