Microsoft’s security experts have identified a novel destructive malware campaign targeting IT, non-profit, and government organizations in Ukraine. Tracked as WhisperGate, the activity was first spotted on January 13, 2022. According to a report from the Microsoft Threat Intelligence Center (MSTIC), the malware is designed to look like ransomware but has no ransom recovery mechanism: it is built to render the targeted systems inoperable rather than to collect a ransom.
“Our investigation teams have identified the malware on dozens of impacted systems, and that number could grow as our investigation continues. These systems span multiple government, non-profit, and information technology organizations in Ukraine. We do not know the current stage of this attacker’s operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations. However, it is unlikely these impacted systems represent the full scope of impact as other organizations are reporting,” MSTIC said.
While the attackers behind this campaign have not been publicly identified, Microsoft said it has notified the affected organizations about WhisperGate.
WhisperGate Campaign Infection
WhisperGate overwrites the Master Boot Record (MBR) of victim systems with a fake ransom note that contains a Bitcoin wallet address and a Tox ID. The destructive payload runs when the compromised device is powered down, and the overwritten MBR takes effect the next time the machine boots. The malware has been found in several working directories, including C:\PerfLogs, C:\ProgramData, C:\, and C:\temp, often under the name stage1.exe.
“The malware executes when the associated device is powered down. Overwriting the MBR is atypical for cybercriminal ransomware. In reality, the ransomware note is a ruse, and the malware destructs the MBR and the contents of the files it targets,” MSTIC added.
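The two artifacts described above, the stage1.exe dropper in the named working directories and the replaced boot sector, can both be checked from an elevated Windows PowerShell 5.1 session on a suspect host. The script below is an added triage example and is not code from Microsoft’s report: the directory list and file name come from the report, while the raw-device read of \\.\PhysicalDrive0, the boot-signature check and the printable-string heuristic are this example’s own choices. A file hash alone proves nothing until it is compared with the indicators published alongside the MSTIC report, so the script reports hashes rather than judging them.

```powershell
# Added hunting example (not from Microsoft's report). Requires an elevated
# Windows PowerShell 5.1 session on the host being examined.

$WorkingDirs = 'C:\PerfLogs', 'C:\ProgramData', 'C:\', 'C:\temp'   # from the MSTIC report
$DropperName = 'stage1.exe'                                        # from the MSTIC report

function Find-WhisperGateDropper {
    foreach ($dir in $WorkingDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # No -Recurse: the report names these as the directories the dropper sits in.
        Get-ChildItem -LiteralPath $dir -Filter $DropperName -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Size    = $_.Length
                    Created = $_.CreationTimeUtc
                    # Compare against the published IOCs; the hash is not judged here.
                    SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

function Get-BootSectorReport {
    param([string]$Device = '\\.\PhysicalDrive0')   # assumption: boot disk is disk 0
    $sector = New-Object byte[] 512
    # Reading the raw device needs administrator rights; FileShare ReadWrite
    # avoids a sharing violation with the mounted volumes.
    $fs = New-Object System.IO.FileStream($Device, [IO.FileMode]::Open,
                                          [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
    try     { [void]$fs.Read($sector, 0, 512) }
    finally { $fs.Dispose() }

    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash($sector) | ForEach-Object { $_.ToString('x2') }) -join ''

    # Heuristic: a conventional Windows MBR ends in the 0x55AA boot signature and
    # carries boot-code messages such as "Invalid partition table". A note addressed
    # to the user in this sector is what an MBR overwritten with a ransom note looks
    # like. Baseline the SHA256 on a known-good machine of the same image to compare.
    $text    = [System.Text.Encoding]::ASCII.GetString($sector)
    $strings = [regex]::Matches($text, '[\x20-\x7e]{8,}') | ForEach-Object { $_.Value }

    [pscustomobject]@{
        Device     = $Device
        SHA256     = $hash
        HasBootSig = ($sector[510] -eq 0x55 -and $sector[511] -eq 0xAA)
        Strings    = $strings
    }
}

$hits = Find-WhisperGateDropper
if ($hits) { $hits | Format-Table -AutoSize } else { "No $DropperName found in the listed directories." }
Get-BootSectorReport | Format-List
```

The boot-sector read is only meaningful while the machine is still running; once the overwritten MBR has been booted there is nothing left to read from the OS side, so this check belongs in the window between suspected compromise and the next power cycle.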
MSTIC recommends that organizations:
- Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.
- Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and enforce MFA for remote connectivity.
- Use the indicators of compromise published with the MSTIC report to check whether they are present in your environment and assess for potential intrusion.
- Enable Controlled Folder Access (CFA) in Microsoft Defender for Endpoint to prevent MBR/VBR modification.
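Two of the four recommendations can be acted on directly from an elevated PowerShell session on a Windows host running Microsoft Defender Antivirus: pulling recent remote logons out of the Security log for review, and switching Controlled Folder Access on. The script below is an added example and not Microsoft’s own tooling. It assumes the Security log is retained on the host (in practice the same query belongs on a log collector), uses an arbitrary seven-day window, and reads the CFA state with Get-MpPreference and sets it with Set-MpPreference, which are the documented Defender cmdlets. Enforcing MFA is an identity-provider setting and is not something a host-side script can do.

```powershell
# Added triage example (not from Microsoft's guidance). Run elevated on a
# Windows host with Microsoft Defender Antivirus and the Security log available.

function Get-RemoteLogonSummary {
    param([int]$Days = 7)   # assumption: a 7-day review window
    $start = (Get-Date).AddDays(-$Days)
    # Event 4624 = successful logon. LogonType 10 is RemoteInteractive (RDP);
    # LogonType 3 is Network (SMB, WinRM and similar). Both matter for accounts
    # that can authenticate with a password alone.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $start } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType = [int]$d.LogonType
                SourceIP  = $d.IpAddress
            }
        } |
        Where-Object { $_.LogonType -in 3, 10 -and $_.Account -notmatch '\$$' } |   # drop machine accounts
        Group-Object Account, LogonType |
        ForEach-Object {
            [pscustomobject]@{
                Account   = $_.Group[0].Account
                LogonType = $_.Group[0].LogonType
                Logons    = $_.Count
                SourceIPs = ($_.Group.SourceIP | Sort-Object -Unique) -join ', '
                First     = ($_.Group.Time | Measure-Object -Minimum).Minimum
                Last      = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        } | Sort-Object Logons -Descending
}

function Set-ControlledFolderAccess {
    param([ValidateSet('Enabled', 'AuditMode')][string]$Mode = 'Enabled')
    # Get-MpPreference reports the state numerically: 0 Disabled, 1 Enabled,
    # 2 AuditMode, 3 BlockDiskModificationOnly, 4 AuditDiskModificationOnly.
    $before = (Get-MpPreference).EnableControlledFolderAccess
    # 'Enabled' blocks untrusted writes to protected folders and to disk sectors,
    # which is why MSTIC lists CFA against MBR/VBR modification. Start with
    # 'AuditMode' where line-of-business software has not been tested against it.
    Set-MpPreference -EnableControlledFolderAccess $Mode
    $after = (Get-MpPreference).EnableControlledFolderAccess
    [pscustomobject]@{ Requested = $Mode; Before = $before; After = $after }
}

# Accounts with many RDP sources, or network logons at odd hours, are the ones
# to cross-check against the identity provider for MFA enforcement.
Get-RemoteLogonSummary -Days 7 | Format-Table -AutoSize
Set-ControlledFolderAccess -Mode Enabled | Format-List
```

The logon summary is a review aid, not a verdict: it tells you which accounts reached the host remotely and from where, and the single-factor question still has to be answered against the remote access gateway or identity provider that authenticated them.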