Monday, December 23, 2024

Ukraine: Wiper malware masquerading as ransomware hits government organizations

In the wake of last week’s attention-grabbing defacements of many Ukrainian government websites, Microsoft researchers have revealed evidence of a malware operation targeting multiple organizations in Ukraine, deploying what seems to be ransomware but is actually Master Boot Records (MBR) wiper malware.

The defacements

“On the night of January 13-14, a number of government websites, including the Ministry of Foreign Affairs, the Ministry of Education and Science and others, were hacked. Provocative messages were posted on the main page of these sites. The content of the sites was not changed and the leakage of personal data, according to preliminary information, did not occur,” the Computer Emergency Response Team of Ukraine (CERT-UA) said.

The team noted that it’s possible that the attackers exploited CVE-2021-32648, a vulnerability in the October CMS, to reset the admin account password and gain access to it, allowing them to post the taunting messages.

The malware operation

Late on Saturday, Microsoft shared information and IOCs related to a malware campaing targeting Ukrainian organizations.

According to their research, the malware first appeared on victim systems on January 13.

“The organizations affected by this malware include government agencies that provide critical executive branch or emergency response functions and an IT firm that manages websites for public and private sector clients, including government agencies whose websites were recently defaced,” the researchers noted.

“We do not know the current stage of this attacker’s operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations. However, it is unlikely these impacted systems represent the full scope of impact as other organizations are reporting.”

Recommended:  CISA Adds Another 95 Flaws to its Actively Exploited Vulnerabilities Catalog

The malware – dubbed WhisperGate – first overwrites the MBR on victim systems and displays a ransom note, and then executes when the target device is powered down.

“The malware resides in various working directories, including C:\PerfLogsC:\ProgramDataC:\, and C:\temp, and is often named stage1.exe. In the observed intrusions, the malware executes via Impacket, a publicly available capability often used by threat actors for lateral movement and execution,” they shared.

Stage2.exe is a downloader for a malicious file corrupter malware. Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader.”

The “corrupter” locates files with a wide variety of file extensions and overwrites the contents of the file with a fixed number of 0xCC bytes.

Based on the capabilities and activity of the malware, as well as the content of the ransomware note, the researchers believe that the attackers are not part of a cybercriminal ransomware gang.

Microsoft has notified customers that have been targeted / compromised and are advising government agencies, non-profits and enterprises located or with systems in Ukraine to use the provided IOCs to investigate whether their systems and networks have been compromised.

They have also urged them to review all authentication activity for remote access infrastructure, to enable MFA for all remote connectivity, and to enable controlled folder Access (CFA) in Microsoft Defender for Endpoint (if they use it) to prevent MBR/VBR modification.

Vx-underground has also shared malware samples.

Attack attribution

While Microsoft did not make a definite connection between this activity and a previously known threat actor, the malware campaign is evocative of the 2017 NotPetya attacks against businesses and government entities in the Ukraine and around the world, which has been attributed by several Western governments to the Russian military, i.e., the Sandworm Team – hacking group that is believed to be a part of Unit 74455 of the Russian Main Intelligence Directorate (GRU).

Recommended:  Cyber Weekly: NetGear urgent patch, malicious PyTorch compromise, LockBit ransoms Lisbon

Add to this the current geopolitic situation in and around Ukraine, and it seems logical to suspect that Russian threat actors – whether sponsored by the Russian Federation or not – are the source of the attacks. Still, there is no concrete evidence so far either way, so that remains a speculation.

Got o Cybersecurity News

Go to Homepage

Go to Cybersecurity Academy

You may also enjoy reading, The definitions of “recently” and “discovered” leave a lot to be desired

Stay informed with the latest Cybersecurity trends, threats and analysis. Sign up to the realinfosec weekly cybersecurity newsletter today.

Bookmark
Please login to bookmarkClose
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates

explore

more

security