お近くの会場で開催されているNetskopeのSASE Summitにお越しください!今すぐご登録

  • セキュリティサービスエッジ製品

    高度なクラウド対応の脅威から保護し、あらゆるベクトルにわたってデータを保護します。

  • Borderless SD-WAN

    すべてのリモートユーザー、デバイス、サイト、クラウドへの安全で高性能なアクセスを自信を持って提供します。

  • プラットフォーム

    世界最大のセキュリティプライベートクラウドでの比類のない可視性とリアルタイムデータおよび脅威保護。

未来のプラットフォームはNetskopeです

インテリジェントセキュリティサービスエッジ(SSE)、クラウドアクセスセキュリティブローカー(CASB)、クラウドファイアウォール、次世代セキュアWebゲートウェイ(SWG)、およびZTNAのプライベートアクセスは、単一のソリューションにネイティブに組み込まれており、セキュアアクセスサービスエッジ(SASE)アーキテクチャへの道のりですべてのビジネスを支援します。

製品概要に移動
Netskopeの動画
ボーダレスSD-WAN:ボーダレスエンタープライズの新時代を先導

NetskopeボーダレスSD-WANは、ゼロトラストの原則と保証されたアプリケーションパフォーマンスを統合するアーキテクチャを提供し、すべてのサイト、クラウド、リモートユーザー、およびIoTデバイスに前例のない安全で高性能な接続を提供します。

Read the article
Borderless SD-WAN
Netskope は、データと脅威の保護、および安全なプライベートアクセスを実現するための機能を統合した、最新のクラウドセキュリティスタックを提供します。

プラットフォームを探索する
大都市の俯瞰図
  • 変身

    デジタルトランスフォーメーションを保護します。

  • セキュリティの近代化

    今日と明日のセキュリティの課題に対応します。

  • フレームワーク

    サイバーセキュリティを形作る規制の枠組みを採用する。

  • 政府と産業

    Netskope 、世界最大の代理店や企業がクラウドへの移行を保護するのに役立ちます。

最小の遅延と高い信頼性を備えた、市場をリードするクラウドセキュリティサービスに移行します。

NewEdgeの詳細
Lighted highway through mountainside switchbacks
アプリケーションのアクセス制御、リアルタイムのユーザーコーチング、クラス最高のデータ保護により、生成型AIアプリケーションを安全に使用できるようにします。

ジェネレーティブ AI の使用を保護する方法を学ぶ
Safely Enable ChatGPT and Generative AI
SSEおよびSASE展開のためのゼロトラストソリューション

Learn about Zero Trust
Boat driving through open sea
Netskopeは、クラウドサービス、アプリ、パブリッククラウドインフラストラクチャを採用するための安全でクラウドスマートかつ迅速な旅を可能にします。

Learn about Industry Solutions
Wind turbines along cliffside
  • 導入企業

    Netskopeは、フォーチュン100の25以上を含む世界中の2,000以上の顧客にサービスを提供しています。

  • カスタマーソリューション

    お客様のため、Netskopeでお客様の成功を確実にすべく、あらゆるステップを共に歩んでまいります。

  • トレーニングと認定

    Netskope training will help you become a cloud security expert.

私たちは、お客様が何にでも備えることができるように支援します

お客様を見る
Woman smiling with glasses looking out window
Netskopeの有能で経験豊富なプロフェッショナルサービスチームは、実装を成功させるための規範的なアプローチを提供します。

Learn about Professional Services
Netskopeプロフェッショナルサービス
Netskopeトレーニングで、デジタルトランスフォーメーションの旅を保護し、クラウド、ウェブ、プライベートアプリケーションを最大限に活用してください。

Learn about Training and Certifications
Group of young professionals working
  • リソース

    クラウドへ安全に移行する上でNetskopeがどのように役立つかについての詳細は、以下をご覧ください。

  • ブログ

    Netskopeがセキュリティサービスエッジ(SSE)を通じてセキュリティとネットワークの変革を可能にする方法を学びましょう。

  • イベント&ワークショップ

    最新のセキュリティトレンドを先取りし、仲間とつながりましょう。

  • 定義されたセキュリティ

    サイバーセキュリティ百科事典で知っておくべきことすべて。

セキュリティビジョナリーポッドキャスト

ボーナスエピソード2:SSEのマジッククアドラントとSASEを正しく取得する
MikeとSteveが、ガートナー®社のマジック・クアドラント™のセキュリティ・サービス・エッジ(SSE)、Netskopeの位置づけ、現在の経済情勢がSASEの取り組みに与える影響について語ります。

ポッドキャストを再生する
ボーナスエピソード2:SSEのマジッククアドラントとSASEを正しく取得する
最新のブログ

Netskopeがセキュリティサービスエッジ(SSE)機能を通じてゼロトラストとSASEの旅を可能にする方法。

ブログを読む
Sunrise and cloudy sky
Netskope AWSイマージョンデイワールドツアー2023

Netskopeは、Netskope製品の使用とデプロイについてAWSのお客様を教育および支援するために、さまざまなハンズオンラボ、ワークショップ、詳細なウェビナー、およびデモを開発しました。

Learn about AWS Immersion Day
AWS パートナー
セキュリティサービスエッジとは何ですか?

SASEのセキュリティ面、ネットワークとクラウドでの保護の未来を探ります。

Learn about Security Service Edge
Four-way roundabout
  • 会社概要

    クラウド、データ、ネットワークセキュリティの課題の先取りをサポート

  • Netskopeが選ばれる理由

    クラウドの変革とどこからでも機能することで、セキュリティの機能方法が変わりました。

  • リーダーシップ

    Netskopeの経営陣はお客様を成功に導くために全力を尽くしています。

  • パートナー

    私たちはセキュリティリーダーと提携して、クラウドへの旅を保護します。

データセキュリティによる持続可能性のサポート

Netskope は、持続可能性における民間企業の役割についての認識を高めることを目的としたイニシアチブであるビジョン2045に参加できることを誇りに思っています。

詳しくはこちら
Supporting Sustainability Through Data Security
Highest in Execution. Furthest in Vision.

ネットスコープは2023年Gartner®社のセキュリティ・サービス・エッジ(SSE)のマジック・クアドラント™でリーダーの1社として評価されました。

レポートを読む
ネットスコープは2023年Gartner®社のセキュリティ・サービス・エッジ(SSE)のマジック・クアドラント™でリーダーの1社として評価されました。
思想家、建築家、夢想家、革新者。 一緒に、私たちはお客様がデータと人々を保護するのを助けるために最先端のクラウドセキュリティソリューションを提供します。

当社のチーム紹介
Group of hikers scaling a snowy mountain
Netskopeのパートナー中心の市場開拓戦略により、パートナーは企業のセキュリティを変革しながら、成長と収益性を最大化できます。

Learn about Netskope Partners
Group of diverse young professionals smiling

Netskope Threat Coverage: WhisperGate

Jan 26 2022

Summary

A new destructive malware called WhisperGate was discovered in mid-January 2022 targeting Ukrainian organizations. This threat emerged during geopolitical conflicts in Ukraine, masquerading as ransomware. However, this malware has a more destructive nature: wiping files and corrupting disks to prevent the OS from loading. Ukraine has suffered other cyberattacks that seem to be connected to WhisperGate, such as the defacement of many websites connected to their governments.

This is a multi-stage malware, where one of the payloads is hosted on a Discord server. The preference of attackers to use cloud services for malicious purposes is increasingly common, as pointed out in an analysis of a threat campaign that uses multiple cloud services throughout the attack. The threat group behind WhisperGate is being tracked as DEV-0586, and so far there isn’t any association between this attack to known APT groups. In this threat coverage, we analyzed all four stages of WhisperGate to demonstrate how it works.

Analysis

Stage 01

WhisperGate’s first stage is a small executable compiled with MinGW, responsible for corrupting the disk by writing code into the Master Boot Record (MBR), which is a small section on disk that contains the Partition Table and an executable code related to the boot loader.

Screenshot of Binary information about WhisperGate’s first stage
Binary information about WhisperGate’s first stage

Corrupting the MBR is a simple technique to prevent any Operating System from loading, as the assembly code is executed before the OS.

The entire code for the first stage of WhisperGate can fit in a single screenshot, where the malware loads the MBR data that will be written to disk, opens a handle to the physical drive with CreateFileW, and uses WriteFile to writes the 512 bytes to MBR, which is located in the first sector of the disk.

Screenshot of Disassembled code of WhisperGate’s first stage.
Disassembled code of WhisperGate’s first stage.

The MBR stub written to disk includes a 16-bit assembly code and a message.

Screenshot of Data written on disk by WhisperGate
Data written on disk by WhisperGate

If we load this data into the disassembler, we can analyze the 16-bit assembly that will be executed once the computer is rebooted, which doesn’t do anything but display a message.

Example of code that is executed once the computer is infected with WhisperGate.
Code that is executed once the computer is infected with WhisperGate.

Once the computer is infected, as soon as it restarts, the message is displayed and the OS is prevented from loading. The message says the hard drive was corrupted and demands a payment of $10,000 via Bitcoin to a specific walled address.

Example of computer infected with the first stage of WhisperGate.
Computer infected with the first stage of WhisperGate.

This is the only action performed by the first stage of WhisperGate. The following stages were created probably to add a certain resilience to the attack in case the first stage fails, as systems may use GUID Partition Table (GPD), which is MBR’s successor.

Stage 02

In this stage, we have a simple .NET downloader for stage 03. The binary contains an expired signature from Microsoft, and although it is not shown by identification tools, the file is obfuscated with NetReactor, as pointed out by OALabs.

Screenshot of binary information about WhisperGate’s second stage.
Binary information about WhisperGate’s second stage.

Once running, it downloads the third stage from a Discord server, named “Tbopbh.jpg”.

Example of WhisperGate’s .NET downloader.
WhisperGate’s .NET downloader.

After the download, the malware loads the binary as a .NET assembly and executes the method named “Ylfwdwgmpilzyaph”.

Example of malware executing the third stage of WhisperGate
Malware executing the third stage of WhisperGate

Stage 03

Here we have a 32-bit DLL, also developed in .NET. Since this file is directly loaded by the second stage as a .NET assembly, the DLL doesn’t have an entry point, which requires some adjustments to make dynamic analysis feasible.

Screenshot of binary information about WhisperGate’s third stage.
Binary information about WhisperGate’s third stage.

As shown in the image above, the file is protected with Eazfuscator, likely to hinder researchers’ analysis. Searching throughout the decompiled code, we can find the same method that is executed by the second stage.

Screenshot of main function from the third stage of WhisperGate.
Main function from the third stage of WhisperGate.

Once running, it checks if the process is running as an Administrator. If it’s not the case, it launches itself with elevated permissions and exits the process.

Example of Malware checking for administrative permissions.
Malware checking for administrative permissions.

Then, it drops a VBS named “Nmddfrqqrbyjeygggda.vbs” into the Windows temporary folder, containing a simple PowerShell code that adds the path “C:\” to Windows Defender’s exclusion list.

Example of simple VBS / PowerShell to bypass Windows Defender.
Simple VBS / PowerShell to bypass Windows Defender.

It also drops an executable named “AdvancedRun.exe” to the same directory, which is a tool from NirSoft to execute programs with different settings. WhisperGate uses this tool to execute commands in the “TrustedInstaller” group context.

Example of usage of AvancedRun tool, by NirSoft.
Usage of AvancedRun tool, by NirSoft.

It executes two commands with this tool, both as an attempt to disable Windows Defender. The first one tries to stop Defender’s service, and the second tries to delete its respective folder.

Example of commands executed with AdvancedRun.
Commands executed with AdvancedRun.

Then, WhisperGate copies “InstallUtil.exe” to Windows temporary folder, which is a binary from .NET Framework.

Example of copying InstallUtil executable to Windows temporary folder.
Copying InstallUtil executable to Windows temporary folder.

And finally, WhisperGate’s last stage is injected into an instance of the InstallUtil’s process. The payload is stored within an encrypted resource, where all the bytes are reversed and compressed with Gzip.

Example of malware loading WhisperGate’s last stage.
Malware loading WhisperGate’s last stage.

Stage 04

The binary used in this stage is quite similar to the first one in terms of compiler and linker.

Screenshot of WhisperGate’s last stage.
WhisperGate’s last stage.

Looking at the main function of the malware, we have two functions being called prior to the end of the execution.

Screenshot of WhisperGate’s main function.
WhisperGate’s main function.

At the function we named “mw_main_routine”, the malware starts by listing the drives with the help of GetLogicalDrives API.

Screenshot of malware listing OS drives.
Malware listing OS drives.

Then, it uses GetDriveTypeW to check if the drive is either fixed or remote. If that’s the case, it starts the function that will wipe the files.

Example of malware checking the drive type.
Malware checking the drive type.

Within the function we named “mw_wipe_files”, it starts by listing all the files in the root path of the drive with FindFirstFileW.

Screenshot of malware listing all the files in the current directory.
Malware listing all the files in the current directory.

If the current object is a directory, the “mw_wipe_files” function is called recursively with the identified directory as a parameter. This is verified by calling the “_wstat” function and checking the st_mode bits.

Screenshot of malware checking if the current object is a directory.
Malware checking if the current object is a directory.

WhisperGate does not wipe files in the Windows directory.

Screenshot of WhisperGate skipping Windows folder.
WhisperGate skipping Windows folder.

The last verification is related to the file’s extension, where the malware iterates over a list of targeted extensions and, if the file name matches, a function we named “mw_write_bytes_to_file” is called.

Example of WhisperGate checking for targeted extensions
WhisperGate checking for targeted extensions.

WhisperGate targets many files with extensions related to websites, such as “.html”, “.php”, “.asp”, “.jsp”, as well as common documents like “.doc”, “.xls”, “.ppt”, etc. A complete list of targeted extensions can be found in our GitHub repository.

Screenshot of WhisperGate’s targeted extensions.
WhisperGate’s targeted extensions.

And finally, if the file matches the criteria, WhisperGate wipes the file by replacing its content with a sequence of 0x100000 bytes of 0xCC.

Screenshot of WhisperGate wiping system’s files.
WhisperGate wiping system’s files.

Also, a random extension is appended to the file’s name.

Screenshot of files wiped by WhisperGate.
Files wiped by WhisperGate.

Once it’s over, WhisperGate deletes itself through a simple command line, where “%s” is the file path obtained with GetModuleFileNameA.

This is the only behavior of WhisperGate’s last stage. Paying the ransom demanded would be fruitless because the MBR and files were simply overwritten, not encrypted like they would be by ransomware. 

Conclusions

WhisperGate is a multi-stage destructive malware that has emerged in the midst of the geopolitical conflict that is still unfolding in Ukraine. Netskope Threat Labs is on the lookout for any malware that may appear with an apparent political motivation, especially ones that may disrupt essential services, such as infrastructure. It’s also interesting to see this threat using Discord to host one of the payloads, showing again the preference of cloud apps usage by cyber attackers. We echo CISA’s recommendations released in this note to implement cybersecurity measures for critical infrastructure.

Protection

Netskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat indicators and payloads. 

  • Netskope Threat Protection
    • Win32.Trojan.WhisperGate
    • Win32.Network.WhisperGate
    • ByteCode-MSIL.Trojan.WhisperGate
  • Netskope Advanced Threat Protection provides proactive coverage against this threat.
    • Gen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis
    • Gen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox

IOCs

A full list of IOCs and Yara rules can be found in our GitHub repository.

author image
Gustavo Palazolo
Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection. He is currently working on the Netskope Research Team, discovering and analyzing new malware threats.