Category: Malware
TLP Level: TLP:WHITE
Severity: High
Published: True

Campaign Active: 2022-01-15
Campaign Identified: 2022-01-16
Campaign Updated: 2022-01-16

Campaign Details:

Microsoft published a report describing a malware campaign given the name “WhisperGate” that is targeting Ukrainian systems including government agencies and technology organizations. This malware takes destructive actions on the host in order to render the victim inoperable under the guise of a ransomware infection. This malware campaign has two stages associated with it. The first stage will overwrite the Master Boot Record (MBR) with a fraudulent ransom note containing instructions on how to recover data. Stage 1 will execute when the victim device is powering down. The second stage leverages the legitimate service, Discord, in order to download an additional payload which corrupts files with extensions that are included in the list identified by Microsoft [Source 1].

Detections:

  • Indicators of compromise (IoCs) related to this campaign have been added to the ReliaQuest Emergency Feed. The following ReliaQuest Detect use-cases and MITRE techniques apply to this threat.

Mitigations:

  • Assess the feasibility of blocking the domain “discord[.]com” and/or “cdn.discordapp[.]com”, given that this threat and many others leverage legitimate Discord infrastructure to distribute and share malicious files.
  • Add the identified file hash IoCs to the blocklist in your AV/EDR solution, if the SHA-256 format is accepted. Microsoft stated in their blog that multiple victims saw the same payloads, suggesting that the threat actor is re-using the same binaries without tailoring them to the victim. As of January 16th, 2022, the malware samples have not been made public, so it is not yet possible to obtain the corresponding MD5 or SHA-1 hashes.
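One way to approach the Discord feasibility assessment in the first mitigation is to measure how much existing traffic a block would affect. The Python script below is an added example, not ReliaQuest or Microsoft code; the proxy log format, the sample log lines, and the choice to treat subdomains as covered by the block are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Domains from the advisory, defanged exactly as written on the page.
DEFANGED = ["discord[.]com", "cdn.discordapp[.]com"]
WATCHED = [d.replace("[.]", ".").lower() for d in DEFANGED]

# Constructed sample proxy log (assumed format: time client method target status).
SAMPLE_LOG = """\
2022-01-16T09:00:01Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/1/2/file.bin 200
2022-01-16T09:00:07Z 10.0.0.5 CONNECT cdn.discordapp.com:443 200
2022-01-16T09:01:00Z 10.0.0.9 GET https://DISCORD.com/channels/@me 200
2022-01-16T09:02:00Z 10.0.0.7 GET https://notdiscord.com/ 200
2022-01-16T09:03:00Z 10.0.0.7 GET https://cdn.discordapp.com.example.net/x 200
2022-01-16T09:04:00Z 10.0.0.8 GET https://ptb.discord.com/api 200
garbage line
"""

def watched_domain(target):
    """Return the advisory domain a request target falls under, else None."""
    # CONNECT targets are host:port with no scheme; "//" makes urlsplit see a netloc.
    try:
        host = urlsplit(target if "://" in target else "//" + target).hostname
    except ValueError:
        return None
    host = (host or "").rstrip(".")
    for domain in WATCHED:
        # Exact or true-subdomain match only, so lookalike hosts are not counted.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def summarize(log_text):
    """Count requests and distinct clients per watched domain, plus unparsable lines."""
    stats = defaultdict(lambda: {"requests": 0, "clients": set()})
    skipped = 0
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            skipped += 1
            continue
        _, client, _, target, _ = fields
        domain = watched_domain(target)
        if domain:
            stats[domain]["requests"] += 1
            stats[domain]["clients"].add(client)
    return dict(stats), skipped

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Clients that appear in the summary are the ones a block would interrupt; an empty or short list suggests the block can be applied with little business impact.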

While this threat isn’t a legitimate ransomware operation, many of the following recommendations for ransomware still apply:

    • Regularly monitor and audit external-facing services and assets for accidental exposure and out-of-date services. Remove any accidental exposure and patch any out-of-date services, with priority on services that have known vulnerabilities. Threat actors frequently scan the internet for public-facing assets that have an exploitable vulnerability and gain initial access via this method.
    • Implement phishing training and deploy e-mail security technologies to mitigate the risk of malicious e-mail documents. Threat actor groups often conduct phishing campaigns with malicious documents in order to gain an initial foothold.
    • Ensure comprehensive coverage of Anti-Virus/Endpoint Detection and Response tools within your environment in order to provide as much visibility as possible into exploit/threat activity. Additionally, many ReliaQuest Detect use-cases require endpoint logging/visibility in order to be pushed to production.
    • Maintain regular backups of all critical systems/information. Maintain offline backups as well to increase resilience.
    • Enforce complex passwords and Multi-Factor Authentication across all aspects of the environment (including third-party accounts).

Sources:
[1] https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
[2] https://therecord.media/microsoft-data-wiping-malware-disguised-as-ransomware-targets-ukraine-again/

MITRE Techniques:

  • Data Destruction
  • Disk Structure Wipe

ReliaQuest Intel IOCs:

  • Hash: a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
  • Hash: dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
  • Signature: DoS:Win32/WhisperGate.A!dha
  • Signature: DoS:Win32/WhisperGate.C!.dha
  • Signature: DoS:Win32/WhisperGate.H!dha
  • Signature: DoS:Win32/WhisperGate.X!dha

If you have any questions or would like to learn more about how to address this malware, please reach out to your ReliaQuest representative.