New GigaWiper Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware

New GigaWiper Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware — [https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJRuXh4y7zy8C81

new-gigawiper-windows-backdoor-bundles-disk-wiping-fake-ransomware-and-spyware

What’s new: Microsoft has identified a new Windows backdoor named GigaWiper, which combines three destructive tools: a raw disk wiper, a fake ransomware variant, and a targeted Windows drive wiper. This malware is designed to destroy data rather than extort victims. It can also perform espionage activities, including taking screenshots and controlling infected machines. GigaWiper is linked to a group likely associated with Iran and has been observed targeting Israeli organizations.

Who’s affected

Organizations, particularly those in Israel, may be at risk from GigaWiper, which is believed to be operated by an Iran-linked group. The malware can infiltrate systems and cause significant data loss and operational disruption.

What to do

  • Monitor for a scheduled task named “OneDrive Update” that runs every minute.
  • Watch for RabbitMQ or Redis traffic originating from ordinary desktops instead of servers.
  • Look for processes using takeown and icacls to take ownership of critical Windows boot files outside of maintenance windows.
  • Enable tamper protection on antivirus solutions to prevent disabling by attackers.
  • Block known command servers (185.182.193[.]21 and 212.8.248[.]104).
  • Run endpoint detection in block mode and enable cloud-delivered protection and automatic remediation.

Sources