Executive Summary
- On 2022–01–15, MSTIC (Microsoft Threat Intelligence Center) identified and disclosed a cyberattack targeting Ukrainian organizations with “WhisperGate”, malware that overwrites the Master Boot Record (MBR) and files.
The actor who conducted this attack is tracked as DEV-0586 and has not yet been attributed to any existing group.
- It was confirmed that the actor uses the tool “Impacket” for lateral movement and malware execution.
Known working paths: C:\PerfLogs, C:\ProgramData, C:\, C:\temp
- The flow revealed so far consists of a total of three stages:
Stage1: Overwrites the MBR and destroys all partitions
Stage2: Downloads Stage3 through the Discord link
Stage3: Executes the file wiper and AdvancedRun.exe after decoding its resources
- The malware set used in this attack not only overwrites the MBR and creates a ransom note but also overwrites files without keeping any backup, so the purpose appears to be data destruction rather than financial gain.
- As additional samples such as Stage3 are being shared among analysts on Twitter in addition to the two samples released by MSTIC, the IoCs and this analysis will be updated continuously.
Detailed Analysis
Stage1
- SHA256: a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
- Creation Time: 2022–01–10 10:37:18
- First Submission: 2022–01–16 20:30:19
- File Type: Win32 EXE
Stage1 directly accesses the MBR (Master Boot Record) and overwrites it with 0x200 (512) bytes of data hard-coded inside the binary. When the PC is rebooted, the overwritten code is executed: it traverses all drives and overwrites them with fixed data at intervals of 199 LBAs.
The overwritten code reads the ransom note string inside the MBR and displays it on the screen.
After that, starting from the C drive, it attempts to destroy each disk by overwriting it with fixed data using the Extended Write mode.
Disk Address Packet (DAP) structure initialized when the malicious code writes to disk:
- (0x7C72) (offset 0 size 1) : size of packet (16 bytes)
- (0x7C73) (offset 1 size 1) : Reserved (always 0)
- (0x7C74) (offset 2 size 2) : number of sectors to transfer
- (0x7C76) (offset 4 size 4) : transfer buffer (segment:offset)
- (0x7C7A) (offset 8 size 4) : lower 32-bits of 48-bit starting LBA
- (0x7C7E) (offset 12 size 4) : upper 16-bits of 48-bit starting LBA
Writes start from LBA#1 of the disk
- When disk access succeeds, the LBA is increased by 0xC7 (199) and the next write is issued
- When disk access fails, the drive index is increased and the next disk is tried
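A helper for triaging a disk hit by Stage1, added here as an example and not code from the original analysis or from the malware: it packs and parses the 16-byte DAP laid out above and lists the LBAs (and raw image offsets) on the 199-sector stride that starts at LBA#1. The default buffer address (0000:7C00) and the field names are assumptions based on the standard INT 13h extended-write packet.

```python
import struct

# INT 13h extended-write Disk Address Packet, laid out as in the report (16 bytes):
# size(1) reserved(1) sectors(2) buffer offset(2) buffer segment(2)
# lower 32 bits of LBA(4) upper 16 bits of LBA(4, top half unused)
DAP_FORMAT = "<BBHHHII"
DAP_SIZE = struct.calcsize(DAP_FORMAT)   # 16
FIRST_LBA = 1      # writing starts at LBA#1, right after the MBR
LBA_STRIDE = 0xC7  # 199: the step between successive writes

def build_dap(lba, sectors=1, segment=0, offset=0x7C00):
    """Pack a DAP for a transfer of `sectors` sectors at 48-bit `lba` (buffer address is assumed)."""
    if not 0 <= lba < (1 << 48):
        raise ValueError("LBA must fit in 48 bits")
    return struct.pack(DAP_FORMAT, DAP_SIZE, 0, sectors, offset, segment,
                       lba & 0xFFFFFFFF, (lba >> 32) & 0xFFFF)

def parse_dap(raw):
    """Unpack a DAP captured from memory (the report places it at 0x7C72)."""
    if len(raw) < DAP_SIZE:
        raise ValueError("truncated DAP")
    size, _, sectors, offset, segment, lba_lo, lba_hi = struct.unpack_from(DAP_FORMAT, raw)
    if size != DAP_SIZE:
        raise ValueError("unexpected DAP size field: %d" % size)
    return {"sectors": sectors, "buffer": (segment, offset),
            "lba": ((lba_hi & 0xFFFF) << 32) | lba_lo}

def affected_lbas(total_sectors):
    """LBAs the Stage1 bootstrap code writes on a disk of `total_sectors` (MBR at LBA 0 excluded)."""
    return list(range(FIRST_LBA, total_sectors, LBA_STRIDE))

def image_offsets_to_examine(total_sectors, sector_size=512):
    """Byte offsets in a raw disk image to inspect when triaging a disk hit by Stage1."""
    return [lba * sector_size for lba in affected_lbas(total_sectors)]
```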
Stage2
- SHA256: dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
- Creation Time: 2022–01–10 14:39:54
- First Submission: 2022–01–16 20:31:26
- File Type: Win32 EXE
Stage2 performs no malicious action for 20 seconds to bypass AV (Anti-Virus). To do this, it runs the following command twice.
Command: powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
-> Start-Sleep -s 10
Then it downloads an additional file disguised with a JPG extension from the Discord link. The downloaded file is byte-reversed to obtain a PE (DLL), and the “Ylfwdwgmpilzyaph” method in that file is executed in memory.
- URL: https[:]//cdn.discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg
Stage3 (Tbopbh.jpg)
- SHA256 : 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6
Tbopbh.jpg (Reversed)
- SHA256 : 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d
- Creation Time: 2022–01–10 14:39:31
- First Submission: 2022–01–16 21:29:58
- File Type: Win32 DLL
The downloaded Stage3 is written in C#, as is Stage2, and exeinfoPE detects the obfuscation tool Eazfuscator.
There are 3 resources inside Stage3. Except for the resource “78c855a088924e92a7f60d661c3d1845”, the use of the remaining 2 resources has not yet been confirmed; the contents will be updated later.
Stage3 loads the internal resource “78c855a088924e92a7f60d661c3d1845” and decodes it with an XOR operation.
The decoded data is a DLL file containing two additional resources, “AdvancedRun” and “Waqybg”, which Stage3 extracts and decompresses with GZIP.
- AdvancedRun (GZIP Decompressed)
- Waqybg (Reversed and GZIP Decompressed)
1. AdvancedRun: Stops the Windows Defender service
- Executes “%Temp%\Nmddfrqqrbyjeygggda.vbs” to register “C:\” as an exclusion folder
Command: “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” Set-MpPreference -ExclusionPath ‘C:\’
- Stops the Windows Defender service through AdvancedRun.exe and deletes the “C:\ProgramData\Microsoft\Windows Defender” directory
Command: “C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe” /EXEFilename “C:\Windows\System32\sc.exe” /WindowState 0 /CommandLine “stop WinDefend” /StartDirectory “” /RunAs 8 /Run
Command: “C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe” /EXEFilename “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” /WindowState 0 /CommandLine “rmdir ‘C:\ProgramData\Microsoft\Windows Defender’ -Recurse” /StartDirectory “” /RunAs 8 /Run
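A command-line triage helper covering both the Stage2 encoded PowerShell above and the Stage3 AdvancedRun/Defender commands, added here as an example and not code from the report or the malware: it decodes -EncodedCommand payloads (base64 of UTF-16LE) and matches the documented command patterns. The sample command lines, the rule names and the -e/-ec/-enc prefix handling are constructed assumptions.

```python
import base64
import re

# Constructed sample command lines modelled on those documented in this report.
SAMPLE_COMMAND_LINES = [
    "powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath ' + "'C:\\'",
    r'"C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" '
    r'/WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run',
    r"notepad.exe C:\Users\Administrator\notes.txt",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common ones are listed here.
ENC_ARG = re.compile(r"-e(?:ncodedcommand|ncodedc|nco|nc|n|c)?\s+([A-Za-z0-9+/=]{8,})", re.I)

# Patterns taken from the command lines documented above (rule names are our own).
RULES = [
    ("defender_exclusion_root", r"Set-MpPreference\s+-ExclusionPath\s+['\"]?C:\\"),
    ("defender_service_stop", r"\bsc(?:\.exe)?\b.*\bstop\s+WinDefend\b"),
    ("defender_dir_removal", r"rmdir\s+.*Windows Defender.*-Recurse"),
    ("advancedrun_runas_8", r"AdvancedRun(?:\.exe)?.*/RunAs\s+8\b"),
    ("sleep_evasion", r"\bStart-Sleep\b"),
]
RULES = [(name, re.compile(pattern, re.I)) for name, pattern in RULES]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(cmdline):
    """Return (decoded payload or None, names of rules hit by the raw or decoded command)."""
    decoded = decode_encoded_command(cmdline)
    hits = [name for name, rx in RULES
            if rx.search(cmdline) or (decoded is not None and rx.search(decoded))]
    return decoded, hits
```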
2. Waqybg: Overwrites target files
- Overwrites the first 0x100000 (1MB) bytes of each file with 0xCC
- Extension: changed to a random number
- Target file extensions (106):
.HTML .HTM .PHTML .PHP .JSP .ASP .PHPS .PHP5 .ASPX .PHP4 .PHP3 .DOC .DOCX .XLS .XLSX .PPT .PPTX .PST .MSG .EML .TXT .CSV .RTF .WKS .WK1 .PDF .DWG .JPEG .JPG .DOCM .DOT .DOTM .XLSM .XLSB .XLW .XLT .XLM .XLC .XLTX .XLTM .PPTM .POT .PPS .PPSM .PPSX .HWP .SXI .STI .SLDX .SLDM .BMP .PNG .GIF .RAW .TIF .TIFF .PSD .SVG .CLASS .JAR .SCH .VBS .BAT .CMD .ASM .PAS .CPP .SXM .STD .SXD .ODP .WB2 .SLK .DIF .STC .SXC .ODS .3DM .MAX .3DS .STW .SXW .ODT .PEM .P12 .CSR .CRT .KEY .PFX .DER .OGG .JAVA .INC .INI .PPK .LOG .VDI .VMDK .VHD .MDF .MYI .MYD .FRM .SAV .ODB .DBF .MDB .ACCDB .SQL .SQLITEDB .SQLITE3 .LDF .ARC .BAK .TAR .TGZ .RAR .ZIP .BACKUP .ISO .CONFIG
- Executes a ping command and then deletes itself
cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q \”[Filepath]\”
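An example, added here and not part of the original report, of checking files for the two Waqybg traits described above (random-number extension, first 1MB overwritten with 0xCC), for use when triaging a mounted image. The sample file names and contents are constructed; whether the numeric extension is appended to or replaces the original one is not stated, so the name check only looks at the final extension.

```python
import os
import re

WIPE_LEN = 0x100000    # the wiper overwrites the first 1MB of each target file
WIPE_BYTE = 0xCC
NUMERIC_EXT = re.compile(r"\.\d+$")   # wiped files are left with a random-number extension

# Constructed sample files (name -> content) standing in for a directory listing.
SAMPLE_FILES = {
    "report.docx": b"PK\x03\x04" + b"\x00" * 300,            # intact Office document
    "report.docx.93817": b"\xcc" * 4096,                      # small file, fully overwritten
    "db.mdf.10284": b"\xcc" * WIPE_LEN + b"real data tail",   # large file, only the first 1MB gone
    "notes.txt.77": b"\xcc" * 100 + b"hello",                 # numeric extension but not the wipe pattern
}

def is_wiped_content(data):
    """True if the first min(len, 1MB) bytes are all 0xCC; empty files never qualify."""
    head = data[:WIPE_LEN]
    return len(head) > 0 and head.count(WIPE_BYTE) == len(head)

def classify(name, data):
    """Report both wiper traits separately so partial matches can be reviewed by hand."""
    return {"name": name,
            "numeric_ext": bool(NUMERIC_EXT.search(name)),
            "wiped_content": is_wiped_content(data)}

def find_wiped(files):
    """Names of in-memory samples showing both traits, sorted for stable output."""
    return sorted(n for n, d in files.items()
                  if NUMERIC_EXT.search(n) and is_wiped_content(d))

def scan_directory(root):
    """Apply the same checks to a real tree (e.g. a mounted image), reading only 1MB per file."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            if not NUMERIC_EXT.search(n):
                continue
            path = os.path.join(dirpath, n)
            try:
                with open(path, "rb") as f:
                    if is_wiped_content(f.read(WIPE_LEN)):
                        hits.append(path)
            except OSError:
                continue
    return sorted(hits)
```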
Appendix
Ransom Note
Your hard drive has been corrupted.
In case you want to recover all hard drives
of your organization,
You should pay us $10k via bitcoin wallet
1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via
tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65
with your organization name.
We will contact you to give further instructions.
Related IoCs
- a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 (Stage1)
- dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 (Stage2)
- 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 (Stage3, Tbopbh.jpg)
- 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d (Stage3, Reversed Tbopbh.jpg)
- 35FEEFE6BD2B982CB1A5D4C1D094E8665C51752D0A6F7E3CAE546D770C280F3A (Decoded Resource “78c855a088924e92a7f60d661c3d1845”)
- 29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B (AdvancedRun.exe)
- DB5A204A34969F60FE4A653F51D64EEE024DBF018EDEA334E8B3DF780EDA846F (Nmddfrqqrbyjeygggda.vbs)
- 34CA75A8C190F20B8A7596AFEB255F2228CB2467BD210B2637965B61AC7EA907 (File Wiper)
- URL: https[:]//cdn.discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg
Reference
- Homepage: https://s2w.inc/
- Facebook: https://www.facebook.com/S2WLAB/
- Twitter: https://twitter.com/S2W_Official