Microsoft warns of destructive MBR wiper malware targeting Ukranian organizations

Microsoft has issued a warning of destructive MBR wiper malware targeting Ukranian organizations.

According to Microsoft, the malware executes after powering down the victim’s devices, which then overwrites the Master Boot Record (MBR) with a ransomware note. However, the note is a ploy given it is designed to make devices inoperable without a way to recover and obtain a ransom.

Microsoft spotted dozens of affected systems spanning multiple government, non-profit, and information technology organizations in the Ukraine.

“On January 13, Microsoft identified intrusion activity originating from Ukraine that appeared to be possible Master Boot Records (MBR) Wiper activity. During our investigation, we found a unique malware capability being used in intrusion attacks against multiple victim organizations in Ukraine,” Microsoft stated in the blog post.

The malware executes in two stages. In the first stage, the malware resides in multiple working directories (e.g., C:\PerfLogs, C:\ProgramData, C:\, and C:\temp) and is executed via a utility called Impacket often used by hackers to move laterally on their victim’s network. The malware then overwrites the MBR on victim’s system with the ransom note with Bitcoin wallet and unique ID.

In the second stage, a malicious file corrupter malware is downloaded and then executed in memory. As a result, the corrupter then locates files on various system directories and overwrites the files with a random four-byte extension.

Customer Mitigations

The tech giant has further implemented customer protections to detect this malware and dubbed it WhisperGate (e.g., DoS:Win32/WhisperGate.A!dha) via Microsoft Defender Antivirus and Microsoft Defender for Endpoint.

Finally, Microsoft also recommends organizations follow these guidelines to help mitigate against the malware threat:

  • Check for indicator’s of compromise (IoC) for evidence of malware and assess for possible intrusion.
  • Enable multi-factor authentication (MFA) for all remote activity and any compromised credentials.
  • Review all authentication activity for remote access infrastructure with special focus on accounts without MFA enabled for unusual activity.
  • Enable Controlled folder Access (CFA) in Microsoft Defender for Endpoint to prevent MBR/VBR modification.

Related Articles