win.whispergate

WhisperGate

aka: PAYWIPE

Destructive multi-stage malware, presented as ransomware, deployed against Ukrainian government, non-profit and IT organizations in January 2022. The first stage overwrites the Master Boot Record with a bootloader that displays a ransom note; a later stage, unpacked from an Eazfuscator-obfuscated .NET loader, is a file corrupter, so there is no recovery path despite the note. Microsoft tracked the operator as DEV-0586, later named Cadet Blizzard.
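The MBR overwrite is the part of this family a responder can check directly from a disk image. The script below is an added example written for this page (it is not code from Malpedia or from any of the referenced analyses): it parses a raw 512-byte boot sector, validates the 0x55AA signature and the partition table, and flags a boot-code area that is mostly readable ASCII, which is what a note-printing bootloader looks like and what stock Windows boot code (a few short error strings) does not. Both sample sectors are constructed here; the ransom text in the malicious one is a placeholder, not the real note, and the 50% text threshold is a tuning assumption.

```python
"""Triage a raw MBR sector for a WhisperGate-style overwrite.

Added example for this page, not code from Malpedia or from any referenced
report. Samples below are constructed; the note text is a placeholder.
"""
import struct
import sys
from typing import Dict, List

BOOTCODE_LEN = 446          # boot code occupies bytes 0..445
PART_TABLE_OFF = 446        # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xAA"      # bytes 510..511


def printable_ratio(blob: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not blob:
        return 0.0
    ok = sum(1 for b in blob if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(blob)


def parse_partitions(sector: bytes) -> List[Dict[str, int]]:
    """Return the non-empty entries of the classic MBR partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            parts.append({"status": status, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts


def triage_mbr(sector: bytes, text_threshold: float = 0.5) -> Dict[str, object]:
    """Assumed heuristic: boot code that is mostly text is not boot code."""
    if len(sector) != 512:
        raise ValueError("expected exactly 512 bytes")
    ratio = printable_ratio(sector[:BOOTCODE_LEN])
    parts = parse_partitions(sector)
    findings = []
    if sector[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    if ratio >= text_threshold:
        findings.append(f"boot code is {ratio:.0%} printable text (embedded ransom note?)")
    if not parts:
        findings.append("partition table is empty")
    if any(p["status"] not in (0x00, 0x80) for p in parts):
        findings.append("partition entry with invalid status byte")
    return {"printable_ratio": round(ratio, 3), "partitions": parts,
            "findings": findings, "suspicious": bool(findings)}


def benign_mbr() -> bytes:
    """Constructed: a few x86 setup bytes, one short error string, zero padding,
    and a single active type-0x07 partition starting at LBA 2048."""
    code = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\x8E\xC0\x8E\xD8\xBE\x00\x7C\xBF\x00\x06"
    code += b"\xB9\x00\x02\xFC\xF3\xA4" + b"Invalid partition table\x00"
    code = code.ljust(BOOTCODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 1048576)
    return code + entry + b"\x00" * 48 + BOOT_SIG


def whispergate_style_mbr() -> bytes:
    """Constructed: a tiny int 10h print-loop stub followed by a long ASCII
    message (placeholder text, not the real note) and no partition table."""
    stub = b"\xB4\x0E\xAC\x84\xC0\x74\x04\xCD\x10\xEB\xF7\xEB\xFE"
    note = b"PLACEHOLDER RANSOM NOTE: your hard drive has been corrupted, pay to restore. " * 5
    code = (stub + note)[:BOOTCODE_LEN].ljust(BOOTCODE_LEN, b"\x00")
    return code + b"\x00" * 64 + BOOT_SIG


def read_mbr(path: str) -> bytes:
    """Read the first sector of a raw disk image (or block device)."""
    with open(path, "rb") as fh:
        return fh.read(512)


if __name__ == "__main__":
    sector = read_mbr(sys.argv[1]) if len(sys.argv) > 1 else whispergate_style_mbr()
    result = triage_mbr(sector)
    print("suspicious" if result["suspicious"] else "looks like ordinary boot code")
    for f in result["findings"]:
        print(" -", f)
```

Run it against a dd image (`python3 mbr_triage.py disk.img`) or with no argument to see the constructed malicious sector flagged. The partition-table check matters because a note-printing bootloader never needs a valid table, whereas a legitimately customised boot sector (a bootloader like GRUB) keeps one; treat a high text ratio plus an empty table as a strong signal and a high ratio alone as something to look at.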

References
2023-06-14 | Microsoft | Microsoft Threat Intelligence
Cadet Blizzard emerges as a novel and distinct Russian threat actor
p0wnyshell reGeorg WhisperGate DEV-0586 SaintBear
2023-04-18 | Mandiant | Mandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-03-15 | Microsoft | Microsoft Threat Intelligence
A year of Russian hybrid warfare in Ukraine
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket SwiftSlicer WhisperGate
2023-02-15 | Google | Google Threat Analysis Group, Mandiant
Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
CaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge MUSTANG PANDA Turla
2022-10-24 | Youtube (Virus Bulletin) | Alexander Adamov
Russian wipers in the cyberwar against Ukraine
AcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard INDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate
2022-09-26 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-08-12 | CrowdStrike | Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-07-18 | Palo Alto Networks Unit 42 | Unit 42
Ruinous Ursa
WhisperGate DEV-0586
2022-06-06 | Trellix | Trellix
Growling Bears Make Thunderous Noise
Cobalt Strike HermeticWiper WhisperGate NB65
2022-06-02 | Eclypsium | Eclypsium
Conti Targets Critical Firmware
Conti HermeticWiper TrickBot WhisperGate
2022-05-19 | Blackberry | The BlackBerry Research & Intelligence Team
.NET Stubs: Sowing the Seeds of Discord
Agent Tesla Quasar RAT WhisperGate
2022-05-19 | Blackberry | The BlackBerry Research & Intelligence Team
.NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate
2022-04-28 | Fortinet | Gergely Revay
An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2022-04-27 | Microsoft | Microsoft Digital Security Unit (DSU)
Special Report: Ukraine - An overview of Russia's cyberattack activity in Ukraine
CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate
2022-04-07 | InQuest | Nick Chalard, Will MacArthur
Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-03-30 | CrowdStrike | CrowdStrike Threat Intel Team
Who is EMBER BEAR?
WhisperGate
2022-03-14 | Kaspersky | GReAT
Webinar on cyberattacks in Ukraine – summary and Q&A
HermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate
2022-03-11 | Bitdefender | Radu Crahmaliuc
Five Things You Need to Know About the Cyberwar in Ukraine
HermeticWiper WhisperGate
2022-03-10 | BrightTALK (Kaspersky GReAT) | Costin Raiu, Dan Demeter, Ivan Kwiatkowski, Kurt Baumgartner, Marco Preuss
BrightTALK: A look at current cyberattacks in Ukraine
HermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate
2022-03-04 | Mandiant | James Sadowski, Ryan Hall
Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation
HermeticWiper PartyTicket WhisperGate
2022-03-03 | LIFARS | LIFARS
A Closer Look at the Russian Actors Targeting Organizations in Ukraine
HermeticWiper IsaacWiper Saint Bot WhisperGate
2022-03-03 | Trend Micro | Trend Micro Research
Cyberattacks are Prominent in the Russia-Ukraine Conflict
BazarBackdoor Cobalt Strike Conti Emotet WhisperGate
2022-03-03 | Trend Micro | Trend Micro Research
IOC Resource for Russia-Ukraine Conflict-Related Cyberattacks
ClipBanker Conti HermeticWiper PartyTicket WhisperGate
2022-02-28 | Microsoft | MSRC Team
Cyber threat activity in Ukraine: analysis and resources
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate DEV-0586
2022-02-28 | Microsoft | MSRC Team
Cyber threat activity in Ukraine: analysis and resources
HermeticWiper IsaacWiper PartyTicket WhisperGate
2022-02-26 | CISA | CISA, FBI
Destructive Malware Targeting Organizations in Ukraine
HermeticWiper WhisperGate
2022-02-26 | CISA
Alert (AA22-057A) Destructive Malware Targeting Organizations in Ukraine
HermeticWiper WhisperGate
2022-02-25 | The Hacker News | Ravie Lakshmanan
Putin Warns Russian Critical Infrastructure to Brace for Potential Cyber Attacks
HermeticWiper WhisperGate
2022-02-25 | CyberPeace Institute
UKRAINE: Timeline of Cyberattacks
VPNFilter EternalPetya HermeticWiper WhisperGate
2022-02-24 | Tesorion | TESORION
Report OSINT: Russia/Ukraine Conflict Cyberaspect
Mirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate
2022-02-24 | nviso | Michel Coene
Threat Update – Ukraine & Russia conflict
EternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate
2022-02-23 | The Record | Catalin Cimpanu
Second data wiper attack hits Ukraine computer networks
HermeticWiper WhisperGate
2022-02-15 | Intel 471 | Intel 471
How the Russia-Ukraine conflict is impacting cybercrime
WhisperGate
2022-02-10 | InQuest | Josiah Smith
+380-GlowSpark
GlowSpark WhisperGate
2022-02-03 | YouTube (Malfind Labs) | Lasq
Analyzing WhisperGate - destructive malware targeting Ukraine - part 1
WhisperGate
2022-02-03 | Blackberry | The BlackBerry Research & Intelligence Team
Threat Spotlight: WhisperGate Wiper Wreaks Havoc in Ukraine
WhisperGate
2022-02-01 | Cyborg Security | Brandon Denker
WhisperGate Malware - Update
WhisperGate
2022-02-01 | Max Kersten's Blog | Max Kersten
Dumping WhisperGate's wiper from an Eazfuscator obfuscated loader
WhisperGate
2022-01-31 | CrowdStrike | Liviu Arsene, Sarang Sonawane
CrowdStrike Falcon Proactively Protects Against Wiper Malware as CISA Warns U.S. Companies of Potential Attacks
WhisperGate
2022-01-28 | Recorded Future | Insikt Group®
WhisperGate Malware Corrupts Computers in Ukraine
WhisperGate
2022-01-28 | CrowdStrike | CrowdStrike Intelligence Team
Lessons Learned From Successive Use of Offensive Cyber Operations Against Ukraine and What May Be Next
WhisperGate
2022-01-27 | Recorded Future | John Wetzel
Russia's Biggest Threat Is Its Instability
WhisperGate
2022-01-27 | splunk | Splunk Threat Research Team
Threat Advisory: STRT-TA02 - Destructive Software
WhisperGate
2022-01-27 | Blackberry | The BlackBerry Research & Intelligence Team
Threat Thursday: WhisperGate Wiper Targets Government, Non-profit, and IT Organizations in Ukraine
WhisperGate
2022-01-27 | Gigamon | Joe Slowik
Focusing on "Left of Boom"
WhisperGate
2022-01-26 | Netskope | Gustavo Palazolo
Netskope Threat Coverage: WhisperGate
WhisperGate
2022-01-26 | Cert-UA | Cert-UA
Fragment of cyberattack research 14.01.2022
WhisperGate
2022-01-22 | csirt-mon | csirt-mon
Analysis of the Cyberattack on Ukrainian Government Resources
WhisperGate
2022-01-21 | Secureworks | Counter Threat Unit Research Team
Disruptive Attacks in Ukraine Likely Linked to Escalating Tensions
WhisperGate
2022-01-21 | Github (OALabs) | OALabs
WhisperGate Malware
WhisperGate
2022-01-21 | Zero Day | Kim Zetter
Hackers Were in Ukraine Systems Months Before Deploying Wiper
WhisperGate
2022-01-21 | Secureworks | Counter Threat Unit Research Team
WhisperGate: Not NotPetya
WhisperGate
2022-01-21 | Talos Intelligence | Chris Neal, Dmytro Korzhevin, Matt Olney, Michael Chen, Nick Biasini
Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation
WhisperGate
2022-01-20 | Trellix | Mo Cashman, Raj Samani, Taylor Mullins
Update on WhisperGate, Destructive Malware Targeting Ukraine – Threat Intelligence & Protections Update
WhisperGate
2022-01-20 | Palo Alto Networks Unit 42 | Josh Grunzweig, Mike Harbison, Robert Falcone
Threat Brief: Ongoing Russia and Ukraine Cyber Conflict
WhisperGate
2022-01-20 | Trellix | Christiaan Beek, Max Kersten, Raj Samani
Return of Pseudo Ransomware
WhisperGate
2022-01-20 | Twitter (@nunohaien) | Tillmann Werner
Tweet on key points of WhisperGate wiper
WhisperGate
2022-01-20 | LIFARS | Vlad Pasca
A Detailed Analysis of WhisperGate Targeting Ukrainian Organizations
WhisperGate
2022-01-19 | CrowdStrike | CrowdStrike Intelligence Team
Technical Analysis of the WhisperGate Malicious Bootloader
WhisperGate
2022-01-19 | rxOred's blog | rxored
WhisperGate
WhisperGate
2022-01-19 | Youtube (HEXORCIST) | Nicolas Brulez
WhisperGate: MBR Wiper Malware Analysis. Ukraine Cyber Attack 2022
WhisperGate
2022-01-19 | Elastic | Andrew Pease, Daniel Stepanic, James Spiteri, Joe Desimone, Mark Mager
Operation Bleeding Bear
WhisperGate
2022-01-19 | Elastic | Andrew Pease, Daniel Stepanic, James Spiteri, Joe Desimone, Mark Mager, Samir Bousseaden
Operation Bleeding Bear
WhisperGate
2022-01-18 | Stairwell | Silas Cutler
Whispers in the noise
WhisperGate
2022-01-18 | S2W Inc. | BLKSMTH
Analysis of Destructive Malware (WhisperGate) targeting Ukraine
WhisperGate
2022-01-18 | Twitter (@knight0x07) | neeraj
Thread on yet another comprehensive analysis of WHISPERGATE
WhisperGate
2022-01-18 | Microsoft | Microsoft 365 Defender Threat Intelligence Team
Evolved phishing: Device registration trick adds to phishers' toolbox for victims without MFA
WhisperGate
2022-01-18 | zetter substack | Kim Zetter
Dozens of Computers in Ukraine Wiped with Destructive Malware in Coordinated Attack
WhisperGate
2022-01-17 | Twitter (@HuskyHacksMK) | Matt (HuskyHacks)
WhisperGate Wiper Malware Analysis Live Thread
WhisperGate
2022-01-17 | Github (Dump-GUY) | Jiří Vinopal
Debugging MBR - IDA + Bochs Emulator (CTF example)
WhisperGate
2022-01-17 | Cado Security | Cado Security
Resources for DFIR Professionals Responding to WhisperGate Malware
WhisperGate
2022-01-17 | Twitter (@Libranalysis) | Max Kersten
Tweet on short analysis of WHISPERGATE stage 3 malware
WhisperGate
2022-01-15 | Microsoft | Tom Burt
Malware attacks targeting Ukraine government (DEV-0586)
WhisperGate
2022-01-15 | Microsoft | Microsoft, Microsoft 365 Defender Threat Intelligence Team, Microsoft Detection and Response Team (DART), Microsoft Digital Security Unit (DSU), Microsoft Security Intelligence
Destructive malware targeting Ukrainian organizations (DEV-0586)
WhisperGate DEV-0586
Yara Rules
[TLP:WHITE] win_whispergate_auto (20241030 | Detects win.whispergate.)
rule win_whispergate_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.whispergate."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 89442404 8b4208 890424 e8???????? 85c0 7426 8b4b04 }
            // n = 7, score = 300
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   8b4208               | mov                 eax, dword ptr [edx + 8]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7426                 | je                  0x28
            //   8b4b04               | mov                 ecx, dword ptr [ebx + 4]

        $sequence_1 = { 85d2 c7049100000000 75f2 31c0 }
            // n = 4, score = 300
            //   85d2                 | test                edx, edx
            //   c7049100000000       | mov                 dword ptr [ecx + edx*4], 0
            //   75f2                 | jne                 0xfffffff4
            //   31c0                 | xor                 eax, eax

        $sequence_2 = { 83c101 84c0 8842ff 75f0 8b4508 890424 8b75d0 }
            // n = 7, score = 300
            //   83c101               | add                 ecx, 1
            //   84c0                 | test                al, al
            //   8842ff               | mov                 byte ptr [edx - 1], al
            //   75f0                 | jne                 0xfffffff2
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   890424               | mov                 dword ptr [esp], eax
            //   8b75d0               | mov                 esi, dword ptr [ebp - 0x30]

        $sequence_3 = { e8???????? e9???????? c745c000000000 e9???????? 8903 8b5db8 85db }
            // n = 7, score = 300
            //   e8????????           |                     
            //   e9????????           |                     
            //   c745c000000000       | mov                 dword ptr [ebp - 0x40], 0
            //   e9????????           |                     
            //   8903                 | mov                 dword ptr [ebx], eax
            //   8b5db8               | mov                 ebx, dword ptr [ebp - 0x48]
            //   85db                 | test                ebx, ebx

        $sequence_4 = { 83c41c c3 c705????????ffffffff dbe3 }
            // n = 4, score = 300
            //   83c41c               | add                 esp, 0x1c
            //   c3                   | ret                 
            //   c705????????ffffffff     |     
            //   dbe3                 | fninit              

        $sequence_5 = { 784f 891c24 e8???????? 85f6 }
            // n = 4, score = 300
            //   784f                 | js                  0x51
            //   891c24               | mov                 dword ptr [esp], ebx
            //   e8????????           |                     
            //   85f6                 | test                esi, esi

        $sequence_6 = { c7042400000000 e8???????? 8d5001 89542404 }
            // n = 4, score = 300
            //   c7042400000000       | mov                 dword ptr [esp], 0
            //   e8????????           |                     
            //   8d5001               | lea                 edx, [eax + 1]
            //   89542404             | mov                 dword ptr [esp + 4], edx

        $sequence_7 = { 83ec0c 85c0 0f84a8000000 8b442438 }
            // n = 4, score = 300
            //   83ec0c               | sub                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   0f84a8000000         | je                  0xae
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]

        $sequence_8 = { c1e004 e8???????? 29c4 c745e400000000 c745d400000000 }
            // n = 5, score = 300
            //   c1e004               | shl                 eax, 4
            //   e8????????           |                     
            //   29c4                 | sub                 esp, eax
            //   c745e400000000       | mov                 dword ptr [ebp - 0x1c], 0
            //   c745d400000000       | mov                 dword ptr [ebp - 0x2c], 0

        $sequence_9 = { 89de 8d44240c 89c7 8945c8 0fb603 3c7f 7428 }
            // n = 7, score = 300
            //   89de                 | mov                 esi, ebx
            //   8d44240c             | lea                 eax, [esp + 0xc]
            //   89c7                 | mov                 edi, eax
            //   8945c8               | mov                 dword ptr [ebp - 0x38], eax
            //   0fb603               | movzx               eax, byte ptr [ebx]
            //   3c7f                 | cmp                 al, 0x7f
            //   7428                 | je                  0x2a

    condition:
        7 of them and filesize < 114688
}