Microsoft discovers new multi-malware package 'GigaWiper' capable of deploying wipers and ransomware

Security News

Microsoft discovers new multi-malware package ‘GigaWiper’ capable of deploying wipers and ransomware

Credit: The original article is published here.
  • Microsoft warns of “GigaWiper,” a destructive malware attributed to Iranian group CyberAv3ngers that combines multiple variants into one
  • It can wipe drives, encrypt files with a fake ransomware extension, or overwrite Windows partitions, while also spying via screenshots, VNC sessions, and system data theft
  • The malware hides under fake OneDrive tasks and registry keys, showing both espionage and sabotage capabilities with no recovery path for victims’ data

Microsoft is warning about a new piece of malware called GigaWiper, which can spy on people’s computers and then destroy them entirely, in different ways.

It was built by mashing different malware variants into one, and it seems to be the work of Iranian state-sponsored threat actors called CyberAv3ngers. The hackers also took a little cheeky dig at Microsoft, through the malware’s obfuscation mechanism.

As Microsoft explained, GigaWiper can overwrite the physical drive and wipe the partition table, destroying the contents of the disk directly. It can also encrypt all files on the drive, add a .candy extension, and change the desktop wallpaper to show a warning. This ransomware approach does not share a ransom note, and does not generate a decryption key, so there is nothing to pay, and no way to decrypt the files – they are gone for good, just giving victims false hope.

Spying on the victims

Finally, the third method goes straight for the Windows drive, overwriting it multiple times with different data patterns.

Besides bricking the disk, GigaWiper can also spy on its victims by grabbing screenshots, recording the screen, or opening a VNC session to either stream someone else’s work, or allow the attackers to use the mouse and keyboard. The malware can also extract system data, manage programs and services, modify the registry, and more.

But the cheekiest feature is how it hides. It schedules a task called OneDrive Update and tracks itself in a registry key called OneDriveEnvironment. Perhaps the attackers assumed no one really pays attention to OneDrive, and thus the malware could stay out of sight for longer.

Speaking of the attackers, Microsoft does not name them, but most of the components mashed together to form GigaWiper were previously attributed to CyberAv3ngers, a group linked to Iran’s Islamic Revolutionary Guard Corps.

Leave a Reply

Your email address will not be published. Required fields are marked *