WhisperGate is a multi-stage wiper designed to look like ransomware that has been used in attacks against Ukraine since at least January 2022.[1][2][3]

ID: S0689
Platforms: Windows
Contributors: Phil Taylor, BT Security
Version: 1.0
Created: 10 March 2022
Last Modified: 10 April 2022

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

WhisperGate can make an HTTPS connection to download additional files.[2][4]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

WhisperGate can use PowerShell to support multiple actions including execution and defense evasion.[2][5][4]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

WhisperGate can use cmd.exe to execute commands.[2]

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

WhisperGate can use a Visual Basic script to exclude the C:\ drive from Windows Defender scanning.[2][5]

Enterprise T1485 Data Destruction

WhisperGate can corrupt files by overwriting the first 1 MB with 0xcc and appending random extensions.[3][6][1][2][5][4]

Enterprise T1140 Deobfuscate/Decode Files or Information

WhisperGate can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations.[5][4]

Enterprise T1561.001 Disk Wipe: Disk Content Wipe

WhisperGate can overwrite sectors of a victim host's hard drive at periodic offsets.[6][5][4]

Enterprise T1561.002 Disk Wipe: Disk Structure Wipe

WhisperGate can overwrite the Master Boot Record (MBR) on victim systems with a malicious 16-bit bootloader.[3][6][1][2][5][4]

Enterprise T1083 File and Directory Discovery

WhisperGate can locate files based on hardcoded file extensions.[3][2][5][4]

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

WhisperGate can download and execute AdvancedRun.exe to disable Windows Defender Threat Protection via sc.exe.[2][5][4]

Enterprise T1070.004 Indicator Removal on Host: File Deletion

WhisperGate can delete tools from a compromised host after execution.[5]

Enterprise T1105 Ingress Tool Transfer

WhisperGate can download additional stages of malware from a Discord CDN channel.[3][2][5][4]

Enterprise T1036 Masquerading

WhisperGate has been disguised using a JPG file extension to avoid detection as a malicious PE file.[4]

Enterprise T1106 Native API

WhisperGate has used the ExitWindowsEx API to flush file buffers to disk and stop running processes.[5]

Enterprise T1027 Obfuscated Files or Information

WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage.[5][4]

Enterprise T1542.003 Pre-OS Boot: Bootkit

WhisperGate overwrites the MBR with a bootloader component that performs destructive wiping operations on hard drives and displays a fake ransom note when the host boots.[6][1][3][5][4]

Enterprise T1055 Process Injection

WhisperGate has the ability to inject its fourth stage into a suspended process created by the legitimate Windows utility InstallUtil.exe.[5]

Enterprise T1518.001 Software Discovery: Security Software Discovery

WhisperGate can recognize the presence of monitoring tools on a target system.[2]

Enterprise T1218.004 System Binary Proxy Execution: InstallUtil

WhisperGate has used InstallUtil.exe as part of its process to disable Windows Defender.[2]

Enterprise T1082 System Information Discovery

WhisperGate has the ability to enumerate fixed logical drives on a targeted system.[5]

Enterprise T1049 System Network Connections Discovery

WhisperGate can enumerate connected remote logical drives.[5]

Enterprise T1529 System Shutdown/Reboot

WhisperGate can shut down a compromised host through execution of ExitWindowsEx with the EWX_SHUTDOWN flag.[5]

Enterprise T1078.001 Valid Accounts: Default Accounts

The WhisperGate third stage can use the AdvancedRun.exe tool to execute commands in the context of the Windows TrustedInstaller group.[5]

Enterprise T1497 Virtualization/Sandbox Evasion

WhisperGate can stop its execution when it recognizes the presence of certain monitoring tools.[2]

Enterprise T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion

WhisperGate can pause for 20 seconds to bypass antivirus solutions.[4]

Enterprise T1102 Web Service

WhisperGate can download additional payloads hosted on a Discord channel.[6][2][3][5][4]