Wednesday 26 January 2022

Analysis of WhisperGate


Summary of the attack

  • Name: WhisperGate

  • Discovered in January 2022

  • Used in a targeted attack against Ukrainian government websites on the 14th of January, 2022

  • Overwrites the contents of files with a fixed number of bytes

  • Rewrites the MBR, corrupts victims’ files, downloads and drops its own files

  • Corrupted files receive a random 4-byte extension

  • Comes in two stages: a PE64 executable written in C++ and a .NET application with a fake digital signature

  • The third stage is a .NET DLL that is downloaded at runtime


by Denis Popov and Alexander Adamov

Introduction

On January 13, 2022, multiple government sites in Ukraine were shut down due to a large-scale cyberattack by WhisperGate malware. In particular, the websites of the Cabinet of Ministers, the Ministry of Foreign Affairs, the Ministry of Sports, the Ministry of Energy, the Ministry of Agrarian Policy, the Ministry of Veterans Affairs, the website of the State Treasury, and state services website Diya stopped working. All users received a note with the following warning:

"Ukrainian! All your personal data has been uploaded to the public network. All data on the computer is destroyed, it is impossible to recover them. All information about you has become public, be afraid and expect the worst. This is for your past, present and future. For Volyn, for the OUN UPA, for Galicia, for Polissya, and for historical lands."

Microsoft's threat intelligence team named this activity "DEV-0586" and identified it as destructive malware that masquerades as ransomware. Its main purpose is to disrupt the system and damage files beyond the possibility of recovery.

Technical Details

Defacement of the government websites

Two types of defacement have been discovered by CERT-UA:

  • Complete replacement of the main page (index.php)
  • Injection of a malicious script into the website that replaces its content

The supposed attack vectors are:

  • a supply chain attack
  • the exploitation of OctoberCMS and/or Log4j vulnerabilities

The traces of the commands executed by the attackers are shown below:

.bash_history (source: https://cert.gov.ua/article/18101)

MBR Writer (stage1.exe)

The threat actor uses the Impacket tool collection for lateral movement and malware execution. The first file ‘stage1.exe’ is a PE64 executable written in C++ and compiled with the MinGW compiler. This file can be placed in different directories, for example, C:\PerfLogs, C:\ProgramData, C:\, C:\temp. At the beginning of execution, the malware opens the raw disk device ‘\\.\PhysicalDrive0’ (stored in the binary as the C string literal ‘\\\\.\\PhysicalDrive0’), which contains the Master Boot Record (MBR). Then it writes the hardcoded ransom note to the MBR area as well as to every 199th sector of the disk. Because the MBR has been overwritten, the system will no longer boot after a restart; the ransom note is displayed instead.

The hardcoded ransom note:

    Your hard drive has been corrupted.
    In case you want to recover all hard drives
    of your organization,
    You should pay us $10k via bitcoin wallet
    1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via
    tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65
    with your organization name.
    We will contact you to give further instructions.

Obtaining access to the MBR and rewriting it 

This behavior is not typical of ransomware, whose main purpose is to encrypt files and demand a ransom for decrypting them, usually leaving the system itself operable. In this case, the malware changes the MBR, which prevents the system from starting. This means that the ransom note is a fake and the main purpose of the malware is to disrupt system operability.

The traces of stage1.exe execution discovered by CERT-UA are shown below:

stage1.exe execution (source: https://cert.gov.ua/article/18101)

Trojan-Downloader (stage2.exe)

The second file ‘stage2.exe’ is a .NET application that carries a Microsoft Windows signature which, judging by the properties in File Details, was supposedly copied from the Russian version of Windows Explorer. The file is also obfuscated with Eazfuscator.NET.


It’s used to download the File Corrupter and contains a hardcoded Discord link:

Download data from the hardcoded link

This file also contains a Base64-encoded command, ‘UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==’, which is passed to PowerShell with the ‘-enc’ parameter, so PowerShell decodes the string before executing it. The decoded command is ‘Start-Sleep -s 10’. It suspends execution for the specified period and is used before the connection to the C2 server.


Executing the encoded PowerShell command

File Corrupter (Tbopbh.jpg / Frkmlkdkdubkznbkmcf.dll)

The downloaded Tbopbh.jpg file is an image that is decoded into Frkmlkdkdubkznbkmcf.dll (SHA256: 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6). This file is a .NET library and contains 3 resources:



Frkmlkdkdubkznbkmcf.dll loads resource ‘78c855a088924e92a7f60d661c3d1845’ and calls the decryption function.


Resource loading


The decryption function decodes this resource with an XOR operation.

Decoding resource


During execution, the decoded resource drops two additional files into the %Temp% folder. The first file is ‘AdvancedRun.exe’, which disables Windows Defender by executing the second file, ‘Nmddfrqqrbyjeygggda.vbs’. This script contains a command that excludes the whole ‘C:\’ drive from Windows Defender scanning:

CreateObject("WScript.Shell").Run "powershell Set-MpPreference -ExclusionPath 'C:\'", 0, False

Next, the malware drops ‘InstallUtil.exe’ into the ‘%Temp%’ folder and executes it. This program is the Microsoft utility for installing server resources and has a valid digital signature.


InstallUtil.exe properties


During execution, this program writes 22.53 GB to disk. The original program does not contain any suspicious code, so we can suppose that WhisperGate injects its file-corrupting code into this process.



The File Wiper corrupts the files with the following file extensions:

.HTML .HTM .PHTML .PHP .JSP .ASP .PHPS .PHP5 .ASPX .PHP4 .PHP3 .DOC .DOCX .XLS .XLSX .PPT .PPTX .PST .MSG .EML .TXT .CSV .RTF .WKS .WK1 .PDF .DWG .JPEG .JPG .DOCM .DOT .DOTM .XLSM .XLSB .XLW .XLT .XLM .XLC .XLTX .XLTM .PPTM .POT .PPS .PPSM .PPSX .HWP .SXI .STI .SLDX .SLDM .BMP .PNG .GIF .RAW .TIF .TIFF .PSD .SVG .CLASS .JAR .SCH .VBS .BAT .CMD .ASM .PAS .CPP .SXM .STD .SXD .ODP .WB2 .SLK .DIF .STC .SXC .ODS .3DM .MAX .3DS .STW .SXW .ODT .PEM .P12 .CSR .CRT .KEY .PFX .DER .OGG .JAVA .INC .INI .PPK .LOG .VDI .VMDK .VHD .MDF .MYI .MYD .FRM .SAV .ODB .DBF .MDB .ACCDB .SQL .SQLITEDB .SQLITE3 .LDF .ARC .BAK .TAR .TGZ .RAR .ZIP .BACKUP .ISO .CONFIG

If a file's extension matches one of these, the file's contents are overwritten with 100000h (1048576) bytes of the value ‘0xC’, and a random 4-byte string is appended to its extension.
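The overwrite pattern described above (a fixed 1 MiB of one repeated byte, plus a renamed extension) gives responders something to look for on disk. The following checker is an added example, not code from the original analysis: it keys on the overwrite length and the uniform fill rather than on one byte value, uses a subset of the extension list from the text, and assumes (the page does not state this) that the random 4 bytes were appended as a trailing ‘.xxxx’ suffix after the original extension.

```python
import os
import tempfile

WIPE_LEN = 0x100000  # 100000h = 1048576 bytes, the overwrite size given in the analysis
CHUNK = 65536
# Subset of the targeted extensions listed in the text (the full list is above).
TARGET_EXTS = {".HTML", ".PHP", ".DOC", ".DOCX", ".XLSX", ".PDF", ".JPG", ".SQL",
               ".ZIP", ".BAK", ".PEM", ".KEY", ".CONFIG"}


def is_wiped_content(path, wipe_len=WIPE_LEN):
    """Return (True, fill_byte) if the file is exactly wipe_len bytes of one repeated byte."""
    if os.path.getsize(path) != wipe_len:
        return False, None
    with open(path, "rb") as f:
        fill = f.read(1)[0]          # candidate fill value taken from the first byte
        f.seek(0)
        expected = bytes([fill]) * CHUNK
        for _ in range(wipe_len // CHUNK):
            if f.read(CHUNK) != expected:
                return False, None
    return True, fill


def original_extension(name):
    """Recover the targeted extension from a renamed file such as 'report.docx.Ab3q'.
    Assumption (not on the page): the random 4 bytes form a trailing '.xxxx' suffix."""
    base, tail = os.path.splitext(name)
    if len(tail) != 5:               # '.' plus four random characters
        return None
    ext = os.path.splitext(base)[1].upper()
    return ext if ext in TARGET_EXTS else None


def scan(directory):
    """Walk a tree; return (path, original_extension, fill_byte) for wiped-looking files."""
    hits = []
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            matched, fill = is_wiped_content(path)
            if matched:
                hits.append((path, original_extension(name), fill))
    return hits


def make_demo_dir():
    """Constructed sample tree: one file wiped WhisperGate-style, one untouched."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "report.docx.Ab3q"), "wb") as f:
        f.write(b"\x0c" * WIPE_LEN)   # fill value as written in the analysis (0xC)
    with open(os.path.join(d, "notes.txt"), "wb") as f:
        f.write(b"ordinary content")
    return d
```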




After the file corruption is done, the malware uses a ping command as a delay and then deletes itself:

cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q "%s"
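The three command lines quoted in this analysis (the Base64 ‘-enc’ PowerShell sleep, the Defender exclusion from the VBS script, and the ping-then-delete cleanup above) are all visible in process-creation telemetry. The triage helper below is an added example, not code from the original write-up: it decodes ‘-EncodedCommand’ arguments (Base64 over UTF-16LE) and flags the other two patterns, run over constructed sample events in the form "parent -> command line".

```python
import base64
import re

# Constructed sample process-creation records (not from the original write-up).
# The first three reproduce the commands quoted in the analysis; the fourth is
# benign PowerShell use, included for contrast.
SAMPLE_EVENTS = [
    "stage2.exe -> powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==",
    "wscript.exe -> powershell Set-MpPreference -ExclusionPath 'C:\\'",
    "InstallUtil.exe -> cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q \"C:\\Temp\\x.exe\"",
    "explorer.exe -> powershell.exe -NoProfile -Command Get-Date",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common spellings are matched.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script hidden behind a -EncodedCommand argument, or None.
    -enc carries Base64 of the UTF-16LE encoded script, so both layers are undone."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    """Return the list of WhisperGate-style findings for one command line."""
    findings = []
    decoded = decode_encoded_command(cmdline)
    # Match patterns against the visible command line plus anything it had encoded.
    text = cmdline if decoded is None else cmdline + " " + decoded
    if decoded is not None:
        findings.append("encoded_powershell:" + decoded)
    # Excluding a whole drive from Defender scanning (the Nmddfrqqrbyjeygggda.vbs command).
    if re.search(r"Set-MpPreference\s+-ExclusionPath", text, re.IGNORECASE):
        findings.append("defender_exclusion_added")
    # ping used as a sleep, followed by forced deletion of a file (the self-delete command).
    if re.search(r"\bping\b.*&\s*del\s+/f", text, re.IGNORECASE):
        findings.append("ping_delay_then_self_delete")
    return findings


def triage_all(events):
    """Map each event to its findings, keeping only events that produced one."""
    return {e: triage(e) for e in events if triage(e)}
```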

Obfuscation


All .NET files are obfuscated with Eazfuscator.NET. In addition, ‘stage2.exe’ uses control-flow and method-name obfuscation.

Ransom note


The ransom note is written to the MBR (the first sector of the bootable disk) and is displayed on the screen when the system is rebooted.



Conclusion


WhisperGate was used in the targeted attack against Ukrainian government websites in the middle of January 2022. The operation consists of two stages. In the first stage, the malware overwrites the MBR with the ransom note, making the system unbootable and displaying the ransom message. In the second, the Trojan-Downloader fetches the malware that corrupts files by overwriting their contents with a fixed number of bytes. Although the malware broke the functionality and all the websites stopped working, they were restored the next day.


Watch the recording of the lecture with WhisperGate analysis



IoCs 

Files

File name                  SHA256
stage1.exe                 a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
stage2.exe                 dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Tbopbh.jpg                 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6
Frkmlkdkdubkznbkmcf.dll    9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d
AdvancedRun.exe            29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B
Nmddfrqqrbyjeygggda.vbs    DB5A204A34969F60FE4A653F51D64EEE024DBF018EDEA334E8B3DF780EDA846F
InstallUtil.exe            ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3


Network indicators

Type    Data
URL     https[:]//cdn[.]discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg


MITRE ATT&CK techniques




References

  1. Lecture recording https://www.youtube.com/watch?v=XxN4cINiLqA

  2. https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/

  3. https://www.bleepingcomputer.com/news/security/microsoft-fake-ransomware-targets-ukraine-in-data-wiping-attacks/

  4. https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3

  5. https://cert.gov.ua/article/18101




