AI Security AI安全 14h ago Updated 11h ago 更新于 11小时前 46

GigaWiper Combines Multiple Malware for System-Level Sabotage GigaWiper结合多种恶意软件进行系统级破坏

Microsoft identified GigaWiper, a sophisticated Go-based backdoor active since October 2025, combining persistent access with multiple destructive capabilities. The malware integrates standalone wipers, ransomware-like encryption, and system sabotage tools into a modular framework, marking a shift from pure destruction to flexible espionage and destruction. GigaWiper utilizes RabbitMQ and Redis for command-and-control communications, enabling remote execution of tasks such as disk wiping, BSOD t 微软披露名为 GigaWiper 的复杂 Go 语言后门木马,具备模块化设计,整合了擦除、勒索加密及远程操控功能。 该恶意软件首次出现于 2025 年 10 月,利用 WMI 枚举磁盘,在物理层面执行多遍数据擦除并重启系统。 攻击者通过 RabbitMQ 和 Redis 建立持久化控制与命令通道,可执行屏幕录制、日志清除及触发蓝屏等破坏性操作。 GigaWiper 融合了 Crucio 勒索软件的加密代码与 FlockWiper 的擦除功能,标志着破坏型恶意软件向兼具间谍与控制能力的混合形态演变。

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • Microsoft identified GigaWiper, a sophisticated Go-based backdoor active since October 2025, combining persistent access with multiple destructive capabilities.
  • The malware integrates standalone wipers, ransomware-like encryption, and system sabotage tools into a modular framework, marking a shift from pure destruction to flexible espionage and destruction.
  • GigaWiper utilizes RabbitMQ and Redis for command-and-control communications, enabling remote execution of tasks such as disk wiping, BSOD triggering, screenshotting, and log clearing.
  • The threat actor appears linked to the Crucio ransomware group and shares code similarities with FlockWiper, indicating a consolidation of previous malware families into a unified implant.

Why It Matters

This development highlights a significant evolution in cyber threat tactics, where attackers are merging espionage and destructive capabilities into single, modular implants to maximize operational flexibility. For security professionals, understanding this convergence is critical as it blurs the lines between traditional APT activities and disruptive attacks, requiring enhanced detection strategies for hybrid malware behaviors.

Technical Details

  • Architecture: Built in Go, GigaWiper functions as a modular backdoor with embedded wiper capabilities, utilizing Windows Management Instrumentation (WMI) to enumerate drives and target specific partitions for erasure.
  • Communication & Persistence: Establishes Command-and-Control (C&C) channels via RabbitMQ and Redis, ensuring robust persistence and remote control over infected systems.
  • Capabilities: Supports diverse commands including executing stand-alone wipers, triggering BSODs, uploading files via MinIO Client, running PowerShell scripts, capturing screens, and clearing Windows event logs.
  • Encryption Modules: Features two distinct file-encryption commands: one destructive variant using unsaved random keys and another bulk encryption/decryption module.
  • Lineage: Code analysis suggests origins from the Crucio ransomware developer, with specific wiping functions ported from earlier malware like FlockWiper.

Industry Insight

  • Security teams should prioritize monitoring for unusual RabbitMQ and Redis traffic patterns, as these are becoming preferred C&C channels for advanced persistent threats.
  • Incident response plans must account for hybrid malware that can switch between stealthy data exfiltration and immediate destructive actions, necessitating rapid isolation protocols.
  • Threat intelligence sharing regarding code reuse across malware families (e.g., links between ransomware groups and wiper developers) is essential for predicting future attack vectors and identifying emerging threat actors.

TL;DR

  • 微软披露名为 GigaWiper 的复杂 Go 语言后门木马,具备模块化设计,整合了擦除、勒索加密及远程操控功能。
  • 该恶意软件首次出现于 2025 年 10 月,利用 WMI 枚举磁盘,在物理层面执行多遍数据擦除并重启系统。
  • 攻击者通过 RabbitMQ 和 Redis 建立持久化控制与命令通道,可执行屏幕录制、日志清除及触发蓝屏等破坏性操作。
  • GigaWiper 融合了 Crucio 勒索软件的加密代码与 FlockWiper 的擦除功能,标志着破坏型恶意软件向兼具间谍与控制能力的混合形态演变。

为什么值得看

本文揭示了恶意软件开发者将纯破坏工具与高级后门能力结合的新趋势,打破了传统 wiper 仅用于毁灭数据的单一认知。对于安全从业者而言,理解这种模块化、跨组件复用的攻击架构有助于优化检测规则,特别是针对 RabbitMQ/Redis 通信及底层磁盘操作的监控。

技术解析

  • 架构与语言:GigaWiper 是基于 Go 语言开发的模块化后门,集成了多个恶意家族的功能。其核心特点是“按需执行”,将独立的擦除器、类勒索加密命令和多遍擦除命令折叠在后门指令中。
  • 持久化与通信:利用 RabbitMQ 和 Redis 作为命令与控制(C&C)通信渠道,实现持久化连接。攻击者可远程下发指令,包括上传文件(使用 MinIO Client)、运行 PowerShell、截图录屏及收集系统信息。
  • 破坏机制:擦除模块在物理磁盘级别运作,通过 Windows Management Instrumentation (WMI) 识别分区,移除非 Windows 驱动器的分区引用,执行多遍擦除后重启系统。此外,还支持触发 BSOD 和清除 Windows 日志以掩盖踪迹。
  • 加密功能:包含两种文件加密命令,一种是使用随机密钥且永不保存的破坏性加密,另一种是针对批量文件的常规加密/解密功能,代码源自之前的 Crucio 勒索软件。
  • 关联分析:代码指纹显示其与 FlockWiper(2025 年 6 月出现)共享相同的 Go 移植擦除函数,且加密逻辑指向 Crucio 开发者,表明攻击者正在复用和整合现有工具链。

行业启示

  • 混合威胁升级:破坏型恶意软件(Wipers)正从单纯的“一次性毁灭”工具演变为具备长期潜伏、情报收集和按需破坏能力的混合威胁,防御策略需兼顾 EDR 与数据完整性保护。
  • 基础设施监控重点:鉴于 C&C 通信依赖 RabbitMQ 和 Redis 等中间件,企业应加强对内部消息队列服务的异常流量监控,防止其被滥用为攻击者的隐蔽信道。
  • 供应链与代码复用风险:攻击者通过缝合不同恶意软件组件(如 Crucio 和 FlockWiper 的代码)快速构建新变种,提示安全厂商需关注恶意代码库的交叉引用和家族演化关系,而非仅依赖单一签名检测。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全