# Threat Thursday: WhisperGate Wiper Targets Government, Non- profit, and IT Organizations in Ukraine **[blogs.blackberry.com/en/2022/01/threat-thursday-whispergate-wiper](https://blogs.blackberry.com/en/2022/01/threat-thursday-whispergate-wiper)** The BlackBerry Research & Intelligence Team Earlier this month, a potent wiper named WhisperGate targeted government, non-profit, and IT organizations in Ukraine with what initially appeared to be ransomware. The threat was in fact a destructive wiper malware, carried out as a multi-stage attack. Thus far, it has been seen targeting devices running the Windows operating system; however, the Ukrainian government reported that there might also be a Linux variant of the malware lurking out there too. WhisperGate runs as a multi-stage attack, beginning by overwriting the Master Boot Record (MBR) and displaying a fake ransom note. The second and third stages involve retrieving the payload from a malicious discord link. The final stage executes a file corruptor against target file types, irrecoverably destroying data. No encryption has been observed during any of the attack stages. The malware does not appear to have been created for financial gain. Thus far, the sole purpose of WhisperGate seems to be the destruction of data, making it most likely that a threat group is using this malware to disrupt or disable target organizations. Given the escalating geopolitical events in Ukraine and its surrounding regions, BlackBerry strongly encourages organizations with an elevated risk profile to use the information in this blog to proactively defend against any malicious activity from this group. ----- ### Operating System Risk & Impact Technical Analysis **Stage 1 – MBR Wiper** The initial stage of this attack involves the malware gaining access to, then overwriting, the Master Boot Record (MBR) to display a fake ransom note the next time the system is booted. The MBR is used to identify how and where an operating system is located so that it can be loaded correctly. Modification of the MBR can result in the system becoming inoperable. According to [Microsoft's initial report, the threat actor uses the Python tool](https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/) [Impacket to perform lateral](https://github.com/SecureAuthCorp/impacket#:~:text=README.md-,What%20is%20Impacket%3F,MSRPC)%20the%20protocol%20implementation%20itself.) movement and execute the malware. This is done using the following command. _“cmd.exe /Q /c start c:\stage1exe 1> \\127.0.0.1\ADMIN$\_[TIMESTAMP] 2>&1” ._ **SHA256: a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92** The initial file used by attackers is a Win32 binary called “stage1.exe.” When launched with administrative privileges, the malware will load an 8192-byte buffer onto the stack. The process will retrieve a handle to the MBR by calling the “CreateFileW” function, as seen in the image below. ----- _Figure 1 - Buffer and handle being created and written to disk_ The malware will then overwrite the MBR with this handle that contains the fake ransom note and a shellcode used to display it on the victim’s machine. As can be seen in Figure 2, a file of 512 bytes is written into the MBR in the first sector of the physical drive. _Figure 2 – Buffer handle overwriting the MBR with fake ransom note_ This buffer contains a ransom note (as seen in Figure 3) that is shown to the victim upon the next system reboot. The note contains a bitcoin wallet address and an ID for the Tox instant message system, along with a demand for $10,000 to recover the data. However, this note appears to be pure subterfuge, since the victim’s MBR has been overwritten and partitions already destroyed. _Figure 3 - Fake ransom note displayed to victim after system reboot_ WhisperGate does not force a reboot; instead, it waits for victims to reboot their systems themselves. The delayed reboot allows the malware time to launch additional stages of the attack chain, as detailed below. **Stage 2 – Downloader** **SHA256: dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78** The second stage of this attack involves the use of a .NET malware. This file is a downloader used to create an HTTP connection with a hardcoded Discord content delivery network link. This link (seen in Figure 4) hosts a JPG file called “Tbopbh.jpg,” which contains the malicious payload required to initiate stage 3 of this attack. This file has the same name as the decompiled assembly of the second stage loader. ----- _Figure 4 - Discord download link for third stage malware_ Before reaching out to the Discord server, the file utilizes PowerShell (shown in Figure 5) to launch a Base64 encoded command that performs a sleep function for 20 seconds. This delay aids the malware in remaining undetected on the target machine. _Figure 5 - PowerShell used to perform sleep function for 20 seconds_ The loader creates a connection with the Discord server hosted at 162[.]159[.]135[.]233 as shown below, in order to retrieve the next stage. _Figure 6 - Stage 2 loader creates TCP connection with Discord server_ **Stage 3 – Injector** **SHA256: 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6** The retrieved payload for Stage 3 is a .NET assembly file, which is obfuscated by using the reverse order of each byte in the file. When the byte order of the payload has been reversed, it results in a Win32 DLL (Dynamic Link Library) file called “Frkmlkdkdubkznbkmcf.dll.” The assembly contains three resources, as shown in Figure 7. ----- _Figure 7 - Assembly containing three resources_ The resource “78c855a088924e92a7f60d661c3d1845” is loaded into memory and is decoded by an XOR operation. The result of this is another .NET DLL file called “zx_fee6cce9db1d42510801fc1ed0e09452.dll.” This decoded file contains two additional resources called “AdvancedRun” and “Waqybg.” _Figure 8 - Additional Resources "AdvancedRun" and "Waqybg"_ The resource “AdvancedRun” is used to stop Windows Defender from running, and to delete it from memory. It does this by invoking PowerShell and executing multiple commands. **Stage 4 – File Corruptor** **SHA256: 34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907** The final stage of this malware is the file corruptor stage. Here the resource “Waqybg” is executed and begins overwriting the start of each targeted file with 1MB of static data. During analysis, this resulted in hard disk space filling up rapidly and the virtual machine (VM) used by our researchers crashing. ----- The following is the list of the hardcoded file extensions that this malware targets. Once the file is encrypted, the file corruptor will append a random four-byte extension to the file name: for example, “File.1234.” .HTML .HTM .PHTML .PHP .JSP .ASP .PHPS .PHP5 .ASPX .PHP4 .PHP3 .DOC .DOCX .XLS .XLSX .PPT .PPTX .PST .MSG .EML .TXT .CSV .RTF .WKS .WK1 .PDF .DWG .JPEG .JPG .DOCM .DOT .DOTM .XLSM .XLSB .XLW .XLT .XLM .XLC .XLTX .XLTM .PPTM .POT .PPS .PPSM .PPSX .HWP .SXI .STI .SLDX .SLDM .BMP .PNG .GIF .RAW .TIF .TIFF .PSD .SVG .CLASS .JAR .SCH .VBS .BAT .CMD .ASM .PAS .CPP .SXM .STD .SXD .ODP .WB2 .SLK .DIF .STC .SXC .ODS .3DM .MAX .3DS .STW .SXW .ODT .PEM .P12 .CSR .CRT .KEY .PFX .DER .OGG .JAVA .INC .INI .PPK .LOG .VDI .VMDK .VHD .MDF .MYI .MYD .FRM .SAV .ODB .DBF .MDB .ACCDB .SQL .SQLITEDB .SQLITE3 .LDF .ARC .BAK .TAR .TGZ .RAR .ZIP .BACKUP .ISO .CONFIG Once the file corruptor has completed overwriting the targeted files, it will execute the following ping command to remove itself from the machine. _“cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q \”[Filepath]\”_ ### Conclusion The multi-stage attack method and stealth techniques of WhisperGate make it a unique piece of very destructive malware. Through analysis, it becomes apparent that the goal of the malware is to cause disruption at the targeted organization, rather than pursuit of any financial gain. As this is still an ongoing investigation and BlackBerry’s analysis continues, we will share more information as soon as it becomes available. This will likely not be the last we hear about WhisperGate – especially if the possible existence of a Linux version of the wiper is confirmed. Stay tuned for further updates in next week’s blog. ### YARA Rule The following YARA rule was authored by the BlackBerry Research & Intelligence Team to catch the threat described in this document: **rule Stage_1** { meta: description = "Detects Stage 1 WhisperGate" author = "BlackBerry Threat Research" date = "2022-01-17" license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team" strings: // Regex for ransom note in MBR $re1 = /You should pay us \$[0-9]{1,3}k via bitcoin wallet/ ----- // MBR signature $b1 = {55 AA} // Int 13 Bios interrupt $b2 = {CD 13} // Extended write interrupt code $b3 = {B4 43} // Strings in MBR replacement data $s1 = "Your hard drive has been corrupted." $s2 = "tox ID" $s3 = "We will contact you to give further instructions." // String used in CreateFileW call to open main physical drive $s4 = "\\\\.\\PhysicalDrive0" wide // The hardcoded data it uses to overwrite the MBR condition: // MZ header uint16(0) == 0x5a4d and ((all of ($b*) and 2 of ($s*)) or (all of ($s*) and $re1)) } import "pe" **rule Stage2** { meta: description = "Detects WhisperGate Stage 2" author = "BlackBerry Threat Research" date = "2022-01-17" license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team" strings: // Regex for any attachment link coming from the same discord channel $re1 = /https:\/\/cdn\.discordapp\.com\/attachments\/928503440139771947\/[0-9]{18}\/[^<>:"\/\|? *]*\b/ wide // 3 strings combined to make powershell command that evaluates to "Start-Sleep -s 10" $s1 = "powershell" wide $s2 = "-enc UwB0AGEAcgB0AC" wide $s3 = "0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==" wide // The method name being looked for in stage 3 $s4 = "Ylfwdwgmpilzyaph" wide // Used with .Replace("x", "") for reflection on WebClient to get DownloadData method $s5 = "DxownxloxadDxatxxax" wide condition: // MZ header uint16(0) == 0x5a4d and // is a .NET binary pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].size != 0 and ----- $re1 and 2 of ($s ) } **rule Stage3** { meta: description = "Detects WhisperGate Stage 3" author = "BlackBerry Threat Research" date = "2022-01-17" license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team" strings: // The same as a string from stage2, not sure what it is $s1 = "Ylfwdwgmpilzyaph" // Names of resources $s3 = "78c855a088924e92a7f60d661c3d1845" $s4 = "7c8cb5598e724d34384cce7402b11f0e" condition: // MZ header uint16(0) == 0x5a4d and // is a .NET binary pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].size != 0 and all of them } import "pe" **rule Stage3_reversed** { meta: description = "Detects WhisperGate Stage 3 Reversed" author = "BlackBerry Threat Research" date = "2022-01-17" license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team" strings: // This string was also in stage2 so defo want to look into it // but this is the reversed version because Stage3 is backwards $s1 = "hpayzlipmgwdwflY" // Names of resources backwards $s3 = "5481d3c166d06f7a29e429880a558c87" $s4 = "e0f11b2047ecc48343d427e8955bc8c7" condition: // MZ header backwards at the end of the file uint16(filesize-2) == 0x4d5a and all of them } ----- ### Indicators of Compromise (IoCs) **Files** a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 (Stage 1) dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 (Stage 2) 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 (Stage 3) 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d (Stage 3 Reversed) 34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907 (File Wiper) 35feefe6bd2b982cb1a5d4c1d094e8665c51752d0a6f7e3cae546d770c280f3a (Decoded Resource) **Bitcoin Wallet Address** 1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv **ToxID** 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65 **Discord Link** https[:]//cdn.discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg **IP Address** 162[.]159[.]135[.]233 ### BlackBerry Assistance If you’re battling this malware or a similar threat, you’ve come to the right place, regardless of your existing BlackBerry relationship. [The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling](https://www.blackberry.com/us/en/services/incident-response) response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases. We have a global consulting team standing by to assist you providing around-the-clock support, where required, as well as local assistance. Please contact us here: https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-responsecontainment ----- ## About The BlackBerry Research & Intelligence Team The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve. Back -----