Microsoft has detected a major malware campaign targeting government, non-profit, and IT organizations across Ukraine. The threat actors are deploying wiper malware that masquerades as ransomware. The disclosure follows the defacement of multiple Ukrainian government websites. 

The attacks

The attacks started on January 13, around the same time that more than 70 government websites were defaced by groups reportedly linked to Russian intelligence services. Microsoft has not, however, established any link between the malware and the website defacements. 
  • The defaced websites include those of the Ministry of Foreign Affairs, the Ministry of Education and Science, and others. 
  • The attackers posted provocative messages on the main pages of the sites. CERT-UA stated, however, that the underlying content of the websites was not altered and that no personal data was leaked. 
  • The attackers are believed to have exploited CVE-2021-32648 in October CMS to reset the passwords of administrator accounts. 

The malware operation

The malware belongs to the WhisperGate family and is designed to look like ransomware, but it has no recovery mechanism for victims who pay. Microsoft has found it on dozens of systems and believes it may have been distributed more widely. 
  • It is a two-stage wiper. The first stage overwrites the Master Boot Record (MBR) on victim systems with a ransom note that includes a Bitcoin wallet and a Tox ID. 
  • The second stage downloads a file corrupter from a Discord channel. The corrupter searches for files with specific extensions, overwrites their contents, and renames each file with a random four-byte extension. 
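The two stages listed above leave artifacts an incident responder can look for directly: a boot sector whose bootstrap area contains readable note text instead of x86 code, and documents whose contents have been replaced and whose names now carry a four-character random extension. The following triage helpers are an added example written for this article; they are not Microsoft's code, not a sample of the malware, and the MBR sectors and the files they run against are constructed here rather than captured from a victim. Two details are assumptions not stated in the article: that the note is stored as plain ASCII in the bootstrap area, and that the corrupter fills each file with one repeated byte value (the fill byte used below is a placeholder).

```python
"""Triage helpers for WhisperGate-style artifacts (added example, not the page's code).

Assumptions (not from the article): the ransom note sits as plain ASCII in the first
440 bytes of the MBR, and the file corrupter fills each victim file with a single
repeated byte. The MBR sectors and sample files below are constructed fixtures.
"""
import os
import re
import tempfile

MBR_SIZE = 512
BOOTSTRAP_SIZE = 440  # bytes of boot code before the disk signature and partition table
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e\t\r\n]+")

# Well-known four-character extensions that must not be mistaken for random ones.
KNOWN_4CHAR_EXTS = {".docx", ".xlsx", ".pptx", ".html", ".json", ".jpeg", ".tiff", ".yaml"}
RANDOM_EXT = re.compile(r"^\.[A-Za-z0-9]{4}$")


def extract_ransom_note(mbr: bytes, min_len: int = 128):
    """Return the longest printable run in the bootstrap area if it is long enough
    to be a note, otherwise None. Legitimate boot code only carries short,
    NUL-separated error strings (a few dozen bytes each), so a run of 128 or more
    printable bytes is a strong wiper indicator."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector")
    runs = PRINTABLE_RUN.findall(mbr[:BOOTSTRAP_SIZE])
    if not runs:
        return None
    note = max(runs, key=len)
    return note.decode("ascii") if len(note) >= min_len else None


def file_looks_corrupted(path: str, sample_size: int = 4096) -> bool:
    """Flag a file whose extension is a random-looking four-character string AND
    whose leading bytes are one repeated value. Empty files are not flagged."""
    ext = os.path.splitext(path)[1]
    if not RANDOM_EXT.match(ext) or ext.lower() in KNOWN_4CHAR_EXTS:
        return False
    with open(path, "rb") as fh:
        data = fh.read(sample_size)
    return len(data) > 0 and data == data[:1] * len(data)


def triage_tree(root: str):
    """Walk a directory tree and return the relative paths of suspicious files."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if file_looks_corrupted(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


# Constructed fixtures (placeholders, not the real wallet or Tox ID).
SAMPLE_NOTE = (
    b"Your hard drive has been corrupted.\r\n"
    b"In case you want to recover all hard drives of your organization,\r\n"
    b"you should pay us $10k via bitcoin wallet <WALLET-PLACEHOLDER>\r\n"
    b"and send message via tox ID <TOX-ID-PLACEHOLDER> with your organization name.\r\n"
)
SAMPLE_WIPED_MBR = SAMPLE_NOTE.ljust(BOOTSTRAP_SIZE, b"\x00") + b"\x00" * 70 + b"\x55\xaa"
# A plausible clean sector: opcode-like bytes followed by one short error string.
SAMPLE_CLEAN_MBR = (
    b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" * 52 + b"Invalid partition table\x00"
    + b"\x00" * 70 + b"\x55\xaa"
)


def build_sample_dir() -> str:
    """Constructed fixture: an intact document, an intact four-character-extension
    file, and one file as the corrupter would have left it (assumed fill byte 0xCC)."""
    root = tempfile.mkdtemp(prefix="whispergate_triage_")
    with open(os.path.join(root, "quarterly.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04" + os.urandom(2048))
    with open(os.path.join(root, "config.json"), "wb") as fh:
        fh.write(b'{"retries": 3, "host": "example.invalid"}')
    with open(os.path.join(root, "quarterly.Qx7z"), "wb") as fh:
        fh.write(b"\xcc" * 8192)
    return root


if __name__ == "__main__":
    print("clean MBR note:", extract_ransom_note(SAMPLE_CLEAN_MBR))
    print("wiped MBR note:", extract_ransom_note(SAMPLE_WIPED_MBR))
    print("suspicious files:", triage_tree(build_sample_dir()))
```

On a live system the first 512 bytes would be read from the physical disk (for example with `dd` from a forensic image) rather than from a constructed buffer; the file check is deliberately conservative, requiring both the random-looking extension and uniform content, so that ordinary files with four-character extensions are not flagged.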

Why this matters

The use of wiper malware signals that the threat actors are not after financial gain but aim to disrupt the targets' operations. Overwriting the MBR renders the system unbootable, and once the second stage has overwritten file contents, there is nothing left to recover even if the boot sector is repaired. Researchers suspect the ransom note serves as a diversion from the attacker's true intent. 

The bottom line

Microsoft is building and rolling out detections for these attacks. It has also published mitigations for the techniques used by the threat actor, including using the published IoCs to check whether a system is infected and reviewing all authentication methods for suspicious remote access activity. 

Cyware Publisher
