Website defacements, WhisperGate wiper software assaults, and DDoS attacks targeting Ukrainian organisations were most likely motivated by geopolitical tensions.
Researchers from Secureworks® Counter Threat UnitTM (CTU) are looking into claims of devastating malware attacks in Ukraine. Microsoft detected a campaign that began on January 13 and uses the WhisperGate malware on January 15, 2022. The period coincides with the defacement of Ukrainian government websites, with the text being changed with a claim that Ukrainians’ personal information had been stolen. Some sites were also subjected to distributed denial of service (DDoS) attacks.
Defacement text on Ukrainian official websites,Ukrainian is the English translation. Your entire personal information has been exposed to the public internet. The data on the computer is being erased, and there is no way to recover it. Be afraid and prepare for the worst now that all information about you has been public. This is for the past, present, and future of your life. For Volyn, the OUN UPA, Galicia, Polissya, and historically significant territories. (Image courtesy of Secureworks)
Acts of vandalism
It was unclear what data the threat actors meant when the defacements were first disclosed on January 14th. It could have related to data that had not been made public as a result of the WhisperGate destructive virus attacks. There have been no data leaks associated to these attacks as of this publishing. The threat actors could have been bluffing, or they could have planned to release the information later. Threat actors used a clumsy attempt to suggest a Polish origin in the defacement campaign, invoking past hostilities between Poland and Ukraine and adding GPS coordinates into the image’s EXIF data.
Because the image is not a photograph, it is unlikely to contain GPS data. The locations correspond to a parking lot near Warsaw. It’s possible that the threat actors meant to direct investigators to the nearby General Staff of the Polish Army headquarters .
Over 70 official websites were hacked, according to the Security Services of Ukraine (SSU), with illegal access to 10 of them. As investigations continue, these figures are expected to change. Although numerous hypotheses are being researched, the initial access vector for the defaced websites has not been proven. A supply chain attack was utilised to get access to some of the websites, according to the SSU, which cited the compromise of a corporation with administrative powers to the damaged domains. The company was not named, but the website for Ukrainian digital technology firm Kitsoft redirects to a Facebook page that claims its infrastructure was used in the assaults as of this writing. Exploitation of October CMS and Log4j vulnerabilities are two other possible attack paths.
A subset of the institutions hit by the defacement activities were also victims of the WhisperGate malware attacks, according to Ukraine’s State Service of Special Communications and Information Protection. Although Microsoft indicated that the threat actors employed Impacket tools to execute the malware, the details of the WhisperGate initial access vector and deployment mechanism are unknown as of this publishing. Because WhisperGate is not a worm payload like the NotPetya ransomware from 2017, it must be installed and run manually on each target machine.
Technical information on WhisperGate
A master boot record (MBR) wiper and a file wiper are the two main components of WhisperGate. These files appear to be referred to as stage 1 (the MBR wiper) and stage 2 (the MBR wiper) by the attackers (the file wiper). However, because the stages are independent of one another, their designations do not necessarily reflect the sequence in which they were completed.
The MinGW compiler is used to compile the MBR wiper, which is written in the C programming language. Parts of the MBR wiper code are shared by other MBR wiper instances found on the VirusTotal analysis service, according to CTUTM analysis. These similarities point to the makers of the WhisperGate MBR wiper stealing code from publicly or privately shared source code sources.
The MBR wiper overwrites the MBR with a tiny chunk of code when it is run. The new MBR code displays a ransom message (see Figure 4) and attempts to overwrite the disc in the background using the BIOS Extended Write Sectors interrupt call the next time the computer is rebooted. On Windows 10, the virus appears to work as intended. The malware, however, caused a Windows 11 machine to fail, most likely due to the GUID Partition Table (GPT) scheme in Windows 11 replacing the older MBR partition scheme.
Despite the use of a ransom note, data recovery is not possible. This virus isn’t ransomware; it’s a destructive wiper.
The file wiper consists of a loader (Tbopbh.exe) and a compressed payload (Tbopbh.jpg) that is downloaded and executed by the loader. The loader is written in the.NET framework. It uses a PowerShell command to sleep for 20 seconds when invoked, most likely as an anti-virus or sandbox evasion technique. The bundled payload is then downloaded through a Discord channel.
The filename of the payload suggests that it is a JPG picture file, however it is actually a DLL file. To avoid detection by host-based controls, the file byte order is flipped. To get to the final malicious code, the loader restores the byte order and then executes many rounds of extraction and decoding of nested resources. Figure 6 depicts the processes that occur throughout the unpacking process. C:Usersusername>AppDataLocalTemp is where the final harmful files are stored. Microsoft Defender Antivirus is disabled by the loader.
The loader drops Nmddfrqqrbyjeygggda.vbs, which contains a one-line script that prevents Microsoft Defender Antivirus from monitoring the C: drive. To stop the antivirus service and recursively remove its starting directory, the loader drops the AdvancedRun.exe NirSoft programme.
C:WindowsMicrosoft.NETFrameworkv4.0.30319/InstallUtil.exe is moved to C:UsersAppDataLocalTemp/InstallUtil.exe. Using a method known as process hollowing, this file is used to construct the host process where the final wiper payload is injected. A function in the code runs a command (cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q ” percent s”) that uses ping to inject a brief time delay before deleting a file (cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q ” percent CTU researchers, on the other hand, did not see this command executed during the malware’s sandbox execution.
The file wiper code is written in C and compiled with MinGW, just like the MBR wiper. A hard-coded list of file extensions is targeted by the file wiper. It wipes out data in detected files by writing 0xCC to them 65536 times, equating to about 1MB of data. The list includes file formats that aren’t generally targeted by ransomware, such as a Czech word processor’s.602 extension. This extension was targeted by the WCry (also known as WannaCry) ransomware, but there is no confirmed link between the two malware families.
Attribution
There is insufficient information to confirm attribution for the Ukrainian defacement, DDoS, and wiper attacks as of this publication. However, they are almost certainly linked to the current geopolitical tensions centred on the Ukraine-Russia border. Additional cyberattacks are inevitable if tensions do not calm down. Previous attacks on Ukraine, such as NotPetya, lacked the complexity and destructive potency of these operations. To reduce the amount of custom code used in the attack, the threat actors employed inauthentic information and publicly available crimeware services and code to deflect attribution.
Recommendations
Businesses with operations in Ukraine should be extra cautious and assess their business continuity and disaster recovery plans. Backups of business-critical systems and data should be kept up to date, restoration processes should be practised before they are needed, and backups should not be disrupted by ransomware-style or wiper virus attacks. Organizations should also plan for business continuity in the event of power outages or other business-critical services being lost.
Organizations based outside of Ukraine or unrelated to the current situation are unlikely to be directly targeted. Organizations should, however, assess the risk of collateral damage from strikes initiated in Ukraine that could affect global operations. Business partners and service providers in Ukraine who have logical access to consumer networks could be affected. Risk can be reduced by using effective network segmentation to separate high-risk and low-risk zones. Furthermore, all firms should follow fundamental security procedures such as updating internet-facing systems for known vulnerabilities, adopting and maintaining antivirus solutions, and monitoring endpoint detection and response solutions.
