The malware used to strike Ukrainian government websites has similarities to the NotPetya wiper but has more capabilities "designed to inflict additional damage," researchers say.
Dubbed WhisperGate, the malware is a wiper that was used in cyberattacks against website domains owned by the country's government. The spate of attacks led to the defacement of at least 70 websites and a further 10 subject to "unauthorized interference," according to the Security Service of Ukraine, State Special Service and Cyber Police.
The wave of attacks was made public on January 14. Websites impacted included the Ukrainian Foreign Ministry, the Ministry of Education and Science, and various state services.
The defacement and reported compromise of at least two government systems come at a time when there appears to be a growing threat of invasion by Russia into Ukraine, despite the country denying any such plans. The UK has recently pulled a number of UK embassy staff out of Kyiv in response.
Microsoft has published an analysis of WhisperGate, which was discovered on January 13. In a follow-up, Cisco Talos said it was likely that stolen credentials provided the access point for the deployment of the wiper.
Cisco Talos says that two wipers are used in WhisperGate attacks. The first wiper attempts to destroy the master boot record (MBR) and to eradicate any recovery options.
"Similar to the notorious NotPetya wiper that masqueraded as ransomware during its 2017 campaign, WhisperGate is not intended to be an actual ransom attempt, since the MBR is completely overwritten," the researchers say.
However, with many modern systems now moving to GUID Partition Tables (GPTs), this executable may not be successful, so an additional wipe has been included in the attack chain.
In the second stage, a downloader pulls the code required for the third step. After a base64-encoded PowerShell command is executed twice and an endpoint is requested to enter sleep mode for 20 seconds. A Discord server URL, hardcoded into the downloader, is then pinged to grab a .DLL file.
The .DLL, written in C#, is obfuscated with the Eazfuscator, a .NET platform obfuscator and optimizer. The .DLL is a dropper that deploys and executes the main wiper payload through a VBScript. In addition, Windows Defender settings are tampered with to exclude the target drive from scans.
"The fourth-stage wiper payload is probably a contingency plan if the first-stage wiper fails to clear the endpoint," Cisco Talos says.
The wiper seeks out fixed and remote logical drives to target in the fourth stage. Enumeration then occurs, and files are wiped in drives outside of the "%HOMEDRIVE%\Windows" directory. Files with one of 192 extensions, including .HTML, .PPT, .JPG, .RAR, .SQL, and .KEY is destroyed.
"The wiper will overwrite the content of each file with 1MB worth of 0xCC bytes and rename them by appending each filename with a random four-byte extension," Talos says. "After the wiping process completes, it performs a delayed command execution using Ping to delete "InstallerUtil.exe" from the %TEMP% directory. Finally, it attempts to flush all file buffers to disk and stop all running processes (including itself) by calling ExitWindowsEx Windows API with EWX_SHUTDOWN flag."
Following the cyberattack, the European Union said it was mobilizing "all its resources" to assist Ukraine, NATO has pledged its support, and US President Biden has warned Russia of a cyber 'response' if Ukraine continues to be targeted.
CISA has recommended (.PDF) that organizations in general, as well as those linked to Ukraine, implement multi-factor authentication for remote systems, disable ports and access points that are not business-critical, and that strong controls be implemented for cloud services to mitigate the risk of compromise.
"We assess with medium confidence that stolen credentials were used in the attack based on our investigation thus far," Cisco Talos says. "We have high confidence that the actors had access to some victim networks in advance of the attacks, potentially for a few months or longer. This is a common trait of sophisticated APT attacks."
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0