Researchers have released a detailed analysis of the WhisperGate wiper that crippled Ukrainian organizations, including its similarities with NotPetya. The WhisperGate attacks were first observed on January 13; although the malware posed as ransomware, its purpose was the disruption of the targets' operations rather than financial gain.

A deeper look into WhisperGate

Describing the malware, Microsoft said it was designed to look like ransomware but was intended to render systems inoperable rather than to collect a ransom. Cisco Talos researchers further assessed that stolen credentials likely provided the initial access used to deploy the wiper.
  • Just like the NotPetya wiper, which masqueraded as ransomware in its 2017 campaign, WhisperGate presents itself as ransomware. Its first stage overwrites the Master Boot Record (MBR) with a ransom note, leaving a BIOS/MBR-booted system unable to start.
  • The same stage also attempts to destroy the C:\ partition by overwriting it with garbage data. Wiping disk partitions in this way is not usually seen in MBR-targeting wipers such as NotPetya.
  • Moreover, because many current systems use GUID Partition Tables (GPT) and boot through UEFI rather than a legacy MBR, the MBR overwrite alone may not succeed in disabling them. The malware therefore carries additional stages and payloads to guarantee destruction.
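The GPT caveat above is the first thing an incident responder wants to check on a suspected victim disk: is sector 0 still a valid MBR, and if it has been overwritten, does the GPT header at LBA 1 survive so that UEFI firmware may still find the EFI system partition? The following triage script is an added example written for this page, not code from the researchers or from Cyware. The sample sectors it classifies are constructed inline (the ransom-note text is a placeholder, not the real note), and the `boot_may_survive` verdict is a heuristic: firmware behaviour when only the protective MBR is damaged varies by vendor.

```python
import struct
import sys

SECTOR = 512


def build_mbr(entries):
    """Build a minimal 512-byte MBR: boot-code stub, up to four partition
    entries (type, start LBA, sector count) and the 0x55AA signature."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x3c\x90"                          # jump stub where boot code would start
    for i, (ptype, start_lba, count) in enumerate(entries[:4]):
        off = 446 + 16 * i
        sec[off] = 0x80 if i == 0 else 0x00             # active flag on the first entry
        sec[off + 4] = ptype                             # partition type byte
        struct.pack_into("<II", sec, off + 8, start_lba, count)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


# Constructed sample sectors (not images taken from a real WhisperGate victim).
LEGACY_MBR = build_mbr([(0x07, 2048, 204800)])        # BIOS/MBR disk, one NTFS partition
PROTECTIVE_MBR = build_mbr([(0xEE, 1, 0xFFFFFFFF)])   # GPT disk: single 0xEE protective entry
GPT_HEADER = (b"EFI PART" + b"\x00\x00\x01\x00").ljust(SECTOR, b"\x00")  # LBA 1: signature + revision
WIPED_LBA0 = b"<constructed ransom note text>".ljust(SECTOR, b"\x00")     # LBA 0 after an overwrite


def classify_lba0(sector):
    """Classify the first sector as 'gpt-protective', 'legacy-mbr',
    'no-partition-table' (valid signature, empty table), 'empty' or 'overwritten'."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        return "empty" if not any(sector) else "overwritten"
    types = [sector[446 + 16 * i + 4] for i in range(4)]
    if 0xEE in types:
        return "gpt-protective"
    if any(types):
        return "legacy-mbr"
    return "no-partition-table"


def gpt_header_intact(lba1):
    """UEFI firmware locates partitions through the GPT header at LBA 1, not through LBA 0."""
    return lba1[:8] == b"EFI PART"


def assess_disk(lba0, lba1):
    """Triage verdict: is LBA 0 intact, and if not, can the disk still boot?
    'boot_may_survive' is a heuristic: a surviving GPT header means UEFI firmware
    may still find the EFI system partition; a legacy MBR disk with LBA 0 gone will not boot."""
    scheme = classify_lba0(lba0)
    gpt = gpt_header_intact(lba1)
    destroyed = scheme in ("overwritten", "empty")
    return {
        "lba0": scheme,
        "gpt_header": gpt,
        "lba0_destroyed": destroyed,
        "boot_may_survive": (not destroyed) or gpt,
    }


if __name__ == "__main__":
    # Usage: python triage_lba0.py /dev/sdX   (or a raw disk image) - reads the first two sectors.
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as disk:
            first, second = disk.read(SECTOR), disk.read(SECTOR)
        print(assess_disk(first, second))
    else:
        for name, sec in [("legacy", LEGACY_MBR), ("gpt", PROTECTIVE_MBR), ("wiped", WIPED_LBA0)]:
            print(name, assess_disk(sec, GPT_HEADER))
```

Run it against a raw image acquired from the victim rather than the live disk where possible; on a GPT disk, a backup copy of the partition table also lives in the last sectors of the disk, which is what recovery tooling uses when LBA 1 is gone as well.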

What happens in the additional stages?

In the second stage, a downloader fetches the code for the third stage. Before doing so it runs a base64-encoded PowerShell Start-Sleep command twice, pausing its own execution for 20 seconds in total, a delay that can outlast time-limited sandbox analysis.
  • The downloader then contacts a Discord CDN URL hardcoded into it to fetch a '.DLL' file obfuscated with Eazfuscator. This third-stage DLL drops a VBScript and then the main file-wiper payload.
  • The VBScript modifies Windows Defender settings to exclude the targeted drive from scans.
  • In case the first-stage MBR wiper fails to render the endpoint unusable, the attackers prepared a fourth-stage file-wiper payload as a backup plan. This stage enumerates fixed and remote logical drives to target.
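The second- and third-stage behaviour above (two encoded Start-Sleep invocations, then a Defender exclusion for the target drive) is exactly the kind of chain a detection engineer can catch from process-creation telemetry. The script below is an added example for this page, not code from the researchers or from Cyware. The events are constructed to resemble Sysmon Event ID 1 records and are not real telemetry; the sleep script is encoded the way PowerShell's `-EncodedCommand` expects (base64 of UTF-16LE), and the host names and the two-sleeps-plus-exclusion threshold are assumptions chosen for the example.

```python
import base64
import re
from collections import defaultdict


def b64_utf16(script):
    """Encode a script the way PowerShell's -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed process-creation events (shape modelled on Sysmon Event ID 1, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc " + b64_utf16("Start-Sleep -s 10")},
    {"host": "WS01", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc " + b64_utf16("Start-Sleep -s 10")},
    {"host": "WS01", "image": "powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -ExclusionPath 'C:\\'"},
    {"host": "WS02", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
]

RULES = {
    "sleep_delay": re.compile(r"\bStart-Sleep\b", re.I),
    "defender_exclusion": re.compile(r"\b(?:Set|Add)-MpPreference\b.*-ExclusionPath", re.I | re.S),
}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if the command line has none.
    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -en, -enc, ...),
    so match by prefix rather than by the full switch name."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        low = tok.lower()
        if low.startswith("-") and len(low) >= 2 and "-encodedcommand".startswith(low):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze(cmdline):
    """Decode any encoded payload and match both the raw and the decoded text against RULES."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    return {"decoded": decoded, "hits": [name for name, rx in RULES.items() if rx.search(text)]}


def triage(events):
    """Per host: flag the WhisperGate-like chain of at least two Start-Sleep runs
    plus a Defender exclusion. Returns {host: flagged}."""
    counts = defaultdict(lambda: {"sleep_delay": 0, "defender_exclusion": 0})
    for ev in events:
        per_host = counts[ev["host"]]          # touch the host so clean hosts are reported too
        for hit in analyze(ev["cmdline"])["hits"]:
            per_host[hit] += 1
    return {host: c["sleep_delay"] >= 2 and c["defender_exclusion"] >= 1
            for host, c in counts.items()}


if __name__ == "__main__":
    for host, flagged in triage(SAMPLE_EVENTS).items():
        print(host, "WhisperGate-like chain" if flagged else "clean")
```

A single encoded Start-Sleep is common in legitimate automation, which is why the rule correlates it with the Defender exclusion on the same host instead of alerting on either alone; in production you would also bound the correlation to a short time window.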

Additional attack characteristics

Researchers revealed several additional characteristics of this malware.
  • The wiper overwrites each file with 1 MB of 0xCC bytes and renames it with a random four-byte extension.
  • Files with one of 192 targeted extensions, such as .KEY, .PPT, .RAR, and .HTML, are destroyed.
  • After the wiping process, it uses ping to delay command execution while deleting InstallerUtil[.]exe, the wiper's own binary.
  • Finally, the wiper flushes all file buffers to disk and shuts the system down by calling the ExitWindowsEx Windows API with the EWX_SHUTDOWN flag, which terminates every running process, the wiper included.
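The file-level artifacts listed above (a fixed 1 MB of 0xCC per file and a random four-character extension) give a responder a cheap way to measure the blast radius on a recovered volume. The scanner below is an added example for this page, not code from the researchers or from Cyware. It builds its own small sample tree in a temporary directory (constructed data, not victim files); the assumption that the random extension is alphanumeric and the exact 1 MB size check are choices made for the example and should be loosened if a real case shows variation.

```python
import re
import sys
import tempfile
from pathlib import Path

WIPE_SIZE = 1024 * 1024                          # reported: 1 MB of filler per file
WIPE_BYTE = 0xCC                                 # reported filler byte
CHUNK = 64 * 1024
RANDOM_EXT = re.compile(r"\.[A-Za-z0-9]{4}$")   # assumption: the 4-byte extension is alphanumeric


def looks_wiped(path):
    """True when the file is exactly WIPE_SIZE bytes of WIPE_BYTE, the reported post-wipe state."""
    if path.stat().st_size != WIPE_SIZE:
        return False
    with path.open("rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(WIPE_BYTE) != len(chunk):
                return False


def scan(root):
    """Walk a tree and report wiped-looking files, noting whether the name carries
    a random-looking four-character extension as described in the analysis."""
    found = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and looks_wiped(p):
            found.append({"path": str(p), "random_ext": bool(RANDOM_EXT.search(p.name))})
    return found


def build_sample_tree():
    """Construct a temporary tree (not real victim data): one wiped-looking file,
    one intact text file and one 0xCC-filled file of the wrong size."""
    root = Path(tempfile.mkdtemp(prefix="wg_triage_"))
    (root / "report.docx.Xq7z").write_bytes(bytes([WIPE_BYTE]) * WIPE_SIZE)
    (root / "notes.txt").write_bytes(b"still readable\n")
    (root / "blob.bin").write_bytes(bytes([WIPE_BYTE]) * 4096)
    return root


if __name__ == "__main__":
    # Usage: python scan_wiped.py <mounted volume or directory>; with no argument, scans the sample tree.
    target = sys.argv[1] if len(sys.argv) == 2 else build_sample_tree()
    for hit in scan(target):
        print(hit)
```

Run it against a read-only mount of the acquired image, not the live system, and keep the list of hits: the original extension is gone from the file name, so the count per directory is often the only quick indicator of which document sets were reached before the shutdown.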

Conclusion

The recent analysis of the WhisperGate wiper will help organizations better understand the threat. To stay protected, CISA recommends that organizations enforce multi-factor authentication for remote access, apply strong security controls to cloud services, and disable non-critical ports and access points.

Cyware Publisher