WhisperGate

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1134.002 | Access Token Manipulation: Create Process with Token | The WhisperGate third stage can use the AdvancedRun.exe tool to execute commands in the context of the Windows TrustedInstaller group via `"%TEMP%\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run`.(Citation: Cisco Ukraine Wipers January 2022) |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | WhisperGate can make an HTTPS connection to download additional files.(Citation: Unit 42 WhisperGate January 2022)(Citation: Medium S2W WhisperGate January 2022) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | WhisperGate can use PowerShell to support multiple actions including execution and defense evasion.(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | WhisperGate can use `cmd.exe` to execute commands.(Citation: Unit 42 WhisperGate January 2022) |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | WhisperGate can use a Visual Basic script to exclude the `C:\` drive from Windows Defender.(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022) |
| Enterprise | T1561.001 | Disk Wipe: Disk Content Wipe | WhisperGate can overwrite sectors of a victim host's hard drive at periodic offsets.(Citation: Crowdstrike WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022) |
| Enterprise | T1561.002 | Disk Wipe: Disk Structure Wipe | WhisperGate can overwrite the Master Boot Record (MBR) on victim systems with a malicious 16-bit bootloader.(Citation: Microsoft WhisperGate January 2022)(Citation: Crowdstrike WhisperGate January 2022)(Citation: Cybereason WhisperGate February 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022) |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | WhisperGate can download and execute AdvancedRun.exe to disable the Windows Defender Threat Protection service and set an exclusion path for the `C:\` drive.(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | WhisperGate can delete tools from a compromised host after execution.(Citation: Cisco Ukraine Wipers January 2022) |
| Enterprise | T1542.003 | Pre-OS Boot: Bootkit | WhisperGate overwrites the MBR with a bootloader component that performs destructive wiping operations on hard drives and displays a fake ransom note when the host boots.(Citation: Crowdstrike WhisperGate January 2022)(Citation: Cybereason WhisperGate February 2022)(Citation: Microsoft WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022) |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | WhisperGate has the ability to inject its fourth stage into a suspended process created by the legitimate Windows utility `InstallUtil.exe`.(Citation: Cisco Ukraine Wipers January 2022) |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | WhisperGate can recognize the presence of monitoring tools on a target system.(Citation: Unit 42 WhisperGate January 2022) |
| Enterprise | T1218.004 | System Binary Proxy Execution: InstallUtil | WhisperGate has used `InstallUtil.exe` as part of its process to disable Windows Defender.(Citation: Unit 42 WhisperGate January 2022) |
| Enterprise | T1569.002 | System Services: Service Execution | WhisperGate can download and execute AdvancedRun.exe via `sc.exe`.(Citation: Medium S2W WhisperGate January 2022)(Citation: Unit 42 WhisperGate January 2022) |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | WhisperGate can stop its execution when it recognizes the presence of certain monitoring tools.(Citation: Unit 42 WhisperGate January 2022) |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | WhisperGate can pause for 20 seconds to bypass antivirus solutions.(Citation: Medium S2W WhisperGate January 2022) |
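The AdvancedRun.exe invocation in the T1134.002 row (`/RunAs 8` for the TrustedInstaller context, `sc.exe` with `stop WinDefend`) is the kind of process-creation artefact a detection rule can key on. The following is an added detection example, not code from the ATT&CK page or from any of the cited reports; the process events, file paths and user name are constructed, and the `classify` and `triage` functions are assumed helpers written for this illustration.

```python
import re

# Constructed process-creation events (not from the original page), shaped like the
# image/command-line fields of a Sysmon Event ID 1 or EDR record.
SAMPLE_EVENTS = [
    {  # mirrors the page's AdvancedRun invocation, staged under %TEMP%
        "image": r"C:\Users\alice\AppData\Local\Temp\AdvancedRun.exe",
        "cmdline": r'"C:\Users\alice\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" '
                   r'/WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run',
    },
    {  # benign administrative use of the same tool: no TrustedInstaller, no Defender tampering
        "image": r"C:\Tools\AdvancedRun.exe",
        "cmdline": r'"C:\Tools\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\notepad.exe" /RunAs 1 /Run',
    },
    {  # the same service stop issued directly, without the helper tool
        "image": r"C:\Windows\System32\sc.exe",
        "cmdline": r"sc.exe stop WinDefend",
    },
]

# An AdvancedRun switch is "/Name", optionally followed by a quoted or bare value.
ARG_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|(?!/)\S+))?')
DEFENDER_STOP_RE = re.compile(r"\bstop\s+WinDefend\b", re.IGNORECASE)
TRUSTEDINSTALLER_RUNAS = "8"  # the /RunAs value the page ties to the TrustedInstaller context

def parse_advancedrun_args(cmdline):
    """Return AdvancedRun switches as {lowercase name: value}; valueless switches map to ''."""
    return {name.lower(): val.strip('"') for name, val in ARG_RE.findall(cmdline)}

def classify(event):
    """Return the WhisperGate-style technique labels a single process event matches."""
    image, cmdline = event["image"].lower(), event["cmdline"]
    hits = []
    if image.endswith("\\advancedrun.exe"):
        args = parse_advancedrun_args(cmdline)
        if args.get("runas") == TRUSTEDINSTALLER_RUNAS:
            hits.append("T1134.002 AdvancedRun /RunAs 8 (TrustedInstaller context)")
        target = args.get("exefilename", "").lower()
        if target.endswith("\\sc.exe") and DEFENDER_STOP_RE.search(args.get("commandline", "")):
            hits.append("T1562.001 AdvancedRun launching sc.exe to stop WinDefend")
        if "\\temp\\" in image:
            hits.append("AdvancedRun staged under a Temp directory")
    elif image.endswith("\\sc.exe") and DEFENDER_STOP_RE.search(cmdline):
        hits.append("T1562.001 sc.exe stop WinDefend")
    return hits

def triage(events):
    """Map each suspicious event's command line to its labels, dropping clean events."""
    return {e["cmdline"]: classify(e) for e in events if classify(e)}

if __name__ == "__main__":
    for cmdline, labels in triage(SAMPLE_EVENTS).items():
        print(cmdline)
        for label in labels:
            print("   ->", label)
```

Because the switch parser keys on names rather than positions, the rule still fires when the operator reorders or drops switches such as `/WindowState` or `/StartDirectory`.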
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G1003 | Ember Bear | (Citation: CrowdStrike Ember Bear Profile March 2022) (Citation: Mandiant UNC2589 March 2022) |
References
- Cybereason Nocturnus. (2022, February 15). Cybereason vs. WhisperGate and HermeticWiper. Retrieved March 10, 2022.
- Falcone, R. et al. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
- MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022.
- S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
- Biasini, N. et al. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
- Crowdstrike. (2022, January 19). Technical Analysis of the WhisperGate Malicious Bootloader. Retrieved March 10, 2022.
- CrowdStrike. (2022, March 30). Who is EMBER BEAR? Retrieved June 9, 2022.
- Sadowski, J; Hall, R. (2022, March 4). Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation. Retrieved June 9, 2022.