A North Korean threat group has been targeting financial institutions with a versatile implant that combines robust command-and-control capabilities with multiple destructive payloads, including disk wiping, fake ransomware, and system-level sabotage. The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences. The implant, known as GigaWiper, is particularly notable for its makeup.
It’s not a single, purpose-built tool, but an amalgamation of separate malware families that were folded into GigaWiper as on-demand backdoor commands, giving threat actors the flexibility to choose their mode of destruction. A standalone wiper that operates at the physical disk level overwrites raw disk content and removes partition metadata. A destructive command derives from Crucio ransomware and encrypts files with randomly generated keys that are never saved, making decryption impossible.[/subscribe_to_unlock_form]
A North Korean threat group has been targeting financial institutions with a versatile implant that combines robust command-and-control capabilities with multiple destructive payloads, including disk wiping, fake ransomware, and system-level sabotage. The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences. The implant, known as GigaWiper, is particularly notable for its makeup.
It’s not a single, purpose-built tool, but an amalgamation of separate malware families that were folded into GigaWiper as on-demand backdoor commands, giving threat actors the flexibility to choose their mode of destruction. A standalone wiper that operates at the physical disk level overwrites raw disk content and removes partition metadata. A destructive command derives from Crucio ransomware and encrypts files with randomly generated keys that are never saved, making decryption impossible.[emaillocker id="1283"]
GigaWiper exemplifies threat actors investing in operational efficiency, merging standalone tools into unified platforms that reduce their deployment footprint while expanding their destructive capabilities. This shift in wiper malware poses a significant risk to financial institutions and other organizations. Threat defenders should be aware of the potential for GigaWiper to evade detection and cause widespread destruction. The security community must remain vigilant and adapt to these evolving threats.
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Collection | T1005 | Data from Local System | - |
| Command and control | T1071.001 | Application Layer Protocol | Web Protocols |
| Impact | T1486 | Data Encrypted for Impact | - |
| Impact | T1489 | Service Stop | - |
| Impact | T1529 | System Shutdown/Reboot | - |
| Objective | Behavior ID | Behavior |
|---|---|---|
| Command & Control | B0030 | C2 Communication |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Discovery | E1083 | File and Directory Discovery |
| Cryptography Micro-objective | C0027 | Encrypt Data |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Impact | B0022 | Remote Access |
The following reports contain further technical details:
[/emaillocker]