SYMBOLCOMMON_NAMEaka. SYNONYMS
win.whispergate (Back to overview)

WhisperGate

aka: PAYWIPE

Destructive malware deployed against targets in Ukraine in January 2022.

References
2023-06-14MicrosoftMicrosoft Threat Intelligence
@online{intelligence:20230614:cadet:c02303d, author = {Microsoft Threat Intelligence}, title = {{Cadet Blizzard emerges as a novel and distinct Russian threat actor}}, date = {2023-06-14}, organization = {Microsoft}, url = {https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/}, language = {English}, urldate = {2023-07-11} } Cadet Blizzard emerges as a novel and distinct Russian threat actor
p0wnyshell reGeorg WhisperGate
2023-04-18MandiantMandiant
@online{mandiant:20230418:mtrends:af1a28e, author = {Mandiant}, title = {{M-Trends 2023}}, date = {2023-04-18}, organization = {Mandiant}, url = {https://mandiant.widen.net/s/pkffwrbjlz/m-trends-2023}, language = {English}, urldate = {2023-04-18} } M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-03-15MicrosoftMicrosoft Threat Intelligence
@techreport{intelligence:20230315:year:01e29b1, author = {Microsoft Threat Intelligence}, title = {{A year of Russian hybrid warfare in Ukraine}}, date = {2023-03-15}, institution = {Microsoft}, url = {https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf}, language = {English}, urldate = {2023-04-25} } A year of Russian hybrid warfare in Ukraine
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket SwiftSlicer WhisperGate
2023-02-15GoogleGoogle Threat Analysis Group, Mandiant
@techreport{group:20230215:fog:0d99aaa, author = {Google Threat Analysis Group and Mandiant}, title = {{Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape}}, date = {2023-02-15}, institution = {Google}, url = {https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf}, language = {English}, urldate = {2023-03-13} } Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
CaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge MUSTANG PANDA Turla
2022-10-24Youtube (Virus Bulletin)Alexander Adamov
@online{adamov:20221024:russian:97d3e2a, author = {Alexander Adamov}, title = {{Russian wipers in the cyberwar against Ukraine}}, date = {2022-10-24}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=mrTdSdMMgnk}, language = {English}, urldate = {2023-03-20} } Russian wipers in the cyberwar against Ukraine
AcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard INDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate
2022-09-26CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220926:anatomy:248e6ff, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 3: Input/Output Controls}}, date = {2022-09-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/}, language = {English}, urldate = {2022-09-29} } The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-08-12CrowdStrikeIoan Iacob, Iulian Madalin Ionita
@online{iacob:20220812:anatomy:b13ce32, author = {Ioan Iacob and Iulian Madalin Ionita}, title = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}}, date = {2022-08-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/}, language = {English}, urldate = {2023-01-19} } The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare
2022-07-18Palo Alto Networks Unit 42Unit 42
@online{42:20220718:ruinous:c0bf32d, author = {Unit 42}, title = {{Ruinous Ursa}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/ruinousursa/}, language = {English}, urldate = {2022-07-25} } Ruinous Ursa
WhisperGate DEV-0586
2022-06-06TrellixTrelix
@online{trelix:20220606:growling:14f9f75, author = {Trelix}, title = {{Growling Bears Make Thunderous Noise}}, date = {2022-06-06}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html}, language = {English}, urldate = {2022-06-08} } Growling Bears Make Thunderous Noise
Cobalt Strike HermeticWiper WhisperGate NB65
2022-06-02EclypsiumEclypsium
@online{eclypsium:20220602:conti:abb9754, author = {Eclypsium}, title = {{Conti Targets Critical Firmware}}, date = {2022-06-02}, organization = {Eclypsium}, url = {https://eclypsium.com/2022/06/02/conti-targets-critical-firmware/}, language = {English}, urldate = {2022-06-04} } Conti Targets Critical Firmware
Conti HermeticWiper TrickBot WhisperGate
2022-05-19BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220519:net:ecf311c, author = {The BlackBerry Research & Intelligence Team}, title = {{.NET Stubs: Sowing the Seeds of Discord (PureCrypter)}}, date = {2022-05-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord}, language = {English}, urldate = {2022-06-09} } .NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate
2022-05-19BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220519:net:64662b5, author = {The BlackBerry Research & Intelligence Team}, title = {{.NET Stubs: Sowing the Seeds of Discord}}, date = {2022-05-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord?}, language = {English}, urldate = {2022-05-23} } .NET Stubs: Sowing the Seeds of Discord
Agent Tesla Quasar RAT WhisperGate
2022-04-28FortinetGergely Revay
@online{revay:20220428:overview:0ac963f, author = {Gergely Revay}, title = {{An Overview of the Increasing Wiper Malware Threat}}, date = {2022-04-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat}, language = {English}, urldate = {2022-04-29} } An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2022-04-27MicrosoftMicrosoft Digital Security Unit (DSU)
@online{dsu:20220427:special:f1a2031, author = {Microsoft Digital Security Unit (DSU)}, title = {{Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine}}, date = {2022-04-27}, organization = {Microsoft}, url = {https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd}, language = {English}, urldate = {2022-05-03} } Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine
CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate
2022-04-07InQuestWill MacArthur, Nick Chalard
@online{macarthur:20220407:ukraine:99bef5a, author = {Will MacArthur and Nick Chalard}, title = {{Ukraine CyberWar Overview}}, date = {2022-04-07}, organization = {InQuest}, url = {https://inquest.net/blog/2022/04/07/ukraine-cyberwar-overview}, language = {English}, urldate = {2022-04-29} } Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate
2022-03-30CrowdStrikeCrowdStrike Threat Intel Team
@online{team:20220330:who:f73e255, author = {CrowdStrike Threat Intel Team}, title = {{Who is EMBER BEAR?}}, date = {2022-03-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/who-is-ember-bear/}, language = {English}, urldate = {2022-03-31} } Who is EMBER BEAR?
WhisperGate
2022-03-14KasperskyGReAT
@online{great:20220314:webinar:f6bfb3c, author = {GReAT}, title = {{Webinar on cyberattacks in Ukraine – summary and Q&A}}, date = {2022-03-14}, organization = {Kaspersky}, url = {https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/}, language = {English}, urldate = {2022-04-05} } Webinar on cyberattacks in Ukraine – summary and Q&A
HermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate
2022-03-11BitdefenderRadu Crahmaliuc
@online{crahmaliuc:20220311:five:9ba5aa0, author = {Radu Crahmaliuc}, title = {{Five Things You Need to Know About the Cyberwar in Ukraine}}, date = {2022-03-11}, organization = {Bitdefender}, url = {https://www.bitdefender.com/blog/hotforsecurity/five-things-you-need-to-know-about-the-cyberwar-in-ukraine/}, language = {English}, urldate = {2022-03-31} } Five Things You Need to Know About the Cyberwar in Ukraine
HermeticWiper WhisperGate
2022-03-10BrightTALK (Kaspersky GReAT)Costin Raiu, Marco Preuss, Kurt Baumgartner, Dan Demeter, Ivan Kwiatkowski
@online{raiu:20220310:brighttalk:a3d9072, author = {Costin Raiu and Marco Preuss and Kurt Baumgartner and Dan Demeter and Ivan Kwiatkowski}, title = {{BrightTALK: A look at current cyberattacks in Ukraine}}, date = {2022-03-10}, organization = {BrightTALK (Kaspersky GReAT)}, url = {https://www.brighttalk.com/webcast/15591/534324}, language = {English}, urldate = {2022-04-05} } BrightTALK: A look at current cyberattacks in Ukraine
HermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate
2022-03-04MandiantJames Sadowski, Ryan Hall
@online{sadowski:20220304:responses:0b94dae, author = {James Sadowski and Ryan Hall}, title = {{Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation}}, date = {2022-03-04}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation}, language = {English}, urldate = {2022-03-07} } Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation
HermeticWiper PartyTicket WhisperGate
2022-03-03Trend MicroTrend Micro Research
@techreport{research:20220303:ioc:216aad3, author = {Trend Micro Research}, title = {{IOC Resource for Russia-Ukraine Conflict-Related Cyberattacks}}, date = {2022-03-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf}, language = {English}, urldate = {2022-03-04} } IOC Resource for Russia-Ukraine Conflict-Related Cyberattacks
ClipBanker Conti HermeticWiper PartyTicket WhisperGate
2022-03-03Trend MicroTrend Micro Research
@online{research:20220303:cyberattacks:d961eb0, author = {Trend Micro Research}, title = {{Cyberattacks are Prominent in the Russia-Ukraine Conflict}}, date = {2022-03-03}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html}, language = {English}, urldate = {2022-03-04} } Cyberattacks are Prominent in the Russia-Ukraine Conflict
BazarBackdoor Cobalt Strike Conti Emotet WhisperGate
2022-03-03LIFARSLIFARS
@online{lifars:20220303:closer:f29cc25, author = {LIFARS}, title = {{A Closer Look at the Russian Actors Targeting Organizations in Ukraine}}, date = {2022-03-03}, organization = {LIFARS}, url = {https://lifars.com/2022/03/a-closer-look-at-the-russian-actors-targeting-organizations-in-ukraine/}, language = {English}, urldate = {2022-03-04} } A Closer Look at the Russian Actors Targeting Organizations in Ukraine
HermeticWiper IsaacWiper Saint Bot WhisperGate
2022-02-28MicrosoftMSRC Team
@online{team:20220228:cyber:8ef46fd, author = {MSRC Team}, title = {{Cyber threat activity in Ukraine: analysis and resources}}, date = {2022-02-28}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine}, language = {English}, urldate = {2022-03-07} } Cyber threat activity in Ukraine: analysis and resources
HermeticWiper IsaacWiper PartyTicket WhisperGate
2022-02-28MicrosoftMSRC Team
@online{team:20220228:cyber:69efe8b, author = {MSRC Team}, title = {{Cyber threat activity in Ukraine: analysis and resources}}, date = {2022-02-28}, organization = {Microsoft}, url = {https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/}, language = {English}, urldate = {2022-07-25} } Cyber threat activity in Ukraine: analysis and resources
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate DEV-0586
2022-02-26CISACISA, FBI
@techreport{cisa:20220226:destructive:be5862b, author = {CISA and FBI}, title = {{Destructive Malware Targeting Organizations in Ukraine}}, date = {2022-02-26}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-057A_Destructive_Malware_Targeting_Organizations_in_Ukraine.pdf}, language = {English}, urldate = {2022-03-01} } Destructive Malware Targeting Organizations in Ukraine
HermeticWiper WhisperGate
2022-02-26CISA
@online{cisa:20220226:alert:48440b6, author = {CISA}, title = {{Alert (AA22-057A) Destructive Malware Targeting Organizations in Ukraine}}, date = {2022-02-26}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-057a}, language = {English}, urldate = {2022-03-01} } Alert (AA22-057A) Destructive Malware Targeting Organizations in Ukraine
HermeticWiper WhisperGate
2022-02-25CyberPeace Institute
@online{institute:20220225:ukraine:eb66e34, author = {CyberPeace Institute}, title = {{UKRAINE: Timeline of Cyberattacks}}, date = {2022-02-25}, url = {https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks}, language = {English}, urldate = {2022-03-01} } UKRAINE: Timeline of Cyberattacks
VPNFilter EternalPetya HermeticWiper WhisperGate
2022-02-25The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220225:putin:09a1fea, author = {Ravie Lakshmanan}, title = {{Putin Warns Russian Critical Infrastructure to Brace for Potential Cyber Attacks}}, date = {2022-02-25}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/putin-warns-russian-critical.html}, language = {English}, urldate = {2022-03-01} } Putin Warns Russian Critical Infrastructure to Brace for Potential Cyber Attacks
HermeticWiper WhisperGate
2022-02-24nvisoMichel Coene
@online{coene:20220224:threat:f0dba09, author = {Michel Coene}, title = {{Threat Update – Ukraine & Russia conflict}}, date = {2022-02-24}, organization = {nviso}, url = {https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/}, language = {English}, urldate = {2022-03-01} } Threat Update – Ukraine & Russia conflict
EternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate
2022-02-24TesorionTESORION
@techreport{tesorion:20220224:report:e2f2082, author = {TESORION}, title = {{Report OSINT: Russia/ Ukraine Conflict Cyberaspect}}, date = {2022-02-24}, institution = {Tesorion}, url = {https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf}, language = {English}, urldate = {2022-03-01} } Report OSINT: Russia/ Ukraine Conflict Cyberaspect
Mirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate
2022-02-23The RecordCatalin Cimpanu
@online{cimpanu:20220223:second:960453d, author = {Catalin Cimpanu}, title = {{Second data wiper attack hits Ukraine computer networks}}, date = {2022-02-23}, organization = {The Record}, url = {https://therecord.media/second-data-wiper-attack-hits-ukraine-computer-networks/}, language = {English}, urldate = {2022-03-01} } Second data wiper attack hits Ukraine computer networks
HermeticWiper WhisperGate
2022-02-15Intel 471Intel 471
@online{471:20220215:how:c105692, author = {Intel 471}, title = {{How the Russia-Ukraine conflict is impacting cybercrime}}, date = {2022-02-15}, organization = {Intel 471}, url = {https://intel471.com/blog/russia-ukraine-conflict-cybercrime-underground}, language = {English}, urldate = {2022-02-17} } How the Russia-Ukraine conflict is impacting cybercrime
WhisperGate
2022-02-10InQuestJosiah Smith
@online{smith:20220210:380glowspark:6e3a6c6, author = {Josiah Smith}, title = {{+380-GlowSpark}}, date = {2022-02-10}, organization = {InQuest}, url = {https://inquest.net/blog/2022/02/10/380-glowspark}, language = {English}, urldate = {2022-02-17} } +380-GlowSpark
GlowSpark WhisperGate
2022-02-03BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220203:threat:0ee1428, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Spotlight: WhisperGate Wiper Wreaks Havoc in Ukraine}}, date = {2022-02-03}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/02/threat-spotlight-whispergate-wiper-wreaks-havoc-in-ukraine}, language = {English}, urldate = {2022-03-02} } Threat Spotlight: WhisperGate Wiper Wreaks Havoc in Ukraine
WhisperGate
2022-02-03YouTube (Malfind Labs)Lasq
@online{lasq:20220203:analyzing:7e58c93, author = {Lasq}, title = {{Analyzing WhisperGate - destructive malware targeting Ukraine - part 1}}, date = {2022-02-03}, organization = {YouTube (Malfind Labs)}, url = {https://www.youtube.com/watch?v=Ek3URIaC5O8}, language = {English}, urldate = {2022-02-07} } Analyzing WhisperGate - destructive malware targeting Ukraine - part 1
WhisperGate
2022-02-01Max Kersten's BlogMax Kersten
@online{kersten:20220201:dumping:2784605, author = {Max Kersten}, title = {{Dumping WhisperGate’s wiper from an Eazfuscator obfuscated loader}}, date = {2022-02-01}, organization = {Max Kersten's Blog}, url = {https://maxkersten.nl/binary-analysis-course/malware-analysis/dumping-whispergates-wiper-from-an-eazfuscator-obfuscated-loader/}, language = {English}, urldate = {2022-02-02} } Dumping WhisperGate’s wiper from an Eazfuscator obfuscated loader
WhisperGate
2022-02-01Cyborg SecurityBrandon Denker
@techreport{denker:20220201:whispergate:1eca84b, author = {Brandon Denker}, title = {{WhisperGate Malware - Update}}, date = {2022-02-01}, institution = {Cyborg Security}, url = {https://info.cyborgsecurity.com/hubfs/Emerging%20Threats/WhisperGate%20Malware%20Update%20-%20Emerging%20Threat.pdf}, language = {English}, urldate = {2022-02-10} } WhisperGate Malware - Update
WhisperGate
2022-01-31CrowdStrikeSarang Sonawane, Liviu Arsene
@online{sonawane:20220131:crowdstrike:1fd4945, author = {Sarang Sonawane and Liviu Arsene}, title = {{CrowdStrike Falcon Proactively Protects Against Wiper Malware as CISA Warns U.S. Companies of Potential Attacks}}, date = {2022-01-31}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-crowdstrike-protects-against-data-wiping-malware/}, language = {English}, urldate = {2022-02-02} } CrowdStrike Falcon Proactively Protects Against Wiper Malware as CISA Warns U.S. Companies of Potential Attacks
WhisperGate
2022-01-28CrowdStrikeCrowdStrike Intelligence Team
@online{team:20220128:lessons:fc2d4c6, author = {CrowdStrike Intelligence Team}, title = {{Lessons Learned From Successive Use of Offensive Cyber Operations Against Ukraine and What May Be Next}}, date = {2022-01-28}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/lessons-from-past-cyber-operations-against-ukraine/}, language = {English}, urldate = {2022-02-01} } Lessons Learned From Successive Use of Offensive Cyber Operations Against Ukraine and What May Be Next
WhisperGate
2022-01-28Recorded FutureInsikt Group®
@online{group:20220128:whispergate:304e5df, author = {Insikt Group®}, title = {{WhisperGate Malware Corrupts Computers in Ukraine}}, date = {2022-01-28}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/whispergate-malware-corrupts-computers-ukraine/}, language = {English}, urldate = {2022-02-04} } WhisperGate Malware Corrupts Computers in Ukraine
WhisperGate
2022-01-27splunkSplunk Threat Research Team
@online{team:20220127:threat:6829079, author = {Splunk Threat Research Team}, title = {{Threat Advisory: STRT-TA02 - Destructive Software}}, date = {2022-01-27}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html?splunk}, language = {English}, urldate = {2022-02-02} } Threat Advisory: STRT-TA02 - Destructive Software
WhisperGate
2022-01-27splunkSplunk Threat Research Team
@online{team:20220127:threat:ea9f405, author = {Splunk Threat Research Team}, title = {{Threat Advisory: STRT-TA02 - Destructive Software}}, date = {2022-01-27}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html}, language = {English}, urldate = {2022-02-01} } Threat Advisory: STRT-TA02 - Destructive Software
WhisperGate
2022-01-27GigamonJoe Slowik
@online{slowik:20220127:focusing:5b47208, author = {Joe Slowik}, title = {{Focusing on “Left of Boom”}}, date = {2022-01-27}, organization = {Gigamon}, url = {https://blog.gigamon.com/2022/01/28/focusing-on-left-of-boom/}, language = {English}, urldate = {2022-02-02} } Focusing on “Left of Boom”
WhisperGate
2022-01-27Recorded FutureJohn Wetzel
@techreport{wetzel:20220127:russias:e336cc8, author = {John Wetzel}, title = {{Russia’s Biggest Threat Is Its Instability}}, date = {2022-01-27}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/pov-2022-0127.pdf}, language = {English}, urldate = {2022-02-04} } Russia’s Biggest Threat Is Its Instability
WhisperGate
2022-01-27BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220127:threat:68af23b, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: WhisperGate Wiper Targets Government, Non-profit, and IT Organizations in Ukraine}}, date = {2022-01-27}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/01/threat-thursday-whispergate-wiper}, language = {English}, urldate = {2022-02-01} } Threat Thursday: WhisperGate Wiper Targets Government, Non-profit, and IT Organizations in Ukraine
WhisperGate
2022-01-26Cert-UACert-UA
@online{certua:20220126:fragment:f64191e, author = {Cert-UA}, title = {{Fragment of cyberattack research 14.01.2022}}, date = {2022-01-26}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/18101}, language = {Ukrainian}, urldate = {2022-01-28} } Fragment of cyberattack research 14.01.2022
WhisperGate
2022-01-26NetskopeGustavo Palazolo
@online{palazolo:20220126:netskope:8a29793, author = {Gustavo Palazolo}, title = {{Netskope Threat Coverage: WhisperGate}}, date = {2022-01-26}, organization = {Netskope}, url = {https://www.netskope.com/blog/netskope-threat-coverage-whispergate}, language = {English}, urldate = {2022-01-31} } Netskope Threat Coverage: WhisperGate
WhisperGate
2022-01-22csirt-moncsirt-mon
@online{csirtmon:20220122:analysis:25ca045, author = {csirt-mon}, title = {{Analysis of the Cyberattack on Ukrainian Government Resources}}, date = {2022-01-22}, organization = {csirt-mon}, url = {https://csirt-mon.wp.mil.pl/pl/articles6-aktualnosci/analysis-cyberattack-ukrainian-government-resources/}, language = {English}, urldate = {2022-01-28} } Analysis of the Cyberattack on Ukrainian Government Resources
WhisperGate
2022-01-21SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20220121:disruptive:fff238c, author = {Counter Threat Unit ResearchTeam}, title = {{Disruptive Attacks in Ukraine Likely Linked to Escalating Tensions}}, date = {2022-01-21}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/disruptive-attacks-in-ukraine-likely-linked-to-escalating-tensions}, language = {English}, urldate = {2022-01-25} } Disruptive Attacks in Ukraine Likely Linked to Escalating Tensions
WhisperGate
2022-01-21SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20220121:whispergate:bcdbf9d, author = {Counter Threat Unit ResearchTeam}, title = {{WhisperGate: Not NotPetya}}, date = {2022-01-21}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/whispergate-not-notpetya}, language = {English}, urldate = {2022-01-25} } WhisperGate: Not NotPetya
WhisperGate
2022-01-21Zero DayKim Zetter
@online{zetter:20220121:hackers:335d7dd, author = {Kim Zetter}, title = {{Hackers Were in Ukraine Systems Months Before Deploying Wiper}}, date = {2022-01-21}, organization = {Zero Day}, url = {https://zetter.substack.com/p/hackers-were-in-ukraine-systems-months}, language = {English}, urldate = {2022-01-25} } Hackers Were in Ukraine Systems Months Before Deploying Wiper
WhisperGate
2022-01-21Talos IntelligenceNick Biasini, Michael Chen, Chris Neal, Matt Olney, Dmytro Korzhevin
@online{biasini:20220121:ukraine:e0da072, author = {Nick Biasini and Michael Chen and Chris Neal and Matt Olney and Dmytro Korzhevin}, title = {{Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation}}, date = {2022-01-21}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html}, language = {English}, urldate = {2022-01-25} } Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation
WhisperGate
2022-01-21Github (OALabs)OALabs
@online{oalabs:20220121:whispergate:e235152, author = {OALabs}, title = {{WhisperGate Malware}}, date = {2022-01-21}, organization = {Github (OALabs)}, url = {https://github.com/OALabs/Lab-Notes/blob/main/WhisperGate/WhisperGate.ipynb}, language = {English}, urldate = {2022-01-25} } WhisperGate Malware
WhisperGate
2022-01-20LIFARSVlad Pasca
@online{pasca:20220120:detailed:87c1f12, author = {Vlad Pasca}, title = {{A Detailed Analysis of WhisperGate Targeting Ukrainian Organizations}}, date = {2022-01-20}, organization = {LIFARS}, url = {https://lifars.com/2022/01/a-detailed-analysis-of-whispergate-targeting-ukrainian-organizations/}, language = {English}, urldate = {2022-01-24} } A Detailed Analysis of WhisperGate Targeting Ukrainian Organizations
WhisperGate
2022-01-20Palo Alto Networks Unit 42Robert Falcone, Mike Harbison, Josh Grunzweig
@online{falcone:20220120:threat:4aad471, author = {Robert Falcone and Mike Harbison and Josh Grunzweig}, title = {{Threat Brief: Ongoing Russia and Ukraine Cyber Conflict}}, date = {2022-01-20}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/}, language = {English}, urldate = {2022-01-24} } Threat Brief: Ongoing Russia and Ukraine Cyber Conflict
WhisperGate
2022-01-20TrellixRaj Samani, Mo Cashman, Taylor Mullins
@online{samani:20220120:update:43f230d, author = {Raj Samani and Mo Cashman and Taylor Mullins}, title = {{Update on WhisperGate, Destructive Malware Targeting Ukraine – Threat Intelligence & Protections Update}}, date = {2022-01-20}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/update-on-whispergate-destructive-malware-targeting-ukraine.html}, language = {English}, urldate = {2022-01-25} } Update on WhisperGate, Destructive Malware Targeting Ukraine – Threat Intelligence & Protections Update
WhisperGate
2022-01-20TrellixChristiaan Beek, Max Kersten, Raj Samani
@online{beek:20220120:return:a89bce6, author = {Christiaan Beek and Max Kersten and Raj Samani}, title = {{Return of Pseudo Ransomware}}, date = {2022-01-20}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/return-of-pseudo-ransomware.html}, language = {English}, urldate = {2022-01-24} } Return of Pseudo Ransomware
WhisperGate
2022-01-20Twitter (@nunohaien)Tillmann Werner
@online{werner:20220120:key:d2605ca, author = {Tillmann Werner}, title = {{Tweet on key points of Whispergate wiper}}, date = {2022-01-20}, organization = {Twitter (@nunohaien)}, url = {https://twitter.com/nunohaien/status/1484088885575622657}, language = {English}, urldate = {2022-01-24} } Tweet on key points of Whispergate wiper
WhisperGate
2022-01-19ElasticDaniel Stepanic, Samir Bousseaden, James Spiteri, Joe Desimone, Mark Mager, Andrew Pease
@online{stepanic:20220119:operation:c81f473, author = {Daniel Stepanic and Samir Bousseaden and James Spiteri and Joe Desimone and Mark Mager and Andrew Pease}, title = {{Operation Bleeding Bear}}, date = {2022-01-19}, organization = {Elastic}, url = {https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/}, language = {English}, urldate = {2022-01-24} } Operation Bleeding Bear
WhisperGate
2022-01-19CrowdStrikeCrowdStrike Intelligence Team
@online{team:20220119:technical:8a81c7e, author = {CrowdStrike Intelligence Team}, title = {{Technical Analysis of the WhisperGate Malicious Bootloader}}, date = {2022-01-19}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/technical-analysis-of-whispergate-malware/}, language = {English}, urldate = {2022-01-20} } Technical Analysis of the WhisperGate Malicious Bootloader
WhisperGate
2022-01-19Youtube (HEXORCIST)Nicolas Brulez
@online{brulez:20220119:whispergate:a81ff16, author = {Nicolas Brulez}, title = {{WhisperGate: MBR Wiper Malware Analysis. Ukraine Cyber Attack 2022}}, date = {2022-01-19}, organization = {Youtube (HEXORCIST)}, url = {https://www.youtube.com/watch?v=2nd-f1dIfD4}, language = {English}, urldate = {2022-01-24} } WhisperGate: MBR Wiper Malware Analysis. Ukraine Cyber Attack 2022
WhisperGate
2022-01-19ElasticDaniel Stepanic, James Spiteri, Joe Desimone, Mark Mager, Andrew Pease
@online{stepanic:20220119:operation:95a5975, author = {Daniel Stepanic and James Spiteri and Joe Desimone and Mark Mager and Andrew Pease}, title = {{Operation Bleeding Bear}}, date = {2022-01-19}, organization = {Elastic}, url = {https://www.elastic.co/fr/security-labs/operation-bleeding-bear}, language = {English}, urldate = {2023-01-05} } Operation Bleeding Bear
WhisperGate
2022-01-19rxOred's blogrxored
@online{rxored:20220119:whispergate:39880e3, author = {rxored}, title = {{WhisperGate}}, date = {2022-01-19}, organization = {rxOred's blog}, url = {https://rxored.github.io/post/analysis/whispergate/whispergate/}, language = {English}, urldate = {2022-01-24} } WhisperGate
WhisperGate
2022-01-18StairwellSilas Cutler
@online{cutler:20220118:whispers:c986974, author = {Silas Cutler}, title = {{Whispers in the noise}}, date = {2022-01-18}, organization = {Stairwell}, url = {https://stairwell.com/news/whispers-in-the-noise-microsoft-ukraine-whispergate/}, language = {English}, urldate = {2022-01-19} } Whispers in the noise
WhisperGate
2022-01-18MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20220118:evolved:87fc647, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA}}, date = {2022-01-18}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/}, language = {English}, urldate = {2022-01-31} } Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA
WhisperGate
2022-01-18S2W Inc.BLKSMTH
@online{blksmth:20220118:analysis:f6d259e, author = {BLKSMTH}, title = {{Analysis of Destructive Malware (WhisperGate) targeting Ukraine}}, date = {2022-01-18}, organization = {S2W Inc.}, url = {https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3}, language = {English}, urldate = {2022-01-19} } Analysis of Destructive Malware (WhisperGate) targeting Ukraine
WhisperGate
2022-01-18zetter substackKim Zetter
@online{zetter:20220118:dozens:55ba77a, author = {Kim Zetter}, title = {{Dozens of Computers in Ukraine Wiped with Destructive Malware in Coordinated Attack}}, date = {2022-01-18}, organization = {zetter substack}, url = {https://zetter.substack.com/p/dozens-of-computers-in-ukraine-wiped}, language = {English}, urldate = {2022-01-24} } Dozens of Computers in Ukraine Wiped with Destructive Malware in Coordinated Attack
WhisperGate
2022-01-18Twitter (@knight0x07)neeraj
@online{neeraj:20220118:thread:f5c7756, author = {neeraj}, title = {{Thread on yet another comprehensive analysis of WHISPERGATE}}, date = {2022-01-18}, organization = {Twitter (@knight0x07)}, url = {https://twitter.com/knight0x07/status/1483401072102502400}, language = {English}, urldate = {2022-01-31} } Thread on yet another comprehensive analysis of WHISPERGATE
WhisperGate
2022-01-17Twitter (@HuskyHacksMK)Matt | HuskyHacks
@online{huskyhacks:20220117:whispergate:8223b85, author = {Matt | HuskyHacks}, title = {{WhisperGate Wiper Malware Analysis Live Thread}}, date = {2022-01-17}, organization = {Twitter (@HuskyHacksMK)}, url = {https://twitter.com/HuskyHacksMK/status/1482876242047258628}, language = {English}, urldate = {2022-01-25} } WhisperGate Wiper Malware Analysis Live Thread
WhisperGate
2022-01-17Cado SecurityCado Security
@online{security:20220117:resources:a47b0a6, author = {Cado Security}, title = {{Resources for DFIR Professionals Responding to WhisperGate Malware}}, date = {2022-01-17}, organization = {Cado Security}, url = {https://www.cadosecurity.com/resources-for-dfir-professionals-responding-to-whispergate-malware/}, language = {English}, urldate = {2022-01-18} } Resources for DFIR Professionals Responding to WhisperGate Malware
WhisperGate
2022-01-17Twitter (@Libranalysis)Max Kersten
@online{kersten:20220117:short:d913f54, author = {Max Kersten}, title = {{Tweet on short analysis of WHISPERGATE stage 3 malware}}, date = {2022-01-17}, organization = {Twitter (@Libranalysis)}, url = {https://twitter.com/Libranalysis/status/1483128221956808704}, language = {English}, urldate = {2022-01-25} } Tweet on short analysis of WHISPERGATE stage 3 malware
WhisperGate
2022-01-17Github (Dump-GUY)Jiří Vinopal
@online{vinopal:20220117:debugging:d4899ec, author = {Jiří Vinopal}, title = {{Debugging MBR - IDA + Bochs Emulator (CTF example)}}, date = {2022-01-17}, organization = {Github (Dump-GUY)}, url = {https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator/Debugging%20MBR%20-%20IDA%20+%20Bochs%20Emulator.md}, language = {English}, urldate = {2022-01-24} } Debugging MBR - IDA + Bochs Emulator (CTF example)
WhisperGate
2022-01-15MicrosoftTom Burt
@online{burt:20220115:malware:5f4e2d4, author = {Tom Burt}, title = {{Malware attacks targeting Ukraine government (DEV-0586)}}, date = {2022-01-15}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2022/01/15/mstic-malware-cyberattacks-ukraine-government/}, language = {English}, urldate = {2022-04-15} } Malware attacks targeting Ukraine government (DEV-0586)
WhisperGate
2022-01-15MicrosoftMicrosoft, Microsoft Security Intelligence, Microsoft Digital Security Unit (DSU), Microsoft Detection and Response Team (DART), Microsoft 365 Defender Threat Intelligence Team
@online{microsoft:20220115:destructive:77ac2f5, author = {Microsoft and Microsoft Security Intelligence and Microsoft Digital Security Unit (DSU) and Microsoft Detection and Response Team (DART) and Microsoft 365 Defender Threat Intelligence Team}, title = {{Destructive malware targeting Ukrainian organizations (DEV-0586)}}, date = {2022-01-15}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/}, language = {English}, urldate = {2022-01-18} } Destructive malware targeting Ukrainian organizations (DEV-0586)
WhisperGate DEV-0586
Yara Rules
[TLP:WHITE] win_whispergate_auto (20230808 | Detects win.whispergate.)
rule win_whispergate_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.whispergate."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 89d0 80f92f 0f846b060000 80f95c 0f8462060000 8d50ff }
            // n = 6, score = 300
            //   89d0                 | mov                 eax, edx
            //   80f92f               | cmp                 cl, 0x2f
            //   0f846b060000         | je                  0x671
            //   80f95c               | cmp                 cl, 0x5c
            //   0f8462060000         | je                  0x668
            //   8d50ff               | lea                 edx, [eax - 1]

        $sequence_1 = { 0f8409010000 83fb2f 0f8400010000 83fb5c }
            // n = 4, score = 300
            //   0f8409010000         | je                  0x10f
            //   83fb2f               | cmp                 ebx, 0x2f
            //   0f8400010000         | je                  0x106
            //   83fb5c               | cmp                 ebx, 0x5c

        $sequence_2 = { f6044840 0f8448ffffff 397dcc 7275 8b45d0 85c0 756e }
            // n = 7, score = 300
            //   f6044840             | test                byte ptr [eax + ecx*2], 0x40
            //   0f8448ffffff         | je                  0xffffff4e
            //   397dcc               | cmp                 dword ptr [ebp - 0x34], edi
            //   7275                 | jb                  0x77
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]
            //   85c0                 | test                eax, eax
            //   756e                 | jne                 0x70

        $sequence_3 = { 53 31c0 0fa2 85c0 0f84db000000 }
            // n = 5, score = 300
            //   53                   | push                ebx
            //   31c0                 | xor                 eax, eax
            //   0fa2                 | cpuid               
            //   85c0                 | test                eax, eax
            //   0f84db000000         | je                  0xe1

        $sequence_4 = { 85ed 75d3 8b542420 8b742424 }
            // n = 4, score = 300
            //   85ed                 | test                ebp, ebp
            //   75d3                 | jne                 0xffffffd5
            //   8b542420             | mov                 edx, dword ptr [esp + 0x20]
            //   8b742424             | mov                 esi, dword ptr [esp + 0x24]

        $sequence_5 = { 55 57 56 53 81ec2c010000 8b842440010000 85c0 }
            // n = 7, score = 300
            //   55                   | push                ebp
            //   57                   | push                edi
            //   56                   | push                esi
            //   53                   | push                ebx
            //   81ec2c010000         | sub                 esp, 0x12c
            //   8b842440010000       | mov                 eax, dword ptr [esp + 0x140]
            //   85c0                 | test                eax, eax

        $sequence_6 = { 75e8 890424 e8???????? 89c7 8b44241c }
            // n = 5, score = 300
            //   75e8                 | jne                 0xffffffea
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   89c7                 | mov                 edi, eax
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]

        $sequence_7 = { 56 53 83ec10 8b742420 813e???????? 740e }
            // n = 6, score = 300
            //   56                   | push                esi
            //   53                   | push                ebx
            //   83ec10               | sub                 esp, 0x10
            //   8b742420             | mov                 esi, dword ptr [esp + 0x20]
            //   813e????????         |                     
            //   740e                 | je                  0x10

        $sequence_8 = { e9???????? 837dd427 0f84e4000000 83c001 }
            // n = 4, score = 300
            //   e9????????           |                     
            //   837dd427             | cmp                 dword ptr [ebp - 0x2c], 0x27
            //   0f84e4000000         | je                  0xea
            //   83c001               | add                 eax, 1

        $sequence_9 = { 83c001 85c9 751e 83fa2a 7444 83fa3f 743f }
            // n = 7, score = 300
            //   83c001               | add                 eax, 1
            //   85c9                 | test                ecx, ecx
            //   751e                 | jne                 0x20
            //   83fa2a               | cmp                 edx, 0x2a
            //   7444                 | je                  0x46
            //   83fa3f               | cmp                 edx, 0x3f
            //   743f                 | je                  0x41

    condition:
        7 of them and filesize < 114688
}
Download all Yara Rules