WhisperGate is a multi-stage wiper designed to look like ransomware that has been used in attacks against Ukraine since at least January 2022.[1][2][3]

ID: S0689
Platforms: Windows
Contributors: Phill Taylor, BT Security
Version: 1.0
Created: 10 March 2022
Last Modified: 24 October 2022

Techniques Used

Domain ID Name Use
Enterprise T1134 .002 Access Token Manipulation: Create Process with Token

The WhisperGate third stage can use the AdvancedRun.exe tool to execute commands in the context of the Windows TrustedInstaller group via "%TEMP%\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run.[4]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

WhisperGate can make an HTTPS connection to download additional files.[2][5]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

WhisperGate can use PowerShell to support multiple actions including execution and defense evasion.[2][4][5]

.003 Command and Scripting Interpreter: Windows Command Shell

WhisperGate can use cmd.exe to execute commands.[2]

.005 Command and Scripting Interpreter: Visual Basic

WhisperGate can use a Visual Basic script to exclude the C:\ drive from Windows Defender.[2][4]

Enterprise T1485 Data Destruction

WhisperGate can corrupt files by overwriting the first 1 MB with 0xcc and appending random extensions.[3][6][1][2][4][5]
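For triage after an incident of this kind, the following is an added example (not code from ATT&CK or the cited reports) that walks a directory tree and flags files whose leading 1 MB is entirely 0xCC, which is how the corrupted files described above would look on disk. The MIN_SIZE threshold and the sample file names are assumptions.

```python
"""Triage helper: flag files whose leading bytes match WhisperGate-style
corruption (first 1 MB overwritten with 0xCC). Added example; thresholds
and sample names are assumptions, not values from the page."""
import os
import tempfile
from pathlib import Path

WIPE_LEN = 1024 * 1024  # 1 MB overwritten by the wiper, per the technique description
FILL_BYTE = 0xCC
MIN_SIZE = 64           # assumption: skip tiny files to limit false positives

def is_cc_filled(path: Path, wipe_len: int = WIPE_LEN) -> bool:
    """True if the first min(size, wipe_len) bytes of the file are all 0xCC."""
    size = path.stat().st_size
    if size < MIN_SIZE:
        return False
    n = min(size, wipe_len)
    with path.open("rb") as f:
        head = f.read(n)
    return len(head) == n and head == bytes([FILL_BYTE]) * n

def scan_tree(root: Path) -> list[Path]:
    """Walk a directory and return the files that look wiped, sorted by path."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                if p.is_file() and is_cc_filled(p):
                    hits.append(p)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return sorted(hits)

def demo() -> list[str]:
    """Build a constructed sample tree and return the relative paths flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed victim file: 1 MB of 0xCC, tail intact, renamed with a
        # random-looking extension as the wiper does.
        wiped = root / "report.docx.aK9q"
        wiped.write_bytes(bytes([FILL_BYTE]) * WIPE_LEN + b"original tail" * 1000)
        # Constructed small file, wholly overwritten because it is under 1 MB.
        small = root / "notes.txt.Zx2m"
        small.write_bytes(bytes([FILL_BYTE]) * 4096)
        # Constructed intact file that must not be flagged.
        (root / "intact.pdf").write_bytes(b"%PDF-1.7\n" + b"A" * 5000)
        return [str(p.relative_to(root)) for p in scan_tree(root)]
```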

Enterprise T1140 Deobfuscate/Decode Files or Information

WhisperGate can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations.[4][5]

Enterprise T1561 .001 Disk Wipe: Disk Content Wipe

WhisperGate can overwrite sectors of a victim host's hard drive at periodic offsets.[6][4][5]

.002 Disk Wipe: Disk Structure Wipe

WhisperGate can overwrite the Master Boot Record (MBR) on victim systems with a malicious 16-bit bootloader.[3][6][1][2][4][5]

Enterprise T1083 File and Directory Discovery

WhisperGate can locate files based on hardcoded file extensions.[3][2][4][5]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

WhisperGate can download and execute AdvancedRun.exe to disable the Windows Defender Threat Protection service and set an exclusion path for the C:\ drive.[2][4][5]

Enterprise T1070 .004 Indicator Removal: File Deletion

WhisperGate can delete tools from a compromised host after execution.[4]

Enterprise T1105 Ingress Tool Transfer

WhisperGate can download additional stages of malware from a Discord CDN channel.[3][2][4][5]

Enterprise T1036 Masquerading

WhisperGate has been disguised with a .jpg extension to avoid detection as a malicious PE file.[5]

Enterprise T1106 Native API

WhisperGate has used the ExitWindowsEx API to flush file buffers to disk and stop running processes.[4]

Enterprise T1135 Network Share Discovery

WhisperGate can enumerate connected remote logical drives.[4]

Enterprise T1027 Obfuscated Files or Information

WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage.[4][5]

Enterprise T1542 .003 Pre-OS Boot: Bootkit

WhisperGate overwrites the MBR with a bootloader component that performs destructive wiping operations on hard drives and displays a fake ransom note when the host boots.[6][1][3][4][5]

Enterprise T1055 .012 Process Injection: Process Hollowing

WhisperGate has the ability to inject its fourth stage into a suspended process created by the legitimate Windows utility InstallUtil.exe.[4]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

WhisperGate can recognize the presence of monitoring tools on a target system.[2]

Enterprise T1218 .004 System Binary Proxy Execution: InstallUtil

WhisperGate has used InstallUtil.exe as part of its process to disable Windows Defender.[2]

Enterprise T1082 System Information Discovery

WhisperGate has the ability to enumerate fixed logical drives on a targeted system.[4]

Enterprise T1569 .002 System Services: Service Execution

WhisperGate can download and execute AdvancedRun.exe via sc.exe.[5][2]

Enterprise T1529 System Shutdown/Reboot

WhisperGate can shut down a compromised host through execution of ExitWindowsEx with the EWX_SHUTDOWN flag.[4]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

WhisperGate can stop its execution when it recognizes the presence of certain monitoring tools.[2]

.003 Virtualization/Sandbox Evasion: Time Based Evasion

WhisperGate can pause for 20 seconds to bypass antivirus solutions.[5]

Enterprise T1102 Web Service

WhisperGate can download additional payloads hosted on a Discord channel.[6][2][3][4][5]

Groups That Use This Software

ID Name References
G1003 Ember Bear