AI Security AI安全 1d ago Updated 23h ago 更新于 23小时前 46

New GigaWiper Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware 新型GigaWiper Windows后门捆绑磁盘擦除、虚假勒索软件和间谍软件

Microsoft identified "GigaWiper," a modular Windows backdoor combining three distinct destructive capabilities: raw disk wiping, Windows drive overwriting, and fake ransomware encryption. The malware utilizes legitimate business infrastructure (RabbitMQ, Redis, MinIO) for command-and-control and data exfiltration, making network traffic appear normal and evading traditional security monitoring. Attribution links the tool to Iran-nexus groups, specifically connecting its fake ransomware component Microsoft 拆解了名为 GigaWiper 的 Windows 后门程序,该程序将三种破坏性工具整合为单一平台,支持磁盘擦除、覆盖 Windows 驱动器和运行假勒索软件。 GigaWiper 具备间谍功能,包括屏幕截图、录制、隐藏 VNC 会话及日志清理,并利用 RabbitMQ、Redis 和 MinIO 等合法业务服务进行命令与控制通信以规避检测。 该恶意软件伪装成 OneDrive 进程,通过注册表和防火墙规则隐藏自身,其代码源自已知的 Crucio 和 FlockWiper,被关联到与伊朗革命卫队有关的网络活动。 防御重点在于早期检测和离线备份,因为这是已渗透后的攻击行为而非

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • Microsoft identified "GigaWiper," a modular Windows backdoor combining three distinct destructive capabilities: raw disk wiping, Windows drive overwriting, and fake ransomware encryption.
  • The malware utilizes legitimate business infrastructure (RabbitMQ, Redis, MinIO) for command-and-control and data exfiltration, making network traffic appear normal and evading traditional security monitoring.
  • Attribution links the tool to Iran-nexus groups, specifically connecting its fake ransomware component to "CyberAv3ngers" and noting shared code fingerprints with previous attacks on critical infrastructure.
  • Defenders must prioritize offline backups and early detection via specific indicators, such as suspicious scheduled tasks mimicking OneDrive and unauthorized use of system utilities like takeown and icacls.

Why It Matters

This incident highlights a significant shift in threat actor strategy: the consolidation of espionage and destruction into a single, flexible implant. By allowing operators to choose between spying, stealing, or destroying data post-compromise, the malware removes the predictability that defenders previously relied on to assess intent. This necessitates a move away from signature-based detection toward behavioral monitoring of legitimate tools and rigorous endpoint hygiene.

Technical Details

  • Modular Architecture: GigaWiper is written in Go and functions as a framework integrating three older destructive tools: a raw disk wiper (overwriting the partition table), a fake ransomware module based on "Crucio" (encrypting files with a .candy extension without saving keys), and a Windows drive wiper similar to "FlockWiper."
  • Stealth and Persistence: The malware disguises itself as OneDrive by creating a scheduled task named "OneDrive Update" and hiding its registry entries under HKCU\SOFTWARE\OneDrive\Environment. It also establishes a hidden VNC session and uses firewall rules named after legitimate Windows components to mask remote access.
  • Infrastructure Abuse: Instead of standard HTTP/HTTPS channels, GigaWiper leverages RabbitMQ for tasking, Redis for results, and MinIO for data exfiltration. This allows the malware to blend in with existing enterprise infrastructure, bypassing many network-level security controls.
  • Detection Indicators: Key signs of compromise include RabbitMQ or Redis traffic originating from non-server endpoints, processes using takeown and icacls to seize ownership of boot files (bootmgr, ntoskrnl.exe) outside of maintenance windows, and the presence of the specific scheduled task mentioned above.

Industry Insight

  • Defense in Depth for Critical Infrastructure: Since GigaWiper is designed to render systems unrecoverable without backups, organizations handling sensitive data or critical operations must enforce immutable, offline backup strategies. Relying on online backups is insufficient against sophisticated wipers.
  • Monitoring Legitimate Tools: Security teams should update detection rules to flag the misuse of administrative utilities like takeown and icacls on system boot files, as well as unexpected traffic patterns from message queues (RabbitMQ/Redis) on user workstations.
  • Attribution and Geopolitical Context: The linkage to Iran-nexus groups targeting Israeli and US infrastructure suggests an escalation in state-sponsored cyber warfare. Organizations in high-risk sectors should review their threat intelligence feeds for indicators associated with groups like CyberAv3ngers and Handala Hack.

TL;DR

  • Microsoft 拆解了名为 GigaWiper 的 Windows 后门程序,该程序将三种破坏性工具整合为单一平台,支持磁盘擦除、覆盖 Windows 驱动器和运行假勒索软件。
  • GigaWiper 具备间谍功能,包括屏幕截图、录制、隐藏 VNC 会话及日志清理,并利用 RabbitMQ、Redis 和 MinIO 等合法业务服务进行命令与控制通信以规避检测。
  • 该恶意软件伪装成 OneDrive 进程,通过注册表和防火墙规则隐藏自身,其代码源自已知的 Crucio 和 FlockWiper,被关联到与伊朗革命卫队有关的网络活动。
  • 防御重点在于早期检测和离线备份,因为这是已渗透后的攻击行为而非单一漏洞;建议监控异常的计划任务、非服务器端的数据库流量以及对外部系统文件的非法所有权更改。

为什么值得看

这篇文章揭示了高级持续性威胁(APT)组织如何将多种破坏性工具模块化并整合进单一后门中,使得攻击意图在入侵后由操作员动态决定,增加了防御者通过恶意软件特征预判攻击目标的难度。同时,它展示了攻击者如何利用企业常用的基础设施(如 RabbitMQ、Redis)作为隐蔽通信渠道,这对现有的网络监控策略提出了新的挑战。

技术解析

  • 多模态破坏能力:GigaWiper 提供三种毁灭性选项:原始磁盘擦除器(直接覆盖物理驱动器并清除分区表)、基于 Crucio 代码的假勒索软件(加密文件并添加 .candy 扩展名,但不保存解密密钥,旨在彻底破坏而非勒索),以及多遍覆盖 Windows 驱动器的擦除工具(FlockWiper 的 Go 语言重写版)。
  • 隐蔽通信与持久化:恶意软件伪装成 OneDrive,创建名为 "OneDrive Update" 的每分钟执行一次的任务,并将自身注册在 HKCU\SOFTWARE\OneDrive\Environment 下。它利用防火墙规则 Microsoft.Windows.CloudExperienceHost 隐藏远程访问通道,并使用 RabbitMQ 发送指令、Redis 接收结果、MinIO 进行数据外泄,使流量看起来像正常的业务数据。
  • 间谍与反取证功能:除了破坏,它还具备屏幕截图、视频录制和隐藏 VNC 远程控制功能。它能收集系统信息、管理服务、编辑注册表,并清除 Windows 事件日志以掩盖踪迹。代码中还发现了休眠的键盘记录器和额外擦除工具的存根。
  • 溯源与关联:微软指出 GigaWiper 的假勒索软件部分源自 Crucio,擦除部分源自 FlockWiper,且两者共享开发者指纹(如 "GRAT" 标签)。这将其与之前被 CISA 列为与伊朗伊斯兰革命卫队有关联的网络活动联系起来,尽管微软未明确命名国家,但二进制防御公司(Binary Defense)将其标记为 BLUERABBIT 并指向针对以色列组织的伊朗背景团体。

行业启示

  • 防御范式转变:随着恶意软件从“单一目的”向“多功能平台”演进,防御者不能再仅凭发现的恶意软件类型推断攻击者的最终意图(是窃取还是破坏)。必须假设任何已渗透的系统都可能面临即时破坏风险,因此离线备份和快速检测至关重要。
  • 基础设施监控盲区:攻击者利用企业内部广泛部署的业务中间件(如消息队列、缓存数据库)进行 C2 通信,使得传统的基于端口的流量分析失效。安全团队需要加强对这些合法服务在非服务器主机上异常流量的监控和行为分析。
  • 地缘政治网络战常态化:此类高度定制化、结合破坏与间谍功能的工具的出现,反映了国家级或半国家级黑客组织在网络冲突中的战术成熟度。针对关键基础设施和特定区域组织的攻击将持续存在,且手段更加隐蔽和多样化。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全