Analysis of Destructive Malware (WhisperGate) targeting Ukraine

BLKSMTH | S2W TALON

Photo by Kristina Flour on Unsplash

Executive Summary

• 2022–01–15, MSTIC (Microsoft Threat Intelligence Center) identified and unveiled a cyberattack targeting Ukrainian organizations with “WhisperGate” overwrites Master Boot Record(MBR) and files.

An actor who conducted this attack tracked as DEV-0586 and has not yet been attributed to existing groups

• It was confirmed that the actor uses a tool “Impacket” to perform lateral movement and malware execution.

Known working paths: C:\PerfLogs, C:\ProgramData, C:\, C:\temp

• The flow consisting of a total of three stages revealed so far is as follows.

Stage1: Overwrites the MBR and destroy all partitions
Stage2: Downloads Stage3 through the discord link
Stage3: Executes file wiper & AdvancedRun.exe after decoding resources

Flow chart

• The malware sets used in this attack not only overwrites the MBR and create a ransom note but also overwrites files without any backups, so it seems that the purpose is data destruction, not financial gain.
• As additional samples such as Stage3 are being shared among analysts on Twitter in addition to the two samples currently released by MSTIC, the IoC, and analysis reports will be continuously updated.

Detailed Analysis

Stage1

• SHA256: a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
• Creation Time: 2022–01–10 10:37:18
• First Submission: 2022–01–16 20:30:19
• File Type: Win32 EXE

Stage1 directly accesses the MBR(Master Boot Record) and overwrites with the 0x200 size data that is hard-coded inside. After that, when the PC is rebooted, the overwritten code is executed, and the code traverses all drives on the disk and overwrites it with specific data at intervals of 199 LBAs.

Overwrites MBR

The overwritten code reads the ransom note string inside the MBR and sets it to appear on the display.

Writes ransom note on the display

After that, it traverses from the C drive and attempts to destroy it by overwriting it with fixed data as Extended Write mode.

Drives wiper code

Disk Address Packet(DAP) structure initialized when malicious code writes to disk

• (0x7C72) (offset 0 size 1) : size of packet (16 bytes)
• (0x7C73) (offset 1 size 1) : Reserved (always 0)
• (0x7C74) (offset 2 size 2) : number of sectors to transfer
• (0x7C76) (offset 4 size 4) : transfer buffer (segment:offset)
• (0x7C7A) (offset 8 size 4) : lower 32-bits of 48-bit starting LBA
• (0x7C7E) (offset 12 size 4) : upper 16-bits of 48-bit starting LBA

Write starts from LBA#1 of disk

• When disk access is successful, LBA is increased by 0xC7 (199) and written
• When disk access fails, increase the Drive Index and try to access the next disk

Overwritten drives

Stage2

• SHA256: dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
• Creation Time: 2022–01–10 14:39:54
• First Submission: 2022–01–16 20:31:26
• File Type: Win32 EXE

Stage2 does not perform malicious actions for 20 seconds to bypass the AV (Anti Virus). To do this, run the following command twice.

Command: powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==
—> Start-Sleep -s 10

Then, it downloads an additional file disguised as a JPG extension from the discord link. The downloaded file is reversed and takes the form of PE, and executes “Ylfwdwgmpilzyaph” method in the file in the memory.

Stage3 payload downloaded via Discord link

• URL: https[:]//cdn.discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg

Stage3 (Tbopbh.jpg)

• SHA256 : 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6

Tbopbh.jpg (Reversed)

• SHA256 : 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d
• Creation Time: 2022–01–10 14:39:31
• First Submission: 2022–01–16 21:29:58
• File Type: Win32 DLL

The downloaded Stage3 is written in C# as in Stage2, and an obfuscation tool called Eazfuscator is detected by exeinfoPE.

Detected Eazfuscator

There are 3 resources inside Stage3, and except for the resource “78c855a088924e92a7f60d661c3d1845‎”, the use of the remaining 2 resources has not yet been confirmed, and the contents will be updated later.

3 resources inside Stage3

Stage3 loads “78c855a088924e92a7f60d661c3d1845‎” resource inside and performs decoding by XOR operation.

XOR decoding code

Next, the decoded data is a DLL file and contains two additional resources. The two resources “AdvancedRun” and “Waqybg”, are extracted by Stage3, and decompressed with GZIP.

• AdvancedRun (GZIP Decompressed)
• Waqybg (Reversed and GZIP Decompressed)

2 resources in the decoded resource

1. AdvancedRun: Stop Windows Defender service

• Execute “%Temp%Nmddfrqqrbyjeygggda.vbs” to specify “C:\” as the exception folder

Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” Set-MpPreference -ExclusionPath ‘C:\’

• Stop Windows Defender service through AdvancedRun.exe and delete “C:\ProgramData\Microsoft\Windows Defender” directory

Command: “C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe” /EXEFilename “C:\Windows\System32\sc.exe” /WindowState 0 /CommandLine “stop WinDefend” /StartDirectory “” /RunAs 8 /Run

Command: “C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe” /EXEFilename “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” /WindowState 0 /CommandLine “rmdir ‘C:\ProgramData\Microsoft\Windows Defender’ -Recurse” /StartDirectory “” /RunAs 8 /Run

2. Waqybg: Overwrites target files

• Overwrites the 0x100000(1MB) of the file with 0xCC
• Extension: Random number

Overwrites files

• Target file extensions (106)

.HTML .HTM .PHTML .PHP .JSP .ASP .PHPS .PHP5 .ASPX .PHP4 .PHP3 .DOC .DOCX .XLS .XLSX .PPT .PPTX .PST .MSG .EML .TXT .CSV .RTF .WKS .WK1 .PDF .DWG .JPEG .JPG .DOCM .DOT .DOTM .XLSM .XLSB .XLW .XLT .XLM .XLC .XLTX .XLTM .PPTM .POT .PPS .PPSM .PPSX .HWP .SXI .STI .SLDX .SLDM .BMP .PNG .GIF .RAW .TIF .TIFF .PSD .SVG .CLASS .JAR .SCH .VBS .BAT .CMD .ASM .PAS .CPP .SXM .STD .SXD .ODP .WB2 .SLK .DIF .STC .SXC .ODS .3DM .MAX .3DS .STW .SXW .ODT .PEM .P12 .CSR .CRT .KEY .PFX .DER .OGG .JAVA .INC .INI .PPK .LOG .VDI .VMDK .VHD .MDF .MYI .MYD .FRM .SAV .ODB .DBF .MDB .ACCDB .SQL .SQLITEDB .SQLITE3 .LDF .ARC .BAK .TAR .TGZ .RAR .ZIP .BACKUP .ISO .CONFIG

• Executes ping command and delete itself

cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q \”[Filepath]\”

Appendix

Ransom Note

Your hard drive has been corrupted.
In case you want to recover all hard drives
of your organization,
You should pay us $10k via bitcoin wallet
1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via
tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65
with your organization name.
We will contact you to give further instructions.

Related IoCs

• a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 (Stage1)
• dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 (Stage2)
• 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 (Stage3, Tbopbh.jpg)
• 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d (Stage3, Reversed Tbopbh.jpg )
• 35FEEFE6BD2B982CB1A5D4C1D094E8665C51752D0A6F7E3CAE546D770C280F3A (Decoded Resource “78c855a088924e92a7f60d661c3d1845‎”)
• 29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B(AdvancedRun.exe)
• DB5A204A34969F60FE4A653F51D64EEE024DBF018EDEA334E8B3DF780EDA846F (Nmddfrqqrbyjeygggda.vbs)
• 34CA75A8C190F20B8A7596AFEB255F2228CB2467BD210B2637965B61AC7EA907 (File Wiper)
• URL: https[:]//cdn.discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg

Reference

• https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/

• Homepage: https://s2w.inc/
• Facebook: https://www.facebook.com/S2WLAB/
• Twitter: https://twitter.com/S2W_Official