GigaWiper Backdoor: A Triple Threat to Windows Systems

Microsoft has recently analyzed a destructive Windows backdoor known as GigaWiper, notable for integrating three distinct malicious components into a single tool. This amalgamation allows attackers to choose from multiple methods to incapacitate a targeted system.

The three destructive functionalities embedded within GigaWiper are:

  • Disk Wiper: This component overwrites the entire physical drive, including the partition table, rendering data recovery virtually impossible.
  • Fake Ransomware: Utilizing code from an older malware called Crucio, this feature encrypts files, appends a .candy extension, and alters the desktop wallpaper to display a warning message. Notably, it does not provide a ransom note or save the encryption key, making decryption unfeasible.
  • Windows Drive Overwriter: This function targets the Windows operating system drive, overwriting it multiple times with different data patterns. Microsoft identifies this as a Go-based rewrite of a previously known wiper, FlockWiper.

Beyond its destructive capabilities, GigaWiper also possesses espionage features. It can capture screenshots, record user activity, and establish hidden Virtual Network Computing (VNC) sessions, allowing attackers to monitor and control the infected system remotely. Additionally, it can collect system information, manage processes and services, modify the registry, and erase Windows event logs to conceal its activities.

To evade detection, GigaWiper masquerades as Microsoft’s OneDrive. It creates a scheduled task named ‘OneDrive Update’ that runs every minute and maintains a registry key under HKCU\SOFTWARE\OneDrive\Environment. For its command-and-control communications, it leverages legitimate business services such as RabbitMQ, Redis, and MinIO, making its network traffic appear normal in environments where these services are used.

Microsoft’s analysis traces GigaWiper’s fake ransomware component back to Crucio and its multi-pass wiper to FlockWiper, suggesting a common developer for all three. While Microsoft does not attribute GigaWiper to any specific nation-state actor, other cybersecurity firms have linked similar malware to groups with ties to Iran, particularly targeting Israeli organizations.

Given GigaWiper’s multifaceted threat profile, organizations are advised to implement robust security measures, including regular system monitoring, maintaining up-to-date offline backups, and educating employees about the risks of sophisticated malware. Early detection and proactive defense strategies are crucial in mitigating the potential damage caused by such advanced threats.