USX Cyber Security Bulletin – WhisperGate

Executive Summary

It was recently discovered that a new malware dubbed WhisperGate was reported against Ukrainian targets. The software was reported to contain three individual components deployed by the same threat actor. This attack is known to contain malicious bootloaders that corrupt detected local disks, a Discord based downloader, and a file wiper. Following the attack users impacted usually receive an email or pop-up message that contains a message requesting bitcoin payment for your information.

Details

The installer components for the bootloader are identified by the SHA256 hash:

a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92

The display ransom note:

Your hard drive has been corrupted.
In case you want to recover all hard drives of your organization,
You should pay us $10k via bitcoin wallet
With your organization name. 
We will contact you to give further instructions.

The bootloader accesses the disk via BIOS interrupt 13h in logical block addressing (LBA) mode and overwrites every 199th sector until the end of the disk is reached. After a disk is corrupted, the malware overwrites the next in the detected disk list. The bootloader installer does not initiate a reboot of the infected system, as has been observed in past intrusions. Reboot will also cause additional WhipserGate software to run.

Solution

Implement capabilities to search for indicators that will alert to software matching indicators of compromise (IOCs) related to the malicious software. The USX Cyber Team has deployed new Wazuh Rules within the Guardient^TM XDR platform to identify the IOCs. USX Cyber continues to monitor and remediate any and all related alerts.