Summary of the attack
Name: WhisperGate
Discovered in January 2022
Used in a targeted attack against the Ukrainian government websites on the 14th of January, 2022
Overwrites the contents of files with a fixed number of bytes
Rewrites the MBR, corrupts victims' files, downloads and drops its own files
Corrupted files get a random 4-byte extension
Comes in two stages: a PE64 executable written in C++ and a .NET application with fake digital signatures
The third stage is a .NET DLL, which is downloaded at runtime
Introduction
On January 13, 2022, multiple government sites in Ukraine were shut down due to a large-scale cyberattack by WhisperGate malware. In particular, the websites of the Cabinet of Ministers, the Ministry of Foreign Affairs, the Ministry of Sports, the Ministry of Energy, the Ministry of Agrarian Policy, the Ministry of Veterans Affairs, the website of the State Treasury, and state services website Diya stopped working. All users received a note with the following warning:
"Ukrainian! All your personal data has been uploaded to the public network. All data on the computer is destroyed, it is impossible to recover them. All information about you has become public, be afraid and expect the worst. This is for your past, present and future. For Volyn, for the OUN UPA, for Galicia, for Polissya, and for historical lands."
Microsoft intelligence named this activity "DEV-0586" and identified it as destructive malware disguised as ransomware. Its main purpose is to disrupt the system and damage files beyond recovery.
Technical Details
Defacement of the government websites
Two types of defacement have been discovered by CERT-UA:
- Complete replacement of the main page (index.php)
- Injection into the website of a malicious script that replaces its content
The supposed attack vectors are:
- supply chain attack
- the exploitation of OctoberCMS and/or Log4j vulnerabilities
MBR Writer (stage1.exe)
The threat actor uses the Impacket tool collection for lateral movement and malware execution. The first file ‘stage1.exe’ is a PE64 executable written in C++ and compiled with the MinGW compiler. This file can be placed in different directories, for example, C:\PerfLogs, C:\ProgramData, C:\, C:\temp. At the beginning of execution, the malware opens ‘\\\\.\\PhysicalDrive0’, which contains the Master Boot Record (MBR). It then writes the hardcoded ransom note to the MBR area as well as to every 199th sector of the disk. Because the MBR has been overwritten, the system will not boot after a reboot; instead, the ransom note is displayed.
The hardcoded ransom note:
Your hard drive has been corrupted.
In case you want to recover all hard drives
of your organization,
You should pay us $10k via bitcoin wallet
1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via
tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65
with your organization name.
We will contact you to give further instructions.
This behavior is not typical of ransomware, whose main purpose is to encrypt files and demand a ransom to decrypt them, usually leaving the system itself in working order. In this case, the malware changes the MBR, which prevents the system from starting. This means that the ransom note is a fake and the main purpose of the malware is to disrupt system operability.
The traces of stage1.exe execution discovered by CERT-UA are shown below:
Trojan-Downloader (stage2.exe)
The second file ‘stage2.exe’ is a .NET application which carries a Microsoft Windows signature supposedly taken from the Russian version of Windows Explorer, according to the properties shown in File Details. This file is also obfuscated with Eazfuscator.
It’s used to download the File Corrupter and contains a hardcoded Discord link:
Download data from the hardcoded link
This file also contains a Base64-encoded command, ‘UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==’, which is passed to PowerShell with the ‘-enc’ parameter. This means that PowerShell decodes the string before executing it. The decoded command is ‘Start-Sleep -s 10’. It suspends execution for the specified period and is used before the C2 server connection.
Executing the encoded PowerShell command
File Corrupter (Tbopbh.jpg / Frkmlkdkdubkznbkmcf.dll)
The downloaded Tbopbh.jpg file is an image file that is decoded into Frkmlkdkdubkznbkmcf.dll (SHA256: 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6). This file is a .NET library and contains 3 resources:
Frkmlkdkdubkznbkmcf.dll loads resource ‘78c855a088924e92a7f60d661c3d1845’ and calls the decryption function.
Resource loading
The decryption function decodes this resource with an XOR operation.
Decoding resource
During execution, the decoded resource drops two additional files in the %Temp% folder. The first file, ‘AdvansedRun.exe’, disables Windows Defender by executing the second file, ‘Nmddfrqqrbyjeygggda.vbs’. This script contains a command that excludes the whole ‘C:\’ drive from Windows Defender scanning:
CreateObject("WScript.Shell").Run "powershell Set-MpPreference -ExclusionPath 'C:\'", 0, False
Next, the malware drops ‘InstallUtil.exe’ into the ‘%Temp%’ folder and executes it. This program is the Microsoft utility for installing server resources and has a valid digital signature.
InstallUtil.exe properties
During execution, this program writes 22.53 GB to disk. The original program does not contain any suspicious code, so we can suppose that WhisperGate injects the file-corruption code into this process.
The File Wiper corrupts the files with the following file extensions:
.HTML .HTM .PHTML .PHP .JSP .ASP .PHPS .PHP5 .ASPX .PHP4 .PHP3 .DOC .DOCX .XLS .XLSX .PPT .PPTX .PST .MSG .EML .TXT .CSV .RTF .WKS .WK1 .PDF .DWG .JPEG .JPG .DOCM .DOT .DOTM .XLSM .XLSB .XLW .XLT .XLM .XLC .XLTX .XLTM .PPTM .POT .PPS .PPSM .PPSX .HWP .SXI .STI .SLDX .SLDM .BMP .PNG .GIF .RAW .TIF .TIFF .PSD .SVG .CLASS .JAR .SCH .VBS .BAT .CMD .ASM .PAS .CPP .SXM .STD .SXD .ODP .WB2 .SLK .DIF .STC .SXC .ODS .3DM .MAX .3DS .STW .SXW .ODT .PEM .P12 .CSR .CRT .KEY .PFX .DER .OGG .JAVA .INC .INI .PPK .LOG .VDI .VMDK .VHD .MDF .MYI .MYD .FRM .SAV .ODB .DBF .MDB .ACCDB .SQL .SQLITEDB .SQLITE3 .LDF .ARC .BAK .TAR .TGZ .RAR .ZIP .BACKUP .ISO .CONFIG
If a file's extension matches one of these, its contents are overwritten with 100000h (1048576) bytes of the value ‘0xC’, and a random 4-byte value is appended to its extension.
After the file corruption is done, the malware executes a ping command and deletes itself:
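The corruption pattern described above (a targeted extension with a random 4-byte addition, contents replaced by 1048576 copies of one byte) can be turned into a simple triage scanner for incident response. This is an added example, not code from the original post; it checks for a single repeated byte rather than hard-coding 0xC, and it accepts the random suffix with or without a separating dot, both of which are assumptions. The sample files are constructed inline.

```python
import tempfile
from pathlib import Path

FILL_LEN = 0x100000  # 1048576 bytes, the overwrite size described in the analysis
# Subset of the targeted extensions listed above; extend as needed.
TARGET_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".zip", ".sql", ".bak", ".key", ".pem"}


def original_extension(name):
    """Return the targeted extension hidden under a 4-character suffix, or None.
    Accepts 'report.docxQw4z' and 'report.docx.Qw4z' (assumed naming forms)."""
    lower = name.lower()
    for ext in TARGET_EXTS:
        if len(lower) <= len(ext) + 4:
            continue
        if lower[:-4].endswith(ext):
            return ext
        if lower[-5] == "." and lower[:-5].endswith(ext):
            return ext
    return None


def is_fill_pattern(path):
    """True if the first FILL_LEN bytes are one repeated byte value (0xC per the analysis)."""
    with open(path, "rb") as f:
        head = f.read(FILL_LEN)
    return len(head) == FILL_LEN and head == bytes([head[0]]) * FILL_LEN


def scan(directory):
    """Return {path: [reasons]} for files that look like WhisperGate victims."""
    findings = {}
    for p in Path(directory).rglob("*"):
        if not p.is_file():
            continue
        reasons = []
        if original_extension(p.name):
            reasons.append("4-char suffix after a targeted extension")
        if is_fill_pattern(p):
            reasons.append("first 1 MiB is a single repeated byte")
        if reasons:
            findings[str(p)] = reasons
    return findings


def build_sample_dir():
    """Constructed sample: one corrupted-looking file and one clean file."""
    d = tempfile.mkdtemp()
    Path(d, "report.docxQw4z").write_bytes(b"\x0c" * FILL_LEN)  # constructed victim
    Path(d, "notes.txt").write_text("quarterly notes\n")          # constructed clean file
    return d
```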
"cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q "%s"
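The three command lines quoted in this analysis (the Base64 ‘-enc’ sleep, the Defender exclusion, and the ping-then-delete self-removal) are all visible in process-creation telemetry. The following triage helper, an added example and not code from the original post, decodes PowerShell ‘-enc’ arguments (Base64 of UTF-16LE text) and matches each command line against those three patterns; the sample command lines are constructed, and the rule names are my own.

```python
import base64
import re

# Constructed sample command lines, modelled on the ones quoted in this analysis.
SAMPLE_CMDLINES = [
    "powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==",
    "powershell Set-MpPreference -ExclusionPath 'C:\\'",
    'cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q "C:\\Temp\\InstallUtil.exe"',
    "notepad.exe C:\\Users\\user\\notes.txt",
]

ENC_RE = re.compile(r"-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -enc argument, or None if absent or malformed.
    PowerShell expects the argument to be Base64 of UTF-16LE text."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Rule names are illustrative; each regex reflects one command line quoted above.
RULES = [
    ("defender-exclusion", re.compile(r"Set-MpPreference\s+-ExclusionPath", re.I)),
    ("ping-sleep-self-delete", re.compile(r"ping\s+\S+\s+-n\s+\d+.*&\s*Del\s+/f\s+/q", re.I)),
    ("encoded-sleep", re.compile(r"Start-Sleep", re.I)),
]


def triage(cmdline):
    """Return the rule names matching a command line, after decoding any -enc argument."""
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded:
        text = cmdline + " " + decoded
    return [name for name, rx in RULES if rx.search(text)]


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(triage(line), line)
```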
Obfuscation
All .NET files are obfuscated with Eazfuscator. The ‘stage2.exe’ file additionally has control-flow and method-name obfuscation.
Ransom note
The ransom note is written to the MBR (the very beginning of the boot disk) and is displayed on the screen when the system is rebooted.
Conclusion
WhisperGate was used in the targeted attack against Ukrainian government websites in the middle of January 2022. The operation consists of two stages. In the first stage, the malware overwrites the MBR with the ransom note, making the system unbootable and displaying the ransom message. In the second stage, the Trojan-Downloader fetches the malware that corrupts files by overwriting their contents with a fixed number of bytes. Although the malware disrupted the sites and all of them stopped working, they were restored the next day.
Watch the recording of the lecture with WhisperGate analysis
IoCs
Files
Network indicators
MITRE attack techniques
References
Lecture recording https://www.youtube.com/watch?v=XxN4cINiLqA