WhisperGate: The Newest Russian Cyberthreat

by

February 24, 2022

Not all the bombs falling across Ukraine today are traditional munitions. Some of them are relegated to the cybersphere. Most notable is WhisperGate, the brand-spanking-new digital weapon straight out of the Kremlin.

As the world recoils in fear, markets crash and people run for their very lives, Russia is taking advantage of the chaos. WhisperGate, like the malware we discussed in our last article about Iran, is an example of a growing trend in malware that is more interested in burning the target’s infrastructure to the ground than in holding it for ransom.

How does WhisperGate work?

We’re unsure exactly how the malware is delivered, but it operates in a fairly straightforward manner once a target is infected. According to Microsoft, WhisperGate has two stages.

In the first stage, WhisperGate overwrites the end-point’s Master Boot Record (MBR) to display a fake ransomware note. The MBR is the part of a hard drive that tells an end-point how to boot up its operating system.

By hijacking the MBR, WhisperGate then displays this ransom note:

“Your hard drive has been corrupted. In case you want to recover all hard drives of your organization, you should pay us $10k via bitcoin wallet <REDACTED> and send message via tox ID <REDACTED> with your organization name. We will contact you to give further instruction.”

– WhisperGate Ransom Note

“Overwriting the MBR is atypical for cybercrime ransomware,” Microsoft said. What they’re really doing is laying down a smokescreen while they do the dirty work behind the scenes.

Stage 2 is where the chaos really starts. After compromising the MBR, the malware downloads an executable, unimaginatively called stage2.exe, via a Discord channel. Once executed, stage2.exe begins corrupting specifically targeted files. The files typically end with one of the following file extensions:

.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU .SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP

If stage2.exe finds one of the above-mentioned file types it corrupts the file’s contents.
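
A practical defender’s use of that extension list is to find out how much of your own data would be in the blast radius, so backups and offline copies can be prioritized. The following Python script is an added example written for this article (it is not Integris’ or Microsoft’s code): it parses the list exactly as printed above, flags files whose final extension is on it (case-insensitively, so `.Docx` counts), and walks a directory tree counting at-risk files by type. The directory tree in `demo_inventory()` is constructed in a temporary folder for demonstration.

```python
"""Inventory files whose extensions are on WhisperGate's stage2 target list.

Added example for this article. The extension list below is copied from the
article; everything scanned by demo_inventory() is constructed sample data.
"""
from collections import Counter
from pathlib import Path
import tempfile

# Targeted extension list as published in the article (one string, wrapped).
TARGETED_EXTENSIONS_TEXT = """
.3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2
.CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU .SH
.DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML
.HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG
.MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2
.OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7
.PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1
.PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL
.SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ
.TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM
.VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM
.XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP
"""


def parse_extension_list(text: str) -> frozenset:
    """Turn the whitespace-separated list into a set of lowercase suffixes."""
    return frozenset(tok.lower() for tok in text.split() if tok.startswith("."))


TARGETED_EXTENSIONS = parse_extension_list(TARGETED_EXTENSIONS_TEXT)


def is_targeted(path) -> bool:
    """True if the file's final extension is on the list, ignoring case.

    Only the last suffix is compared, so 'site.tar.gz' matches via '.gz',
    and a file with no extension (e.g. 'README') never matches.
    """
    suffix = Path(path).suffix.lower()
    return bool(suffix) and suffix in TARGETED_EXTENSIONS


def inventory(root) -> Counter:
    """Walk root and count at-risk files per extension (backup prioritisation)."""
    counts = Counter()
    for p in Path(root).rglob("*"):
        if p.is_file() and is_targeted(p):
            counts[p.suffix.lower()] += 1
    return counts


def demo_inventory() -> Counter:
    """Build a small constructed tree in a temp dir and inventory it."""
    sample_files = [
        "finance/q1.xlsx",   # targeted
        "finance/q2.XLSX",   # targeted, upper-case extension
        "finance/notes.txt", # targeted
        "app.exe",           # not on the list
        "site.tar.gz",       # targeted via final suffix .gz
        "README",            # no extension
        "keys.kdbx",         # targeted (password database)
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        for name in sample_files:
            (root / name).write_bytes(b"constructed sample content")
        return inventory(root)   # computed before the temp dir is removed


if __name__ == "__main__":
    for ext, n in sorted(demo_inventory().items()):
        print(f"{ext:10s} {n}")
```

Point `inventory()` at a file share or user profile root to get the same per-extension counts for real data; the totals tell you how much would need restoring from backup if stage2.exe ran there.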

How to Protect Yourself:

As always, the most important question is “how do I make sure WhisperGate doesn’t impact my business.” Thankfully there are a few ways you can do just that. Here are 7 steps you can take right now to help make sure you’re not WhisperGate’s next victim:

1. Restrict egress by source, identity, and protocols

“This way to the egress!” If you’re not familiar with the quote, it’s okay. It’s an obscure one. P.T. Barnum came up with it. It was a way to trick people who visited his exhibits into leaving without knowing they were doing so.

This applies, in a way, to network traffic as well. It’s important to know not only where traffic is coming from on your network, but where it’s going as well. Yes, some outbound traffic might be normal, or even welcome. That doesn’t mean all of it is.

Outbound traffic should be restricted by source, identity, and protocols. Start by making a list of remote services you should be communicating with regularly. After that, it’s important to scan your network to see if there’s any outbound traffic you don’t recognize, identify what it is and then block it accordingly.

Consider also implementing a DENY ALL outbound traffic policy (with logging enabled) that limits outbound traffic of any type to what you expressly allow.
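
To make the “list of remote services you should be communicating with” concrete, here is an added Python example (not from the article or any firewall vendor) that audits outbound connection records against an allowlist keyed on source subnet, user identity, destination subnet, protocol and port. Anything that matches no rule is what a DENY ALL policy would drop, and is exactly the traffic to identify and then block or expressly allow. The log line format, the allowlist entries and all addresses (RFC 5737 TEST-NET ranges) are constructed for the example; adapt `LINE_RE` to your firewall’s own log format.

```python
"""Audit outbound flows against an egress allowlist (default posture: DENY ALL).

Added example for this article. Log format, rules and addresses are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    name: str
    src_net: str    # source subnet (CIDR)
    identity: str   # user allowed to use this rule, or "*" for anyone
    dst_net: str    # destination subnet (CIDR)
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


# Constructed allowlist: the services this network legitimately talks to.
ALLOWLIST = [
    AllowRule("DNS to internal resolver", "10.0.0.0/8", "*", "10.0.0.53/32", "udp", 53),
    AllowRule("HTTPS to hosted mail (constructed range)", "10.0.1.0/24", "*", "198.51.100.0/24", "tcp", 443),
    AllowRule("SSH from network admins to hosting provider", "10.0.9.0/24", "netadmin", "203.0.113.0/28", "tcp", 22),
]

# Constructed record format: "<timestamp> src=.. user=.. dst=.. proto=.. dport=.."
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a flow dict, or None for lines that don't fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    return flow


def rule_matches(rule, flow) -> bool:
    """All five attributes must match: source, identity, destination, proto, port."""
    return (
        ipaddress.ip_address(flow["src"]) in ipaddress.ip_network(rule.src_net)
        and (rule.identity == "*" or rule.identity == flow["user"])
        and ipaddress.ip_address(flow["dst"]) in ipaddress.ip_network(rule.dst_net)
        and rule.proto == flow["proto"].lower()
        and rule.dport == flow["dport"]
    )


def classify(flow, rules=ALLOWLIST):
    """Name of the first matching allow rule, or None (would be denied)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name
    return None


def audit(lines, rules=ALLOWLIST):
    """Split flows into (allowed, unrecognized); unrecognized ones need review."""
    allowed, unrecognized = [], []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        name = classify(flow, rules)
        (allowed if name else unrecognized).append((flow, name))
    return allowed, unrecognized


# Constructed sample log: three legitimate flows, three that no rule covers.
SAMPLE_LOG = """\
2022-02-24T09:00:01Z src=10.0.1.25 user=jdoe dst=198.51.100.40 proto=tcp dport=443
2022-02-24T09:00:02Z src=10.0.1.25 user=jdoe dst=10.0.0.53 proto=udp dport=53
2022-02-24T09:00:05Z src=10.0.9.4 user=netadmin dst=203.0.113.9 proto=tcp dport=22
2022-02-24T09:00:07Z src=10.0.1.77 user=svc-print dst=203.0.113.200 proto=tcp dport=443
2022-02-24T09:00:09Z src=10.0.1.25 user=jdoe dst=192.0.2.66 proto=tcp dport=6667
2022-02-24T09:00:10Z src=10.0.9.4 user=jdoe dst=203.0.113.9 proto=tcp dport=22
garbage line that does not parse
""".splitlines()


if __name__ == "__main__":
    _, unknown = audit(SAMPLE_LOG)
    for flow, _ in unknown:
        print(f"REVIEW {flow['src']} ({flow['user']}) -> {flow['dst']} {flow['proto']}/{flow['dport']}")
```

The last unrecognized flow in the sample is worth noting: the destination and port are on the allowlist, but the user is not the admin identity the rule names, which is why restricting by identity and not just by address matters.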


2. Implement Web Filtering to block known bad, unacceptable and unknown traffic

Beyond the possible increase in general workforce productivity that some cite, web filtering is better leveraged to block known bad websites as well as unacceptable and unknown traffic.

Properly setting up web filtering services on your firewalls can save you hours of headache. Most firewalls either have a service built in or offer one you can subscribe to that will do most of the heavy lifting for you. Yes, occasionally you might bump into an oddly misclassified website, but ultimately it does a pretty darn good job of keeping people safe on the internet.

We personally use FortiGuard and recommend it to anyone using a FortiGate device. Of course, Fortinet isn’t alone in offering a web filtering product. Others like Cisco and Barracuda (to name a few) do as well.

3. Block and alert on Botnet and C&C traffic

Botnets are nasty, nasty things. They can be difficult to detect too, since they’re designed to operate without the end user’s knowledge. But you’re in luck: there are a few common things you can look for.

  • IRC traffic (botnets and bot masters use IRC for communications)
  • Connection attempts with known C&C servers
  • Multiple machines on a network making identical DNS requests
  • High outgoing SMTP traffic (as a result of sending spam)
  • Unexpected popups (as a result of click-fraud activity)
  • Slow computing/high CPU usage
  • Spikes in traffic, especially Port 6667 (used for IRC), Port 25 (used in email spamming), and Port 1080 (used by proxy servers)
  • Outbound messages (email, social media, instant messages, etc) that weren’t sent by the user
  • Problems with Internet access
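
Three of the indicators above can be checked mechanically from logs you probably already have: identical DNS requests from several machines, connections to addresses on a C&C indicator list, and spikes on ports 6667, 25 and 1080. The Python below is an added example for this article (not Integris’ code) that runs those three checks over constructed DNS and flow records. The log format, the thresholds, the placeholder C&C indicator list and every address and hostname are constructed; in practice the indicator list comes from your threat-intelligence feed and the thresholds from your own baseline.

```python
"""Three botnet indicators from the article, checked over constructed logs:
identical DNS queries from many hosts, flows to known C&C addresses, and
per-host spikes on IRC (6667), SMTP (25) and SOCKS proxy (1080) ports.

Added example for this article; all data, thresholds and indicators are constructed.
"""
from collections import Counter, defaultdict

# Placeholder indicator list (TEST-NET-1 address); a real one comes from your TI feed.
KNOWN_CC_ADDRESSES = {"192.0.2.100"}

WATCHED_PORTS = {6667: "IRC", 25: "SMTP", 1080: "SOCKS proxy"}
DNS_FANOUT_THRESHOLD = 3    # distinct hosts asking for the same name
PORT_SPIKE_THRESHOLD = 5    # connections from one host to one watched port


def parse_kv(line):
    """Parse 'k=v k=v ...' records; tokens without '=' are ignored."""
    rec = {}
    for tok in line.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v
    return rec


def identical_dns_requests(dns_lines, threshold=DNS_FANOUT_THRESHOLD):
    """Names queried by >= threshold distinct hosts -> {name: sorted hosts}."""
    hosts_by_name = defaultdict(set)
    for line in dns_lines:
        rec = parse_kv(line)
        if "qname" in rec and "src" in rec:
            hosts_by_name[rec["qname"].lower()].add(rec["src"])
    return {n: sorted(h) for n, h in hosts_by_name.items() if len(h) >= threshold}


def cc_connections(flow_lines, indicators=KNOWN_CC_ADDRESSES):
    """Flows whose destination is on the indicator list -> [(src, dst)]."""
    hits = []
    for line in flow_lines:
        rec = parse_kv(line)
        if rec.get("dst") in indicators:
            hits.append((rec.get("src", "?"), rec["dst"]))
    return hits


def port_spikes(flow_lines, threshold=PORT_SPIKE_THRESHOLD):
    """Hosts with >= threshold connections to a watched port -> {(src, port): n}."""
    counts = Counter()
    for line in flow_lines:
        rec = parse_kv(line)
        try:
            port = int(rec.get("dport", ""))
        except ValueError:        # malformed or missing port: skip the record
            continue
        if port in WATCHED_PORTS:
            counts[(rec.get("src", "?"), port)] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


# Constructed DNS log: four hosts resolve the same name, two resolve a normal site.
DNS_LOG = [
    "ts=1 src=10.0.1.11 qname=beacon-host.example.net",
    "ts=2 src=10.0.1.12 qname=BEACON-host.example.net",   # case differs, same name
    "ts=3 src=10.0.1.13 qname=beacon-host.example.net",
    "ts=4 src=10.0.1.14 qname=beacon-host.example.net",
    "ts=5 src=10.0.1.11 qname=www.example.com",
    "ts=6 src=10.0.1.12 qname=www.example.com",
    "ts=7 src=10.0.1.11 qname=beacon-host.example.net",   # repeat from one host
]

# Constructed flow log: one C&C hit, one IRC spike, SMTP below threshold, one bad record.
FLOW_LOG = (
    ["ts=10 src=10.0.1.11 dst=192.0.2.100 dport=443"]
    + [f"ts={20 + i} src=10.0.1.12 dst=192.0.2.55 dport=6667" for i in range(6)]
    + [f"ts={30 + i} src=10.0.1.13 dst=198.51.100.25 dport=25" for i in range(3)]
    + ["ts=40 src=10.0.1.14 dst=198.51.100.7 dport=443",
       "ts=41 src=10.0.1.14 dst=198.51.100.7 dport=n/a"]
)


def run_checks(dns_lines=DNS_LOG, flow_lines=FLOW_LOG):
    """Run all three checks and return their findings in one dict."""
    return {
        "identical_dns": identical_dns_requests(dns_lines),
        "cc_connections": cc_connections(flow_lines),
        "port_spikes": port_spikes(flow_lines),
    }


if __name__ == "__main__":
    for check, finding in run_checks().items():
        print(check, finding)
```

Each check returns the hosts involved rather than just a yes/no, so a finding can go straight into a ticket or a firewall block list; the SMTP sender in the sample stays below threshold on purpose to show that a few legitimate mail connections are not flagged.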

4. Implement Deep Packet Inspection

Implementing Deep Packet Inspection (DPI) lets you analyze the traffic being sent over your network, including encrypted traffic when SSL inspection is enabled. DPI allows you to take action against traffic by blocking, re-routing, or logging it. DPI can also be used to verify that data is formatted correctly, to look for malicious code, or to spot someone eavesdropping on your network traffic.

DPI benefits include:
  • Filter and analyze messages
  • Open and close ports
  • Perform in-line spam screening
  • Proxy your IM traffic
  • Perform SSL session inspections
  • Prevent security breaches

We’re big believers in not being able to manage what you don’t measure. By analyzing your network traffic you get a much better idea what’s going on day to day. DPI can help you accomplish that.

5. Enforce Application Control, limited to applications that are both known and sanctioned

Today’s world is all about apps! I don’t mean appetizers (but if that’s where your first thought went, I like where your head’s at). I mean applications. You can’t do anything without ’em! They enable us.

But there are a lot of bad or questionable apps out there, and it’s really easy to install them. By enforcing application control you can limit what gets installed on your endpoints to only what is known and what is sanctioned by you. You can implement application control rather easily by applying the principle of least privilege when assigning user rights.

Keep in mind that the average user doesn’t usually need to install any sort of application on their end-point to do their job. They should already have all the tools they need. Limiting their ability to do so from the get-go might be a solution you want to consider.


6. Install a next-generation end-point protection application on your end-points and configure it to block scripts

There are a lot of products out there to consider when it comes to protecting your end-points. We’d never shy away from our love of Cylance, but we’ll be the first to admit they’re not the only game in town, and there are a lot of solutions out there that would probably work for you. What matters is that you pick something and install it.

One of the biggest threats to an organization, in general, is malware infestation. A next-generation end-point protection tool with script blocking configured can do a lot to stop your organization from falling victim to a would-be attacker.

7. Educate your end-users so they become more security-minded; start by enabling external email identification notifications

I personally am a big believer in the idea that the best way to protect yourself from something is to know as much as you can about it. If malware is as much a threat to organizations like yours as it appears to be (and it is), the best way to avoid an infestation is to educate not only yourself regarding the matter but the other people in the organization as well.

Yes, a next-generation end-point protection product can help you avoid such an awful fate, but it’s much better to be proactive than reactive, and a great way to do that is via security awareness training for your end-users.

Another way to accomplish this is to set up external email notifications that remind people not to do things like download and open attachments from people they don’t know. External email notifications are exceptionally easy to set up and implement (as you can see in this article: https://www.securit360.com/blog/configure-warning-messages-office-365-emails-external-senders/).


Carl Keyser is the Content Manager at Integris.
