Update 05.27.22: An unknown APT group is targeting Russian government entities with at least four separate spear-phishing campaigns since the beginning of the Ukraine conflict. Source: Security Affairs.

Earlier this year, as the rest of the world was just beginning to turn a concerned eye to unsettling military actions in Ukraine, the security industry’s attention was trained on malicious cyber activity in the country. When the WhisperGate wiper was discovered – a multi-staged malicious wiper disguised as ransomware – researchers dug in to see what we could learn about the techniques used by its authors, and what it could teach us about the threat landscape in general. In this post, we’ll retrace our steps down a surprising rabbit hole that was revealed while examining this momentous malware. We’ll discuss what we found, and what it can tell us about the methods threat actors are finding useful to accomplish their nefarious actions.

Analysis of the WhisperGate malware wiper targeting Ukraine in early 2022 first shone a light on using a Microsoft Intermediate Language (MSIL) stub as a delivery mechanism for the malware, which was abusing the Discord content delivery network (CDN). When we investigated these stubs further and looked for others like them, we found them to be used in the delivery of a far larger array of commodity .NET malware. We’ve covered details regarding WhisperGate in a previous blog, which provides a more extensive breakdown of the third and fourth stages of the wiper. What stood out to us, in the course of conducting that research into the final stages of the malware, was the MSIL stub used in the delivery of the third stage of the malware, which was first noted by ESET Research. To put it simply, these stubs are components of small Windows® executable files that act as downloaders for a subsequent main payload.

The .NET framework includes individual compilers for various programming languages, such as VB.NET and C#. An MSIL stub is created after the compilation of source code by these different .NET compilers, and can then be used across any environment. The main payload that this stub delivers is typically commodity .NET malware, such as Agent Tesla and QuasarRAT, among others. While WhisperGate appeared to use the service that created this stub on only one occasion, we wanted to dive a little further into it and see why this method in particular is being used to deliver so many common .NET malware families.

The WhisperGate stub itself is quite rudimentary: aside from a download function, it also sports junk strings, junk code, and other relatively simple attempts at obfuscation. The main work of a stub is done by retrieving the function DownloadData, or in some cases GetByteArrayAsync, using the .NET inbuilt function GetMethod to resolve the specified function call dynamically. While this may not seem like a big deal, the name of the function to be resolved is often interspersed with a specific character, or set of characters, to obfuscate the function name. For example, a function like DownloadData would be obfuscated with character replacement such as DxownxloxadDxatxxax. Upon execution, this would be replaced inline to revert the function to its original form to perform its intended task. Once the method has been resolved, it then downloads the file at the specified plaintext and hardcoded command-and-control (C2) URL. We observed evidence of the Discord CDN being abused heavily within our data set of files using this stub template, but occasionally saw other IPs and domains used as well.

Another interesting feature we noted is that the stub used by WhisperGate has been obfuscated with a tool called NetReactor, though it appears WhisperGate only used a small subset of the features that the NetReactor tool boasts.
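As an added illustration (not code from the original post or from the researchers), here is a small Python triage helper a defender might run over a strings dump of a suspected stub: it undoes the junk-character obfuscation described above for the two reflection targets the post names, and flags a hardcoded plaintext download URL. It assumes cdn.discordapp.com is the Discord CDN host in question; the sample strings and the URL are constructed placeholders.

```python
import re

# Reflection targets the post says these stubs resolve through GetMethod.
DOWNLOAD_METHODS = ("DownloadData", "GetByteArrayAsync")
# Assumed host of the Discord CDN the post describes being abused.
DISCORD_CDN_HOST = "cdn.discordapp.com"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def recover_name(s, targets=DOWNLOAD_METHODS):
    """Undo junk-character obfuscation such as DxownxloxadDxatxxax.

    The stub sprinkles filler characters through a method name and strips
    them again at runtime with a Replace() call. We do not know the filler,
    so for each known target we drop every character that cannot belong to
    it and check whether the real name is what remains. Returns
    (name, filler) or None. Fillers that reuse letters of the real name
    are not recovered by this simple approach.
    """
    for target in targets:
        stripped = "".join(c for c in s if c in target)
        if stripped == target:
            filler = "".join(sorted(set(s) - set(target)))
            return target, filler
    return None


def triage_strings(strings):
    """Score a list of strings, e.g. a strings dump of a suspected stub."""
    report = {"methods": [], "urls": [], "discord_cdn": False}
    for s in strings:
        hit = recover_name(s)
        if hit:
            report["methods"].append(hit)
        for url in URL_RE.findall(s):
            report["urls"].append(url)
            if DISCORD_CDN_HOST in url:
                report["discord_cdn"] = True
    # The stub pattern: a dynamically resolved download method plus a
    # hardcoded plaintext URL from which the next stage is fetched.
    report["suspicious"] = bool(report["methods"]) and bool(report["urls"])
    return report


# Constructed sample strings; the URL is a placeholder, not a real indicator.
SAMPLE_STRINGS = [
    "System.Net.WebClient",
    "DxownxloxadDxatxxax",
    "https://cdn.discordapp.com/attachments/PLACEHOLDER/PLACEHOLDER/stage.bin",
    "totally harmless junk string",
]

if __name__ == "__main__":
    print(triage_strings(SAMPLE_STRINGS))
```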