WhisperGate part 1

Intro

I see the WhisperGate wiper has gained some attention, so I figured it would be nice to write a few words about it and how to analyze it.

The malware is composed of several stages. Stage 1 and Stage 2 are delivered to the victim machine, and Stage 2 unpacks into multiple further stages. In this first part, I’ll analyze the first stage of the attack, the MBR/GPT wiper.

Stage 1

The first stage was compiled with GCC and carries a PE timestamp of “2022-01-10 12:37:18”. Upon disassembly, the PE contains many functions and runtime code specific to the GCC compiler; IDA identifies most of them via FLAIR signatures and the Lumina database. The only interesting code is the function starting at 0x00403B60.

[Screenshot: WhisperGate stage 1, disassembly of the function at 0x00403B60]

We can see it opens a handle to “\\.\PhysicalDrive0” using “CreateFileW”, then writes a buffer to that location using “WriteFile”. PhysicalDrive0 is the raw disk device, and the first bytes of this device store the MBR/GPT of the disk.

I won’t go into detail about MBR/GPT; I’ll just mention that it is a special structure containing the boot code and the partition table of the disk drive. Overwriting this structure leaves the machine unable to boot its operating system. MBR is the older standard, 512 bytes long; GPT is the newer standard, but it keeps backward compatibility with MBR.

The byte pointer at 0x404020 holds the MBR bytes that will be written to PhysicalDrive0. We can confirm this is an MBR structure by looking at the magic 0x55AA at the end of the 512-byte structure.

// copy 0x2000 bytes of the embedded blob at 0x404020 into a local buffer
qmemcpy(lpBuffer, byte_404020, 0x2000u);
// open the raw first physical disk (dwFlagsAndAttributes = 0, no template file)
hFile = CreateFileW(L"\\\\.\\PhysicalDrive0", GENERIC_ALL, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL);
// write only the first 0x200 (512) bytes, i.e. one sector: the new MBR
WriteFile(hFile, lpBuffer, 0x200u, NULL, NULL);
CloseHandle(hFile);

Interestingly, the last two arguments of the WriteFile API (lpNumberOfBytesWritten and lpOverlapped) are both set to NULL. The documented contract allows lpNumberOfBytesWritten to be NULL only when lpOverlapped is not NULL, so this call is outside what the API supports and will result in unexpected behavior from the OS; I even got a BSOD while debugging this wiper.
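The check described above (the 0x55AA signature at the end of the 512-byte sector) is easy to automate. The following is an added example, not code from the original post: a small MBR parser that reports the signature, hashes the boot-code area, decodes the four partition entries and lists printable strings in the boot code, which is where an embedded ransom note would show up. The sample sector it runs on is constructed here and is not the WhisperGate MBR; the helper names are my own.

```python
import hashlib
import re
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE   # four 16-byte partition entries start here
SIGNATURE_OFFSET = 0x1FE    # bytes 0x55 0xAA close the sector


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR sector: signature, boot-code hash, partition
    entries and printable strings in the boot-code area."""
    if len(sector) < MBR_SIZE:
        raise ValueError("need at least %d bytes, got %d" % (MBR_SIZE, len(sector)))
    sector = bytes(sector[:MBR_SIZE])
    boot_code = sector[:PART_TABLE_OFFSET]
    partitions = []
    for i in range(4):
        # status, CHS start, type, CHS end, LBA start, sector count (little endian)
        entry = struct.unpack_from("<B3sB3sII", sector, PART_TABLE_OFFSET + 16 * i)
        status, _chs_start, ptype, _chs_end, lba_start, sector_count = entry
        if ptype == 0 and lba_start == 0 and sector_count == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sector_count": sector_count,
        })
    return {
        "signature_ok": sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
        "strings": [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{8,}", boot_code)],
    }


def triage_mbr(sector: bytes) -> list:
    """Findings a responder wants when comparing the sector a sample writes
    against what a healthy disk should carry."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA signature: BIOS will not boot this sector")
    if not info["partitions"]:
        findings.append("partition table is empty: the original layout was not preserved")
    if info["strings"]:
        findings.append("boot code embeds text: " + "; ".join(info["strings"]))
    return findings


# Constructed sample sector (not the WhisperGate MBR): a jmp-to-self stub,
# a text string in the code area, one bootable Linux partition, the signature.
SAMPLE_MBR = bytearray(MBR_SIZE)
SAMPLE_MBR[0:2] = b"\xEB\xFE"
SAMPLE_MBR[0x20:0x20 + 27] = b"Constructed sample message."
struct.pack_into("<B3sB3sII", SAMPLE_MBR, PART_TABLE_OFFSET,
                 0x80, b"\x00\x00\x00", 0x83, b"\x00\x00\x00", 2048, 20480)
SAMPLE_MBR[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"\x55\xAA"
SAMPLE_MBR = bytes(SAMPLE_MBR)

if __name__ == "__main__":
    import sys
    # pass a dump such as mbrdump.bin; without an argument the constructed sample is used
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MBR
    for line in triage_mbr(data) or ["no findings"]:
        print(line)
```

Running it on a dump of the 0x2000-byte blob only looks at the first 512 bytes, which matches the 0x200 bytes the wiper actually writes; the boot-code hash is a convenient way to compare the sector against a known-good backup of a machine's MBR.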

Restarting the machine after the malware did its thing will result in it executing the new MBR code and displaying a ransom note.

Debugging the MBR code

IDA can debug the MBR code with the help of the Bochs emulator. Download and install Bochs from the project site. Let’s configure the debug environment.

Create bochs disk

  • open the CLI and navigate to the install directory
  • create an image to hold the MBR code via bximage.exe
    1. launch bximage.exe
    2. create a new disk (option 1)
    3. use the “hd” option (enter)
    4. use a “flat” image (enter)
    5. “512”-byte sectors are sufficient (enter)
    6. specify the size in megabytes; the default is enough (enter)
    7. name your image (wiper.mbr)

Example in the screenshot below

[Screenshot: bximage.exe creating the hard disk image]

Bochs config

Now we need to create a config file that we’ll open in IDA. This file tells IDA how to load and debug the MBR code under Bochs.

  • create a file with the “.bxrc” extension
  • open the file into a text editor and paste the following lines
megs: 512
romimage: file="BIOS-bochs-latest"
vgaromimage: file="VGABIOS-lgpl-latest"
boot: disk
ata0-master: type=disk, path="wiper.mbr", mode=flat
mouse: enabled=0
cpu: ips=90000000

Copy MBR

The last step is to copy the raw bytes from IDA to the Bochs disk that we created.

  • dump the bytes to a file with the IDAPython snippet below
  • copy the first 512 bytes of mbrdump.bin to the start (sector 0) of the Bochs disk image using your favorite hex editor
from idc import get_bytes  # IDAPython; run this from IDA's script window

def DumpBytes(address, size, output):
	# read `size` raw bytes from the database starting at `address`
	bytesFromBin = get_bytes(address, size)
	with open(output, "wb") as fp:  # the with block closes the file on exit
		fp.write(bytesFromBin)
	print("Dumped {} bytes to {}".format(size, output))

# dump the whole 0x2000-byte blob the wiper copies; the MBR is its first 0x200 bytes
DumpBytes(0x404020, 0x2000, "mbrdump.bin")
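The three manual steps above (create a flat image with bximage, write the .bxrc, copy the dump into sector 0 with a hex editor) can be done in one script, because a Bochs image in flat mode is simply the disk's bytes in order. The following is an added example, not code from the original post or from the Bochs project: it takes the first 512 bytes of a dump such as mbrdump.bin, writes them as sector 0 of a zero-filled raw image, and emits the same .bxrc lines shown above next to it. The 10 MB image size and the file names wiper.mbr / wiper.bxrc are assumptions; the stand-in sector used when no dump is given is constructed here.

```python
import os
import tempfile
from pathlib import Path

SECTOR = 512
# Same settings as the .bxrc above; only the image path is substituted.
BXRC_TEMPLATE = """megs: 512
romimage: file="BIOS-bochs-latest"
vgaromimage: file="VGABIOS-lgpl-latest"
boot: disk
ata0-master: type=disk, path="{image}", mode=flat
mouse: enabled=0
cpu: ips=90000000
"""


def make_flat_image(mbr: bytes, image_path: str, size_mb: int = 10) -> int:
    """Write a flat (raw) Bochs disk image whose sector 0 is `mbr`; the rest is zero.
    Refuses input that does not end in the 0x55AA boot signature."""
    if len(mbr) < SECTOR:
        raise ValueError("dump is shorter than one sector")
    if mbr[SECTOR - 2:SECTOR] != b"\x55\xAA":
        raise ValueError("no 0x55AA signature at offset 510; not a bootable sector")
    size = size_mb * 1024 * 1024  # multiple of 512, so Bochs can derive a geometry
    with open(image_path, "wb") as fp:
        fp.write(mbr[:SECTOR])  # exactly the 0x200 bytes the wiper writes
        fp.truncate(size)       # extend the file; new bytes read back as zero
    return size


def write_bxrc(image_path: str, bxrc_path: str) -> str:
    """Emit the Bochs config IDA's loader reads. The image path is kept relative
    so the .bxrc and the image travel together in one directory."""
    text = BXRC_TEMPLATE.format(image=os.path.basename(image_path))
    Path(bxrc_path).write_text(text)
    return text


def build_lab(mbr: bytes, out_dir: str = None, size_mb: int = 10) -> dict:
    """Create image and config in out_dir (a fresh temp dir by default) and
    return what was written so it can be verified before opening it in IDA."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="whispergate-lab-")
    image = os.path.join(out_dir, "wiper.mbr")
    bxrc = os.path.join(out_dir, "wiper.bxrc")
    expected = make_flat_image(mbr, image, size_mb)
    config = write_bxrc(image, bxrc)
    with open(image, "rb") as fp:
        sector0 = fp.read(SECTOR)
    return {"dir": out_dir, "image": image, "bxrc": bxrc, "expected_size": expected,
            "actual_size": os.path.getsize(image), "sector0": sector0, "config": config}


# Constructed stand-in for mbrdump.bin: a jmp-to-self stub plus the signature.
SAMPLE_MBR = bytes([0xEB, 0xFE]) + bytes(SECTOR - 4) + b"\x55\xAA"

if __name__ == "__main__":
    import sys
    dump = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MBR
    result = build_lab(dump, out_dir=".")
    print("image:", result["image"], result["actual_size"], "bytes")
    print("open in IDA:", result["bxrc"])
```

Run it as `python build_lab.py mbrdump.bin` in the directory where you want the lab files, then open the generated wiper.bxrc in IDA exactly as described in the next section.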

Debug MBR

All is now configured; we just need to open the “.bxrc” file in IDA. IDA uses a special file loader to parse the config file, then loads and disassembles the MBR code.

Now you can add breakpoints and debug the MBR structure that WhisperGate is overwriting to disk.

[Screenshot: WhisperGate stage 1 MBR running under Bochs emulation in IDA]

I hope this was helpful. See you later.

IOC

// stage 1 sha256 hash
a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
