TTPs used by DEV-0586 APT Group in WhisperGate Attack Targeting Ukraine
On January 15, 2021, Microsoft Threat Intelligence Center (MSTIC) published a blog post stating that nation-state threat group DEV-0586 has been conducting destructive malware operations on Ukrainian organizations. In this blog, we share information about the simulation and mitigation of these malware attacks to help the cybersecurity community.
WhisperGate Wiper Malware
WhisperGate is a two-stage wiper malware that misrepresents itself as ransomware. The initial access stage for the malware is unknown at the moment. However, it is suspected to be a supply chain attack [1].
In its first stage, WhisperGate malware overwrites Master Boot Records (MBR) with a fake ransom note. Since the MBR is overwritten, it is not possible to recover it. Therefore, the ransom note is a misdirection, paying the ransom would not help recover lost data. After the first stage of the malware overwrites the MBR, powering down the infected system effectively bricks the system making it unable to boot up.
In its second stage, WhisperGate malware corrupts files with certain extensions and in certain directories by overwriting them with 0xCC bytes. After overwriting and corrupting files, the malware renames the files with a random four-byte extension.
Validate your Security Controls Against WhisperGate Malware Now
TTPs Used by DEV-0586 APT Group in WhisperGate Campaign
DEV-0586 hacking group uses the following tactics, techniques, and procedures (TTPs) in their WhisperGate wiper malware campaign:
Tactic: Execution
MITRE ATT&CK T1059.003 Command and Scripting Interpreter: Windows Command Shell
The first stage of WhisperGate malware uses the following Windows Command Shell command to execute the destructive malware:
cmd.exe /Q /c start c:\stage1.exe 1> \\127.0.0.1\ADMIN$\__[TIMESTAMP] 2>&1 |
MITRE ATT&CK T1059.001 Command and Scripting Interpreter: PowerShell
The second stage of WhisperGate malware uses PowerShell commands to connect its Command and Control (C2) server and download additional payloads [2].
powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA== |
The -enc parameter is used in this PowerShell command. However, there is not a parameter named -enc according to the official PowerShell documentation. In fact, the -enc parameter is completed by PowerShell as the -EncodedCommand parameter because of the parameter substring completion feature of PowerShell.
-EncodedCommand accepts a base-64-encoded string version of a command. Therefore, we must use base64 decoding to reveal the following PowerShell command:
Start-Sleep -s 10 |
Base64 Encoded |
Decoded |
UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA== |
Start-Sleep -s 10 |
Tactic: Defense Evasion & Persistence
MITRE ATT&CK T1542.003 Pre-OS Boot: Bootkit
The first stage of WhisperGate modifies the Master Boot Record (MBR). Since the altered MBR is the first section of the disk after completing hardware initialization by the BIOS, the malware evades defense.
MITRE ATT&CK T1027 Obfuscated Files or Information
The second stage of WhisperGate malware delivers PowerShell commands in Base64
Tactic: Discovery
MITRE ATT&CK T1083 File and Directory Discovery
The second stage of WhisperGate searches for specific file extensions in certain directories to alter their content.
Tactic: Command and Control
MITRE ATT&CK T1105 Ingress Tool Transfer
The second stage of WhisperGate download file corruptor payload from Discord channel hosted by the APT group. The download link for the malicious executable is hardcoded in the stage2.exe.
Tactic: Impact
MITRE ATT&CK T1561 Disk Wipe
The first stage of WhisperGate overwrites the Master Boot Record for impact. When the MBR is overwritten, the infected system does not boot up after power down.
The second stage of WhisperGate overwrites files and adversely affects their integrity. Also, the malware renames the files to further its impact.
WhisperGate Attack Simulations with Picus
Picus Continuous Security Validation Platform tests your security controls against WhisperGate malware variants and suggests related prevention methods.
Picus Labs advises you to simulate these malware families and determine the effectiveness of your security controls against them. Picus Threat Library consists of eight attack simulations for WhisperGate MBR Wiper malware of DEV-0586 APT group.
Threat Name |
WhisperGate MBR Wiper Malware used by DEV-0586 Threat Group .EXE File Download (1 Variant |
WhisperGate MBR Wiper Downloader used by DEV-0586 Threat Group .EXE File Download (2 Variants) |
WhisperGate MBR Wiper Malware used by DEV-0586 Threat Group .DLL File Download (5 Variants) |
Validate your Security Controls Against WhisperGate Malware
Indicators of Compromises
SHA-256 |
MD5 |
SHA-1 |
9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d |
e61518ae9454a563b8f842286bbdb87b |
82d29b52e35e7938e7ee610c04ea9daaf5e08e90 |
00bc665d96ecadc6beb2a9384773a70391f08f8e7a2876253f32ceec793eb728 |
ba45247858c0739865a52996768b7485 |
aff0b6eab23bbf4e5cb94fd4292c6d961dee060e |
9cdaacaba35c3a473ec5b652d035a9593ee822609e79662223869e2b7298dc0a |
ee47d6ae8414f6c6ca28a3b76bf75e44 |
a983bd69a71322d64199e67f2abcfe5ef0e1bca7 |
bbe1949ffd9188f5ad316c6f07ef4ec18ba00e375c0e6c2a6d348a2a0ab1e423 |
db600240aecf9c6d75c733de57f252bf |
8756712e2c73ee3f92ded3852e41a486be3de6e2 |
ff3b45ecfbbdb780b48b4c829d2b6078d8f7673d823bedbd6321699770fa3f84 |
6f93fd91f17130aabd5251e7bae3eeaa |
2af6e61d203191b4b8df982f37048937a1f9696c |
35ab54a9502e975c996cbaee3d6a690da753b4af28808d3be2054f8a58e5c7c5 |
56af47c87029b9fba5fe7c81e99cedca |
ea65565404ffde218ebccaeaca00ac1a2937dc57 |
dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 |
14c8482f302b5e81e3fa1b18a509289d |
16525cb2fd86dce842107eb1ba6174b23f188537 |
a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 |
5d5c99a08a7d927346ca2dafa7973fc1 |
189166d382c73c242ba45889d57980548d4ba37e |
References
[1] F. Bajak, “Microsoft discloses malware attack on Ukraine govt networks,” Associated Press, 16-Jan-2022. [Online]. Available: https://apnews.com/article/technology-business-europe-russia-ukraine-404c5e751709fba66b31fd512f734d80.
[2] Joe Security LLC, “Automated Malware Analysis Report for stage2.exe – Generated by Joe Sandbox,” Joe Security LLC. [Online]. Available: https://www.joesandbox.com/analysis/553986/0/html. [Accessed: 17-Jan-2022]
*** This is a Security Bloggers Network syndicated blog from Resources authored by Hüseyin Can YÜCEEL. Read the original post at: https://www.picussecurity.com/resource/blog/dev-0586-apt-group-in-whispergate-attack-targeting-ukraine