2022-01-25

WhisperGate

Level: 
Tactical
  |  Source: 
PaloAltoUnit42
Share:

Malware Campaigns

WhisperGate

Industry: N/A | Level: Operational | Source: PaloAltoUnit42

From developing stories involving attacks against the Ukrainian, Palo Alto Unit42 provided insight into a new malware family named, WhisperGate who started to be observed on January 13th, 2022. The malware involves two samples Stage1.exe and Stage2.exe. and Stage1.exe file, while appearing as ransomware due to providing a ransom note following a reboot, is destructive as it overwrites the target's master boot record with 512 bytes. The Stage2.exe file is an in-memory implant that retrieves a malicious JPG file from Discord. Additionally, as described by Unit42, "The in-memory code uses Living Off the Land Binaries (LOLBINs) to evade detection and also performs anti-analysis techniques, as it will fail to detonate when certain monitoring tools exist." The malicious JPG file initiates an array of activities such as disabling and deleting Windows Defender along with additional destructive capabilities.

  • Anvilogic Scenario: WhisperGate - Behaviors
  • Anvilogic Use Cases:
  • Executable Process from Suspicious Folder
  • Windows Defender Disabled Detection
  • Service Stop Commands

Chat with our team to receive a free maturity assessment

Get in Touch