
WhisperGate

WhisperGate is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022.(Citation: Cybereason WhisperGate February 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Microsoft WhisperGate January 2022)
ID: S0689
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 10 Mar 2022
Last Modified: 10 Apr 2024

Techniques Used

Domain ID Name Use
Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

The WhisperGate third stage can use the AdvancedRun.exe tool to execute commands in the context of the Windows TrustedInstaller group via `"%TEMP%\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run`.(Citation: Cisco Ukraine Wipers January 2022)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

WhisperGate can make an HTTPS connection to download additional files.(Citation: Unit 42 WhisperGate January 2022)(Citation: Medium S2W WhisperGate January 2022)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

WhisperGate can use PowerShell to support multiple actions including execution and defense evasion.(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)

.003 Command and Scripting Interpreter: Windows Command Shell

WhisperGate can use `cmd.exe` to execute commands.(Citation: Unit 42 WhisperGate January 2022)

.005 Command and Scripting Interpreter: Visual Basic

WhisperGate can use a Visual Basic script to exclude the `C:\` drive from Windows Defender.(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)

Enterprise T1561 .001 Disk Wipe: Disk Content Wipe

WhisperGate can overwrite sectors of a victim host's hard drive at periodic offsets.(Citation: Crowdstrike WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)

.002 Disk Wipe: Disk Structure Wipe

WhisperGate can overwrite the Master Boot Record (MBR) on victim systems with a malicious 16-bit bootloader.(Citation: Microsoft WhisperGate January 2022)(Citation: Crowdstrike WhisperGate January 2022)(Citation: Cybereason WhisperGate February 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

WhisperGate can download and execute AdvancedRun.exe to disable the Windows Defender Threat Protection service and set an exclusion path for the C:\ drive.(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)

Enterprise T1070 .004 Indicator Removal: File Deletion

WhisperGate can delete tools from a compromised host after execution.(Citation: Cisco Ukraine Wipers January 2022)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage.(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)(Citation: RecordedFuture WhisperGate Jan 2022)

Enterprise T1542 .003 Pre-OS Boot: Bootkit

WhisperGate overwrites the MBR with a bootloader component that performs destructive wiping operations on hard drives and displays a fake ransom note when the host boots.(Citation: Crowdstrike WhisperGate January 2022)(Citation: Cybereason WhisperGate February 2022)(Citation: Microsoft WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)

Enterprise T1055 .012 Process Injection: Process Hollowing

WhisperGate has the ability to inject its fourth stage into a suspended process created by the legitimate Windows utility `InstallUtil.exe`.(Citation: Cisco Ukraine Wipers January 2022)(Citation: RecordedFuture WhisperGate Jan 2022)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

WhisperGate can recognize the presence of monitoring tools on a target system.(Citation: Unit 42 WhisperGate January 2022)

Enterprise T1218 .004 System Binary Proxy Execution: InstallUtil

WhisperGate has used `InstallUtil.exe` as part of its process to disable Windows Defender.(Citation: Unit 42 WhisperGate January 2022)

Enterprise T1569 .002 System Services: Service Execution

WhisperGate can download and execute AdvancedRun.exe via `sc.exe`.(Citation: Medium S2W WhisperGate January 2022)(Citation: Unit 42 WhisperGate January 2022)

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

WhisperGate can stop its execution when it recognizes the presence of certain monitoring tools.(Citation: Unit 42 WhisperGate January 2022)

.003 Virtualization/Sandbox Evasion: Time Based Evasion

WhisperGate can pause for 20 seconds to bypass antivirus solutions.(Citation: Medium S2W WhisperGate January 2022)(Citation: RecordedFuture WhisperGate Jan 2022)
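
A detection sketch for the AdvancedRun.exe usage described under T1134.002, T1562.001 and T1569.002 above, added here as an example and not taken from the page or the cited reports. The event field names `Image` and `CommandLine` (Sysmon-style) and the finding names are assumptions; all events other than the command line quoted on this page are constructed.

```python
import re
from ntpath import basename

# A token is a "quoted string" (possibly empty) or a run of non-space characters.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def parse_switches(command_line):
    """Return (first_token, {switch: value}) for an AdvancedRun-style command line."""
    toks = [(m.group(1), True) if m.group(1) is not None else (m.group(2), False)
            for m in _TOKEN.finditer(command_line)]
    switches, i = {}, 1
    while i < len(toks):
        text, quoted = toks[i]
        if not quoted and text.startswith("/"):
            value = ""
            # The next token is this switch's value unless it is itself a bare switch.
            if i + 1 < len(toks) and (toks[i + 1][1] or not toks[i + 1][0].startswith("/")):
                value = toks[i + 1][0]
                i += 1
            switches[text[1:].lower()] = value
        i += 1
    return (toks[0][0] if toks else ""), switches

def classify(event):
    """Return sorted finding names for one process-creation event (dict)."""
    first, sw = parse_switches(event["CommandLine"])
    image = basename(event.get("Image") or first).strip('"').lower()
    # Match on file name, or on the switch shape in case the tool was renamed.
    if image != "advancedrun.exe" and not {"exefilename", "runas"} <= sw.keys():
        return []
    findings = ["advancedrun_execution"]
    if sw.get("runas") == "8":  # value used in the command quoted on this page
        findings.append("runas_trustedinstaller")
    target = basename(sw.get("exefilename", "")).lower()
    args = sw.get("commandline", "").lower().split()
    if target == "sc.exe" and args[:1] == ["stop"] and "windefend" in args:
        findings.append("stops_windefend_service")
    return sorted(findings)

# Sample events: PAGE_CMD is the command line as quoted on this page; the rest are constructed.
PAGE_CMD = {"CommandLine": r'%TEMP%\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" '
                           r'/WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run'}
RENAMED = {"Image": r"C:\ProgramData\helper.exe",  # constructed: same switches, different file name
           "CommandLine": r'"C:\ProgramData\helper.exe" /EXEFilename "C:\Windows\System32\sc.exe" '
                          r'/CommandLine "stop WinDefend" /RunAs 8 /Run'}
BENIGN = {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc.exe query WinDefend"}

if __name__ == "__main__":
    for ev in (PAGE_CMD, RENAMED, BENIGN):
        print(classify(ev))
```

The tokenizer tolerates the unbalanced leading quote in the command line as this page records it, so the same rule matches both the quoted and unquoted forms of the first argument.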

Groups That Use This Software

ID Name References
G1003 Ember Bear

(Citation: CrowdStrike Ember Bear Profile March 2022) (Citation: Cadet Blizzard emerges as novel threat actor) (Citation: Mandiant UNC2589 March 2022)
