Summary
Key Points:
- GigaWiper is a sophisticated Golang-based backdoor identified by Microsoft Threat Intelligence, capable of executing destructive commands including disk wiping and file encryption, derived from multiple malware families.
- The impact includes complete data loss through physical disk wiping and potential system inoperability, affecting any Windows environments where it is deployed.
- Recommended actions include enabling tamper protection, blocking known C2 infrastructure, and using endpoint detection and response (EDR) in block mode to mitigate risks.
Technical Details: GigaWiper utilizes various destructive payloads such as disk wiping commands that overwrite raw disk content and a ransomware-like feature that encrypts files without saving decryption keys. Key indicators include SHA-256 hashes for GigaWiper and its components.
MITRE ATT&CK Techniques:
- T1562.001 - Impair Defenses: Disable or Modify Tools (Defense Evasion)
- T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
- T1003.001 - OS Credential Dumping: LSASS Memory (Credential Access)
- T1490 - Inhibit System Recovery (Impact)
- T1486 - Data Encrypted for Impact (Impact)
IOCs Mentioned:
- 633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001 (SHA-256)
- ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913 (SHA-256)
- f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfd (SHA-256)
- 9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af0683 (SHA-256)
- 185.182.193[.]21 (IP address)
Join the discussion — sign up to comment, upvote, and save articles.