On Friday, January 15, 2022, Microsoft published a report detailing their discovery of destructive malware being used to corrupt the systems of several organizations in Ukraine. Microsoft's initial discovery of the ransomware-like malware was made on January 13, 2022. According to Microsoft, the malware was designed to look like ransomware but lacks a ransom recovery mechanism. A few days prior to this incident, over 70 Ukrainian government websites were defaced by groups allegedly associated with the Russian secret service. However, Microsoft stated that they have yet to find any notable links between the new malware and the website attacks.
The two-stage malware is executed via Impacket. Stage 1 overwrites the MBR (Master Boot Record) of the system and includes a $10,000 Bitcoin ransom note; the malicious MBR code executes once the affected device powers down. Microsoft stated that it is atypical for cybercriminal ransomware to overwrite the MBR and believes the ransom note is a ruse. They also believe that the malware destroys the MBR and the contents of the files it targets. The malware is located in various working directories (including C:\PerfLogs, C:\ProgramData, C:\, and C:\temp) and is often named stage1.exe.
Stage 2 (stage2.exe) of the malware is described as a malicious file corrupter. After execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. The malware then locates files in certain directories using dozens of the most common file extensions and overwrites the contents of each file with a fixed number of 0xCC bytes (total file size of 1MB). After overwriting, the destructor renames each file with a random four-byte extension.
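The corruption pattern described above (a 0xCC-filled 1MB body plus a random four-byte extension) is distinctive enough to hunt for on disk after an incident. The following is an added example, not code from the original post or from Microsoft, of a scanner that flags files matching that pattern; it assumes "1MB" means 1024 * 1024 bytes and reads the four-byte extension as four characters after the final dot, and it builds constructed sample files in a temporary directory rather than using real artefacts.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumptions (not stated on the page): "1MB" means 1024 * 1024 bytes, and the
# "random four-byte extension" means four characters after the final dot.
CORRUPT_SIZE = 1024 * 1024
FILL_BLOCK = b"\xcc" * CORRUPT_SIZE
RANDOM_EXT = re.compile(r"^\.[0-9A-Za-z]{4}$")
CHUNK = 64 * 1024

def has_fill_prefix(path: Path) -> bool:
    """True if the first CORRUPT_SIZE bytes are all 0xCC; stops at first mismatch."""
    if path.stat().st_size < CORRUPT_SIZE:
        return False
    remaining = CORRUPT_SIZE
    with path.open("rb") as fh:
        while remaining:
            chunk = fh.read(min(CHUNK, remaining))
            if not chunk or chunk != FILL_BLOCK[:len(chunk)]:
                return False
            remaining -= len(chunk)
    return True

def scan_tree(root: Path) -> list[dict]:
    """Walk `root`; a hit needs the 0xCC prefix. The four-character extension
    is recorded as a second signal for triage, not required for a hit."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                matched = has_fill_prefix(p)
            except OSError:
                continue  # unreadable or vanished file: skip, do not crash
            if matched:
                hits.append({"path": str(p), "size": p.stat().st_size,
                             "random_ext": bool(RANDOM_EXT.match(p.suffix))})
    return hits

def demo() -> list[dict]:
    """Build constructed samples (not real artefacts) in a temp dir and scan them:
    one corrupted file, one benign text file, one random file with a 4-char ext."""
    root = Path(tempfile.mkdtemp())
    (root / "report.docx.x9f2").write_bytes(FILL_BLOCK)            # corrupted
    (root / "notes.txt").write_bytes(b"quarterly notes\n" * 100)    # benign
    (root / "blob.ab12").write_bytes(os.urandom(CORRUPT_SIZE))      # benign
    return scan_tree(root)
```

Only the constructed corrupted file is reported; the random-content file with a four-character extension is not, because the extension alone is treated as a triage signal rather than a match.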
The destructive malware was found on dozens of impacted systems, and that number may grow as Microsoft continues their investigation. The impacted systems belong to multiple government, non-profit, and information technology organizations based in Ukraine. While Microsoft does not know the current stage of the threat actor's operational cycle or whether other geographic locations are affected, they do not believe the currently impacted systems represent the full scope of impact.
Because there is no ransom recovery mechanism associated with the malware attacks, Microsoft is not sure of the threat actor's goal. The Bitcoin wallet address found in the ransom note was observed across all DEV-0586 intrusions, and the only activity was a small transfer on January 14, 2022. Microsoft implemented protections to detect the malware family as WhisperGate (e.g., DoS:Win32/WhisperGate.A!dha) via Microsoft Defender Antivirus and Microsoft Defender for Endpoint, wherever these are deployed on-premises and in cloud environments. Microsoft stated that the investigation of the malware is ongoing.
Microsoft and Avertium recommend the following to mitigate the malware:
Note: Avertium is working to detect more IoCs, therefore this list should not be considered exhaustive.