Microsoft has dissected a new malware threat, GigaWiper, a Windows backdoor with a destructive design. This sophisticated malware combines three older destructive programs, giving attackers a choice of commands to execute, making it a formidable threat.
Destructive Capabilities
GigaWiper provides multiple ways to damage a system. It can wipe the entire disk, overwrite the Windows drive, or simulate ransomware by encrypting files without saving a decryption key. This makes it impossible to recover data without clean backups, emphasizing the importance of early detection.
The malware, also identified as BLUERABBIT by Binary Defense, shares identical file hashes and command servers with GigaWiper, suggesting they are the same threat. Google’s Threat Intelligence Group connects this malware to a group likely linked to Iran, targeting Israeli organizations.
Malicious Functions
Developed in Go, GigaWiper operates on Windows systems and uses specific commands to execute its destructive tasks. One variant erases the disk by overwriting the physical drive and partition table. Another variant, posing as ransomware, encrypts files without offering a recovery option, while the third overwrites the Windows drive with random data.
Furthermore, the malware can spy on affected systems. It captures screenshots, records screen activity, and opens hidden remote sessions for attackers to control the device. It also collects system information, manages processes, and can erase event logs to hide its presence.
Origins and Attribution
Microsoft traces GigaWiper’s code lineage to Crucio and FlockWiper, indicating a single developer’s involvement. Although Microsoft does not specify a nation, the code similarities align with a December 2023 CISA advisory linking Crucio to Iran’s Islamic Revolutionary Guard Corps. Reports suggest this group has previously targeted infrastructure in the US, Israel, and Europe.
The recurring tag “GRAT” in the malware’s code suggests a connection between different tools, hinting at an evolving threat. Microsoft positions GigaWiper as a flexible platform that can spy, steal, or destroy data, complicating detection efforts for defenders.
Defensive Measures
Detecting GigaWiper requires vigilance. Indicators include a recurring “OneDrive Update” task, unexpected RabbitMQ or Redis traffic, and unusual file ownership changes. Microsoft advises activating tamper protection, blocking known command servers, and utilizing advanced endpoint detection solutions.
The Hacker News is seeking further clarification from Microsoft and Binary Defense regarding the malware’s impact and potential victims and will provide updates as information becomes available.
