New GigaWiper Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware
Microsoft identified "GigaWiper," a modular Windows backdoor combining three distinct destructive capabilities: raw disk wiping, Windows drive overwriting, and fake ransomware encryption. The malware utilizes legitimate business infrastructure (RabbitMQ, Redis, MinIO) for command-and-control and data exfiltration, making network traffic appear normal and evading traditional security monitoring. Attribution links the tool to Iran-nexus groups, specifically connecting its fake ransomware component
Analysis
TL;DR
- Microsoft identified "GigaWiper," a modular Windows backdoor combining three distinct destructive capabilities: raw disk wiping, Windows drive overwriting, and fake ransomware encryption.
- The malware utilizes legitimate business infrastructure (RabbitMQ, Redis, MinIO) for command-and-control and data exfiltration, making network traffic appear normal and evading traditional security monitoring.
- Attribution links the tool to Iran-nexus groups, specifically connecting its fake ransomware component to "CyberAv3ngers" and noting shared code fingerprints with previous attacks on critical infrastructure.
- Defenders must prioritize offline backups and early detection via specific indicators, such as suspicious scheduled tasks mimicking OneDrive and unauthorized use of system utilities like
takeownandicacls.
Why It Matters
This incident highlights a significant shift in threat actor strategy: the consolidation of espionage and destruction into a single, flexible implant. By allowing operators to choose between spying, stealing, or destroying data post-compromise, the malware removes the predictability that defenders previously relied on to assess intent. This necessitates a move away from signature-based detection toward behavioral monitoring of legitimate tools and rigorous endpoint hygiene.
Technical Details
- Modular Architecture: GigaWiper is written in Go and functions as a framework integrating three older destructive tools: a raw disk wiper (overwriting the partition table), a fake ransomware module based on "Crucio" (encrypting files with a
.candyextension without saving keys), and a Windows drive wiper similar to "FlockWiper." - Stealth and Persistence: The malware disguises itself as OneDrive by creating a scheduled task named "OneDrive Update" and hiding its registry entries under
HKCU\SOFTWARE\OneDrive\Environment. It also establishes a hidden VNC session and uses firewall rules named after legitimate Windows components to mask remote access. - Infrastructure Abuse: Instead of standard HTTP/HTTPS channels, GigaWiper leverages RabbitMQ for tasking, Redis for results, and MinIO for data exfiltration. This allows the malware to blend in with existing enterprise infrastructure, bypassing many network-level security controls.
- Detection Indicators: Key signs of compromise include RabbitMQ or Redis traffic originating from non-server endpoints, processes using
takeownandicaclsto seize ownership of boot files (bootmgr,ntoskrnl.exe) outside of maintenance windows, and the presence of the specific scheduled task mentioned above.
Industry Insight
- Defense in Depth for Critical Infrastructure: Since GigaWiper is designed to render systems unrecoverable without backups, organizations handling sensitive data or critical operations must enforce immutable, offline backup strategies. Relying on online backups is insufficient against sophisticated wipers.
- Monitoring Legitimate Tools: Security teams should update detection rules to flag the misuse of administrative utilities like
takeownandicaclson system boot files, as well as unexpected traffic patterns from message queues (RabbitMQ/Redis) on user workstations. - Attribution and Geopolitical Context: The linkage to Iran-nexus groups targeting Israeli and US infrastructure suggests an escalation in state-sponsored cyber warfare. Organizations in high-risk sectors should review their threat intelligence feeds for indicators associated with groups like CyberAv3ngers and Handala Hack.
Disclaimer: The above content is generated by AI and is for reference only.