Microsoft is warning of destructive data-wiping malware disguised as ransomware being used in attacks against multiple organizations in Ukraine.
Starting January 13th, Microsoft detected the new attacks that combined a destructive MBRLocker with data-corrupting malware used to intentionally destroy the victim's data.
A two-stage attack destroys data
Microsoft calls this new malware family 'WhisperGate' and explains in a report that it is conducted through two different destructive malware components.
The first component, named stage1.exe, is launched from the C:\PerfLogs, C:\ProgramData, C:\, or C:\temp folders and overwrites the Master Boot Record to display a ransom note.
An MBR locker is a program that replaces the 'master boot record,' a location on a computer's hard drive that contains information on disk partitions and a small executable that is used to load the operating system.
MBR lockers replace the loader in the master boot record with a program that commonly encrypts the partition table and displays a ransom note. This prevents the operating system from loading and data from being accessible until a ransom is paid and a decryption key is obtained.
The WhisperGate ransom note, shown below, tells the victim to send $10,000 in bitcoin to the 1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv address and then contact the threat actors via an included Tox chat ID.
Your hard drive has been corrupted. In case you want to recover all hard drives of your organization, You should pay us $10k via bitcoin wallet 1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65 with your organization name. We will contact you to give further instructions.
While Microsoft points to the use of Tox as a reason for the ransomware being fake, BleepingComputer is aware of numerous ransomware operations that use Tox as a communication method, so this is not unusual.
However, the MBRLocker's ransom note uses the same bitcoin address for all victims and does not provide a way to enter a decryption key. When combined, this typically indicates fake ransomware designed for destructive purposes.
The second component, named stage2.exe, is executed concurrently to download a data-destroying malware named Tbopbh.jpg hosted on Discord that overwrites targeted files with static data.
"If a file carries one of the extensions above, the corrupter overwrites the contents of the file with a fixed number of 0xCC bytes (total file size of 1MB)," explains Microsoft's report.
"After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension."
The file extensions targeted by the stage2 component for corruption are:
.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU.SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP
As neither of the two malware components offer a means to enter decryption keys to restore the original Master Boot Record, and as the files are overwritten with static, undecryptable data, Microsoft classifies this as a destructive attack rather than one used to generate a ransom payment.
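As an added triage example (not code from Microsoft's report or from the article), the script below walks a directory tree and flags files that match the stage2 corruption pattern described above: a file that is exactly 1 MB in size and filled entirely with 0xCC bytes. The sample directory it builds, including the file names and the four-character extension, is constructed here for illustration only.

```python
import os
import tempfile
from pathlib import Path

WIPE_BYTE = 0xCC            # fill byte reported by Microsoft
WIPE_SIZE = 1024 * 1024     # "total file size of 1MB" per the report

def looks_wiped(path, chunk=65536):
    """True if the file is exactly WIPE_SIZE bytes and every byte is 0xCC.

    The size check runs first so large trees are scanned cheaply; only
    files of the right size are read, in chunks, and the read stops at
    the first non-0xCC byte.
    """
    p = Path(path)
    if not p.is_file() or p.stat().st_size != WIPE_SIZE:
        return False
    with p.open("rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return True
            if block.count(WIPE_BYTE) != len(block):
                return False

def scan_tree(root):
    """Return sorted paths of files under root that match the wipe pattern."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if looks_wiped(full):
                hits.append(full)
    return sorted(hits)

def build_sample_tree():
    """Constructed sample data: one wiped file, one real-looking document,
    and one 1 MB file with a different fill that must NOT be flagged."""
    root = tempfile.mkdtemp(prefix="wg_sample_")
    (Path(root) / "report.aBc1").write_bytes(bytes([WIPE_BYTE]) * WIPE_SIZE)
    (Path(root) / "notes.docx").write_bytes(b"PK\x03\x04 real document content")
    (Path(root) / "image.raw").write_bytes(b"\x00" * WIPE_SIZE)
    return root

if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print("possible WhisperGate-wiped file:", hit)
```

A 1 MB file of all 0xCC bytes is not a natural artifact of any of the targeted formats, so a hit is worth preserving (not restoring) for forensic review of the stage2 component.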
Indicators of compromise and download links for the malware samples can be found in the IOC section later in the article.
Microsoft is unable to attribute the attacks to any particular threat actor and is tracking the hacker's activity as DEV-0586.
With the geopolitical tensions escalating in the region between Russia and Ukraine, it is believed that these attacks are designed to sow chaos in Ukraine.
A similar attack was conducted in 2017 when thousands of Ukrainian businesses were targeted with the NotPetya ransomware.
While NotPetya was based on real ransomware called Petya, the NotPetya attacks were conducted as a cyberweapon against Ukraine rather than to generate funds.
In 2020, the United States formally indicted Russian GRU hackers believed to be part of the elite Russian hacking group known as "Sandworm" for the NotPetya attacks.
Ukraine under siege by cyberattacks
This week, at least fifteen websites of Ukrainian public institutions and government agencies were hacked, defaced, and subsequently taken offline.
Hackers defaced these websites to show a message warning visitors that their data was stolen and publicly shared online.
"Ukrainian! All your personal data has been uploaded to the public network. All data on the computer is destroyed, it is impossible to recover them. All information about you has become public, be afraid and expect the worst. This is for your past, present and future. For Volyn, for the OUN UPA, for Galicia, for Polissya and for historical lands," reads the translated website defacement.
As part of this intimidation campaign, the threat actors created new accounts on the popular RaidForums hacking forum to release the allegedly stolen data.
However, threat actors who have reviewed the published data say it is unrelated to Ukraine government agencies and contains data from an old leak.
Ukraine has attributed the attacks to Russia, with the goal of undermining confidence in the Ukrainian government.
"Russia's cyber-troops are often working against the United States and Ukraine, trying to use technology to shake up the political situation. The latest cyber attack is one of the manifestations of Russia's hybrid war against Ukraine, which has been going on since 2014," the Ukraine government announced today.
"Its goal is not only to intimidate society. And to destabilize the situation in Ukraine by stopping the work of the public sector and undermining the confidence in the government on the part of Ukrainians. They will achieve this by throwing fakes into the infospace about the vulnerability of critical information infrastructure and the "drain" of personal data of Ukrainians."
Update 1/16/22: Added download links for malware samples.