WhisperGate (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.whispergate (Back to overview)

WhisperGate

aka: PAYWIPE

VTCollection

Destructive malware deployed against targets in Ukraine in January 2022.

References

2023-06-14 ⋅ Microsoft ⋅ Microsoft Threat Intelligence
Cadet Blizzard emerges as a novel and distinct Russian threat actor
p0wnyshell reGeorg WhisperGate DEV-0586 SaintBear

2023-04-18 ⋅ Mandiant ⋅ Mandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate

2023-03-15 ⋅ Microsoft ⋅ Microsoft Threat Intelligence
A year of Russian hybrid warfare in Ukraine
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket SwiftSlicer WhisperGate

2023-02-15 ⋅ Google ⋅ Google Threat Analysis Group, Mandiant
Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
CaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge MUSTANG PANDA Turla

2022-10-24 ⋅ Youtube (Virus Bulletin) ⋅ Alexander Adamov
Russian wipers in the cyberwar against Ukraine
AcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard INDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate

2022-09-26 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 3: Input/Output Controls
CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare

2022-08-12 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita
The Anatomy of Wiper Malware, Part 1: Common Techniques
Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Ruinous Ursa
WhisperGate DEV-0586

2022-06-06 ⋅ Trellix ⋅ Trelix
Growling Bears Make Thunderous Noise
Cobalt Strike HermeticWiper WhisperGate NB65

2022-06-02 ⋅ Eclypsium ⋅ Eclypsium
Conti Targets Critical Firmware
Conti HermeticWiper TrickBot WhisperGate

2022-05-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
.NET Stubs: Sowing the Seeds of Discord
Agent Tesla Quasar RAT WhisperGate

2022-05-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
.NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate

2022-04-28 ⋅ Fortinet ⋅ Gergely Revay
An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare

2022-04-27 ⋅ Microsoft ⋅ Microsoft Digital Security Unit (DSU)
Special Report: Ukraine An overview of Russia’s cyberattack activity in Ukraine
CaddyWiper DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate

2022-04-07 ⋅ InQuest ⋅ Nick Chalard, Will MacArthur
Ukraine CyberWar Overview
CyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket Saint Bot Scieron WhisperGate

2022-03-30 ⋅ CrowdStrike ⋅ CrowdStrike Threat Intel Team
Who is EMBER BEAR?
WhisperGate

2022-03-14 ⋅ Kaspersky ⋅ GReAT
Webinar on cyberattacks in Ukraine – summary and Q&A
HermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate

2022-03-11 ⋅ Bitdefender ⋅ Radu Crahmaliuc
Five Things You Need to Know About the Cyberwar in Ukraine
HermeticWiper WhisperGate

2022-03-10 ⋅ BrightTALK (Kaspersky GReAT) ⋅ Costin Raiu, Dan Demeter, Ivan Kwiatkowski, Kurt Baumgartner, Marco Preuss
BrightTALK: A look at current cyberattacks in Ukraine
HermeticWiper HermeticWizard IsaacWiper PartyTicket WhisperGate

2022-03-04 ⋅ Mandiant ⋅ James Sadowski, Ryan Hall
Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation
HermeticWiper PartyTicket WhisperGate

2022-03-03 ⋅ LIFARS ⋅ LIFARS
A Closer Look at the Russian Actors Targeting Organizations in Ukraine
HermeticWiper IsaacWiper Saint Bot WhisperGate

2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research
Cyberattacks are Prominent in the Russia-Ukraine Conflict
BazarBackdoor Cobalt Strike Conti Emotet WhisperGate

2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research
IOC Resource for Russia-Ukraine Conflict-Related Cyberattacks
ClipBanker Conti HermeticWiper PartyTicket WhisperGate

2022-02-28 ⋅ Microsoft ⋅ MSRC Team
Cyber threat activity in Ukraine: analysis and resources
CaddyWiper DesertBlade DoubleZero HermeticWiper INDUSTROYER2 IsaacWiper PartyTicket WhisperGate DEV-0586

2022-02-28 ⋅ Microsoft ⋅ MSRC Team
Cyber threat activity in Ukraine: analysis and resources
HermeticWiper IsaacWiper PartyTicket WhisperGate

2022-02-26 ⋅ CISA ⋅ CISA, FBI
Destructive Malware Targeting Organizations in Ukraine
HermeticWiper WhisperGate

2022-02-26 ⋅ CISA
Alert (AA22-057A) Destructive Malware Targeting Organizations in Ukraine
HermeticWiper WhisperGate

2022-02-25 ⋅ The Hacker News ⋅ Ravie Lakshmanan
Putin Warns Russian Critical Infrastructure to Brace for Potential Cyber Attacks
HermeticWiper WhisperGate

2022-02-25 ⋅ CyberPeace Institute
UKRAINE: Timeline of Cyberattacks
VPNFilter EternalPetya HermeticWiper WhisperGate

2022-02-24 ⋅ Tesorion ⋅ TESORION
Report OSINT: Russia/ Ukraine Conflict Cyberaspect
Mirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate

2022-02-24 ⋅ nviso ⋅ Michel Coene
Threat Update – Ukraine & Russia conflict
EternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate

2022-02-23 ⋅ The Record ⋅ Catalin Cimpanu
Second data wiper attack hits Ukraine computer networks
HermeticWiper WhisperGate

2022-02-15 ⋅ Intel 471 ⋅ Intel 471
How the Russia-Ukraine conflict is impacting cybercrime
WhisperGate

2022-02-10 ⋅ InQuest ⋅ Josiah Smith
+380-GlowSpark
GlowSpark WhisperGate

2022-02-03 ⋅ YouTube (Malfind Labs) ⋅ Lasq
Analyzing WhisperGate - destructive malware targeting Ukraine - part 1
WhisperGate

2022-02-03 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Threat Spotlight: WhisperGate Wiper Wreaks Havoc in Ukraine
WhisperGate

2022-02-01 ⋅ Cyborg Security ⋅ Brandon Denker
WhisperGate Malware - Update
WhisperGate

2022-02-01 ⋅ Max Kersten's Blog ⋅ Max Kersten
Dumping WhisperGate’s wiper from an Eazfuscator obfuscated loader
WhisperGate

2022-01-31 ⋅ CrowdStrike ⋅ Liviu Arsene, Sarang Sonawane
CrowdStrike Falcon Proactively Protects Against Wiper Malware as CISA Warns U.S. Companies of Potential Attacks
WhisperGate

2022-01-28 ⋅ Recorded Future ⋅ Insikt Group®
WhisperGate Malware Corrupts Computers in Ukraine
WhisperGate

2022-01-28 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
Lessons Learned From Successive Use of Offensive Cyber Operations Against Ukraine and What May Be Next
WhisperGate

2022-01-27 ⋅ Recorded Future ⋅ John Wetzel
Russia’s Biggest Threat Is Its Instability
WhisperGate

2022-01-27 ⋅ splunk ⋅ Splunk Threat Research Team
Threat Advisory: STRT-TA02 - Destructive Software
WhisperGate

2022-01-27 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Threat Thursday: WhisperGate Wiper Targets Government, Non-profit, and IT Organizations in Ukraine
WhisperGate

2022-01-27 ⋅ Gigamon ⋅ Joe Slowik
Focusing on “Left of Boom”
WhisperGate

2022-01-27 ⋅ splunk ⋅ Splunk Threat Research Team
Threat Advisory: STRT-TA02 - Destructive Software
WhisperGate

2022-01-26 ⋅ Netskope ⋅ Gustavo Palazolo
Netskope Threat Coverage: WhisperGate
WhisperGate

2022-01-26 ⋅ ⋅ Cert-UA ⋅ Cert-UA
Fragment of cyberattack research 14.01.2022
WhisperGate

2022-01-22 ⋅ csirt-mon ⋅ csirt-mon
Analysis of the Cyberattack on Ukrainian Government Resources
WhisperGate

2022-01-21 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Disruptive Attacks in Ukraine Likely Linked to Escalating Tensions
WhisperGate

2022-01-21 ⋅ Github (OALabs) ⋅ OALabs
WhisperGate Malware
WhisperGate

2022-01-21 ⋅ Zero Day ⋅ Kim Zetter
Hackers Were in Ukraine Systems Months Before Deploying Wiper
WhisperGate

2022-01-21 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
WhisperGate: Not NotPetya
WhisperGate

2022-01-21 ⋅ Talos Intelligence ⋅ Chris Neal, Dmytro Korzhevin, Matt Olney, Michael Chen, Nick Biasini
Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation
WhisperGate

2022-01-20 ⋅ Trellix ⋅ Mo Cashman, Raj Samani, Taylor Mullins
Update on WhisperGate, Destructive Malware Targeting Ukraine – Threat Intelligence & Protections Update
WhisperGate

2022-01-20 ⋅ Palo Alto Networks Unit 42 ⋅ Josh Grunzweig, Mike Harbison, Robert Falcone
Threat Brief: Ongoing Russia and Ukraine Cyber Conflict
WhisperGate

2022-01-20 ⋅ Trellix ⋅ Christiaan Beek, Max Kersten, Raj Samani
Return of Pseudo Ransomware
WhisperGate

2022-01-20 ⋅ Twitter (@nunohaien) ⋅ Tillmann Werner
Tweet on key points of Whispergate wiper
WhisperGate

2022-01-20 ⋅ LIFARS ⋅ Vlad Pasca
A Detailed Analysis of WhisperGate Targeting Ukrainian Organizations
WhisperGate

2022-01-19 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
Technical Analysis of the WhisperGate Malicious Bootloader
WhisperGate

2022-01-19 ⋅ rxOred's blog ⋅ rxored
WhisperGate
WhisperGate

2022-01-19 ⋅ Youtube (HEXORCIST) ⋅ Nicolas Brulez
WhisperGate: MBR Wiper Malware Analysis. Ukraine Cyber Attack 2022
WhisperGate

2022-01-19 ⋅ Elastic ⋅ Andrew Pease, Daniel Stepanic, James Spiteri, Joe Desimone, Mark Mager
Operation Bleeding Bear
WhisperGate

2022-01-19 ⋅ Elastic ⋅ Andrew Pease, Daniel Stepanic, James Spiteri, Joe Desimone, Mark Mager, Samir Bousseaden
Operation Bleeding Bear
WhisperGate

2022-01-18 ⋅ Stairwell ⋅ Silas Cutler
Whispers in the noise
WhisperGate

2022-01-18 ⋅ S2W Inc. ⋅ BLKSMTH
Analysis of Destructive Malware (WhisperGate) targeting Ukraine
WhisperGate

2022-01-18 ⋅ Twitter (@knight0x07) ⋅ neeraj
Thread on yet another comprehensive analysis of WHISPERGATE
WhisperGate

2022-01-18 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA
WhisperGate

2022-01-18 ⋅ zetter substack ⋅ Kim Zetter
Dozens of Computers in Ukraine Wiped with Destructive Malware in Coordinated Attack
WhisperGate

2022-01-17 ⋅ Twitter (@HuskyHacksMK) ⋅ Matt | HuskyHacks
WhisperGate Wiper Malware Analysis Live Thread
WhisperGate

2022-01-17 ⋅ Github (Dump-GUY) ⋅ Jiří Vinopal
Debugging MBR - IDA + Bochs Emulator (CTF example)
WhisperGate

2022-01-17 ⋅ Cado Security ⋅ Cado Security
Resources for DFIR Professionals Responding to WhisperGate Malware
WhisperGate

2022-01-17 ⋅ Twitter (@Libranalysis) ⋅ Max Kersten
Tweet on short analysis of WHISPERGATE stage 3 malware
WhisperGate

2022-01-15 ⋅ Microsoft ⋅ Tom Burt
Malware attacks targeting Ukraine government (DEV-0586)
WhisperGate

2022-01-15 ⋅ Microsoft ⋅ Microsoft, Microsoft 365 Defender Threat Intelligence Team, Microsoft Detection and Response Team (DART), Microsoft Digital Security Unit (DSU), Microsoft Security Intelligence
Destructive malware targeting Ukrainian organizations (DEV-0586)
WhisperGate DEV-0586

Yara Rules

[TLP:WHITE] win_whispergate_auto (20230808 | Detects win.whispergate.)

rule win_whispergate_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.whispergate."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.whispergate"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 89d0 80f92f 0f846b060000 80f95c 0f8462060000 8d50ff }
            // n = 6, score = 300
            //   89d0                 | mov                 eax, edx
            //   80f92f               | cmp                 cl, 0x2f
            //   0f846b060000         | je                  0x671
            //   80f95c               | cmp                 cl, 0x5c
            //   0f8462060000         | je                  0x668
            //   8d50ff               | lea                 edx, [eax - 1]

        $sequence_1 = { 0f8409010000 83fb2f 0f8400010000 83fb5c }
            // n = 4, score = 300
            //   0f8409010000         | je                  0x10f
            //   83fb2f               | cmp                 ebx, 0x2f
            //   0f8400010000         | je                  0x106
            //   83fb5c               | cmp                 ebx, 0x5c

        $sequence_2 = { f6044840 0f8448ffffff 397dcc 7275 8b45d0 85c0 756e }
            // n = 7, score = 300
            //   f6044840             | test                byte ptr [eax + ecx*2], 0x40
            //   0f8448ffffff         | je                  0xffffff4e
            //   397dcc               | cmp                 dword ptr [ebp - 0x34], edi
            //   7275                 | jb                  0x77
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]
            //   85c0                 | test                eax, eax
            //   756e                 | jne                 0x70

        $sequence_3 = { 53 31c0 0fa2 85c0 0f84db000000 }
            // n = 5, score = 300
            //   53                   | push                ebx
            //   31c0                 | xor                 eax, eax
            //   0fa2                 | cpuid               
            //   85c0                 | test                eax, eax
            //   0f84db000000         | je                  0xe1

        $sequence_4 = { 85ed 75d3 8b542420 8b742424 }
            // n = 4, score = 300
            //   85ed                 | test                ebp, ebp
            //   75d3                 | jne                 0xffffffd5
            //   8b542420             | mov                 edx, dword ptr [esp + 0x20]
            //   8b742424             | mov                 esi, dword ptr [esp + 0x24]

        $sequence_5 = { 55 57 56 53 81ec2c010000 8b842440010000 85c0 }
            // n = 7, score = 300
            //   55                   | push                ebp
            //   57                   | push                edi
            //   56                   | push                esi
            //   53                   | push                ebx
            //   81ec2c010000         | sub                 esp, 0x12c
            //   8b842440010000       | mov                 eax, dword ptr [esp + 0x140]
            //   85c0                 | test                eax, eax

        $sequence_6 = { 75e8 890424 e8???????? 89c7 8b44241c }
            // n = 5, score = 300
            //   75e8                 | jne                 0xffffffea
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   89c7                 | mov                 edi, eax
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]

        $sequence_7 = { 56 53 83ec10 8b742420 813e???????? 740e }
            // n = 6, score = 300
            //   56                   | push                esi
            //   53                   | push                ebx
            //   83ec10               | sub                 esp, 0x10
            //   8b742420             | mov                 esi, dword ptr [esp + 0x20]
            //   813e????????         |                     
            //   740e                 | je                  0x10

        $sequence_8 = { e9???????? 837dd427 0f84e4000000 83c001 }
            // n = 4, score = 300
            //   e9????????           |                     
            //   837dd427             | cmp                 dword ptr [ebp - 0x2c], 0x27
            //   0f84e4000000         | je                  0xea
            //   83c001               | add                 eax, 1

        $sequence_9 = { 83c001 85c9 751e 83fa2a 7444 83fa3f 743f }
            // n = 7, score = 300
            //   83c001               | add                 eax, 1
            //   85c9                 | test                ecx, ecx
            //   751e                 | jne                 0x20
            //   83fa2a               | cmp                 edx, 0x2a
            //   7444                 | je                  0x46
            //   83fa3f               | cmp                 edx, 0x3f
            //   743f                 | je                  0x41

    condition:
        7 of them and filesize < 114688
}

Download all Yara Rules

WhisperGate Propose Change

References

Yara Rules

WhisperGate