A new piece of malware has been discovered that not only spies on data but also renders entire systems unusable. The malware, known as GigaWiper, combines several destructive functions with a powerful backdoor for attackers. Security researchers first detected the activity in October. The malware's capabilities have been fully detailed in a recent analysis.
GigaWiper is not a traditional wiper malware with a single purpose; it's far more destructive. It can wipe hard drives and irretrievably destroy data by overwriting hard drives at a low level, removing partition entries, and overwriting the contents of storage media. Once the destructive operation is complete, the computer restarts, and the data that was once stored on it is no longer accessible.
One of the destructive functions of GigaWiper masquerades as ransomware, encrypting files and appending the .candy extension to them. However, this is not a classic extortion attack, as the decryption keys are generated at random and not stored, making recovery technically impossible. Another function overwrites the Windows system drive multiple times with various data patterns, making recovery even more difficult.
GigaWiper is more than just a data wiper; it's a backdoor through which attackers can gain permanent access to infected systems. The malware can take screenshots, record the screen, enable remote control functions, collect system information, manage processes and Windows services, modify the Windows Registry, and delete event logs to cover their tracks.
This allows attackers to gather information about a system or take control of it before triggering its destructive activity. The malware sets up a scheduled task in the Windows Task Scheduler to ensure it remains on affected computers for as long as possible. This task is named “OneDrive Update” and runs regularly.
The malware uses RabbitMQ and Redis to communicate with command-and-control servers, making the connections harder to detect in corporate networks. A distinctive feature of GigaWiper is its structure, which combines malicious code from several malware families.
Some functions originate from older malware components, which have been integrated into a new backdoor developed in the Go programming language. This allows attackers to decide whether to take control of systems, manipulate data, and/or trigger complete destruction.
Based on current findings, GigaWiper is primarily used for targeted attacks against organizations and corporations. There's currently no evidence of widespread distribution among home Windows users. Traditional security measures remain crucial for home users, including keeping Windows and security software up to date and avoiding unsolicited attachments and apps.
Businesses should enable protective features such as tamper protection for security software, deploy modern attack detection systems, and monitor suspicious activity. Regular backups are also important and should be stored in a separate location from the PC.