Threat Advisory

GigaWiper Implant Combines Wiping and Sabotage Capabilities

Threat: Malware
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A North Korean threat group has been targeting financial institutions with a versatile implant that combines robust command-and-control capabilities with multiple destructive payloads, including disk wiping, fake ransomware, and system-level sabotage. The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences. The implant, known as GigaWiper, is particularly notable for its makeup.

It’s not a single, purpose-built tool, but an amalgamation of separate malware families that were folded into GigaWiper as on-demand backdoor commands, giving threat actors the flexibility to choose their mode of destruction. A standalone wiper that operates at the physical disk level overwrites raw disk content and removes partition metadata. A destructive command derives from Crucio ransomware and encrypts files with randomly generated keys that are never saved, making decryption impossible.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A North Korean threat group has been targeting financial institutions with a versatile implant that combines robust command-and-control capabilities with multiple destructive payloads, including disk wiping, fake ransomware, and system-level sabotage. The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences. The implant, known as GigaWiper, is particularly notable for its makeup.

It’s not a single, purpose-built tool, but an amalgamation of separate malware families that were folded into GigaWiper as on-demand backdoor commands, giving threat actors the flexibility to choose their mode of destruction. A standalone wiper that operates at the physical disk level overwrites raw disk content and removes partition metadata. A destructive command derives from Crucio ransomware and encrypts files with randomly generated keys that are never saved, making decryption impossible.[emaillocker id="1283"]

GigaWiper exemplifies threat actors investing in operational efficiency, merging standalone tools into unified platforms that reduce their deployment footprint while expanding their destructive capabilities. This shift in wiper malware poses a significant risk to financial institutions and other organizations. Threat defenders should be aware of the potential for GigaWiper to evade detection and cause widespread destruction. The security community must remain vigilant and adapt to these evolving threats.

THREAT PROFILE:

Tactic Technique Id Technique Sub-technique
Collection T1005 Data from Local System -
Command and control T1071.001 Application Layer Protocol Web Protocols
Impact T1486 Data Encrypted for Impact -
Impact T1489 Service Stop -
Impact T1529 System Shutdown/Reboot -

MBC MAPPING:

Objective Behavior ID Behavior
Command & Control B0030 C2 Communication
Persistence F0012 Registry Run Keys / Startup Folder
Discovery E1083 File and Directory Discovery
Cryptography Micro-objective C0027 Encrypt Data
Anti-Static Analysis B0032 Executable Code Obfuscation
Impact B0022 Remote Access

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu