ALERT: Gigawiper Windows Backdoor
I might have saved this until next week as a client alert, but I thought it important enough to write about it today.
The malware is called Gigawiper and researchers first discovered it late last year. It is an interesting and very destructive beast.
It is a number of tools bolted together and may persist as a scheduled task called OneDrive Update, although, obviously, that could change.
So what does it do? It has several major functions.
- It is a raw disk wiper overwriting the physical disk drive and wiping the partition table. Then it reboots and that system is fresh as new from the factory.
- There is a ransomware function that does normal ransomware stuff with one sort of major difference. IT ENCRYPTS WITH A RANDOM KEY WHICH IT DOES NOT SAVE, so there is no way to decrypt the encrypted files.
- The last is kind of a variant of the first. It overwrites just the system volume, several times, with different patterns.
The goal is not to extort money since there is no way to reverse what it does. The goal is to create pain and it is pretty good at that.
But wait, there is more.
Another feature is a remote control capability that allows the hacker to watch and control the target computer. This module also collects system details, manages running programs, edits the registry and wipes event logs. There are additional, so far, dormant commands too.
To allow it to work it makes changes to both the Windows firewall and the registry.
Part of how it evades detection is a “living off the land strategy” using real tools like MinIO for data theft.
As is often the case, this malware evolved from multiple older malware tools.
Microsoft has recommendations for both detecting it AFTER it is installed and slowing down its advance. Neither of these stop you from getting infected.
The good news is that Gigawiper typically does not invade your computer. It uses one of many other techniques to get a foothold and once inside it deploys its code. From there it could stand dormant, surveil you or attack you – potentially multiple of these at different times.
If you need help dealing with this, please contact us.
Credit: Hackread and The Hacker News
