Unraveling GigaWiper: The Composite Backdoor Forged from Multiple Malware

0
4

Key Takeaways

  • GigaWiper is a Golang‑based backdoor that bundles multiple destructive capabilities—disk wiping, fake ransomware, and system‑level sabotage—into a single modular implant.
  • The malware shares code with two known threat families: the wiper logic derives from FlockWiper, while the ransomware‑like encryption routine is taken from Crucio ransomware.
  • Persistence is achieved via a registry‑tracked scheduled task named “OneDrive Update” that runs every minute and at system start.
  • Command‑and‑control (C2) communication uses RabbitMQ (AMQP) for receiving commands and Redis for reporting results, with hard‑coded credentials and IP addresses observed in the wild.
  • The backdoor exposes 20 distinct commands, ranging from disk wiping and BSOD induction to screen capture, keylogging, process/service/registry manipulation, and VNC‑style remote control.
  • Defensive measures include enabling tamper protection, cloud‑delivered protection, EDR in block mode, and specific Microsoft Defender XDR attack‑surface‑reduction rules.
  • Indicators of compromise (IOCs) provide SHA‑256 hashes for the backdoor, standalone wiper, and related families, plus two C2 IP addresses (185.182.193.21 and 212.8.248.104).

Overview of GigaWiper
In October 2025 Microsoft Threat Intelligence uncovered a destructive Golang‑based implant dubbed GigaWiper. The tool functions as a backdoor that can execute a variety of malicious actions on demand, most notably wiping physical disks, encrypting files with unsalvageable keys, and triggering system‑level sabotage such as BSODs. Rather than a single‑purpose wiper, GigaWiper amalgamates several older malware families into a unified platform, giving attackers flexibility to switch between espionage and destruction while keeping a relatively small footprint.

Architecture and Core Components
GigaWiper consists of two primary binary types: a standalone wiper and a larger backdoor that incorporates the wiper as one of its commands. Both are unstripped PE files written in Golang. The standalone wiper operates at the physical disk level, enumerating drives via WMI, identifying the Windows installation drive, removing partition tables from non‑system disks, overwriting raw disk content in randomized chunks, and finally forcing an immediate reboot. The same wiping routine is embedded within the backdoor as the function rabbit_tools_tool_wipe_main.WipeMain, confirming that the wiper is not a separate tool but a callable command.

Persistence Mechanism
To survive reboots, GigaWiper creates a registry key HKCU\SOFTWARE\OneDrive\Environment initialized to “0”. On first execution it creates a scheduled task named “OneDrive Update” that runs the malware each minute and at system start. Subsequent runs increment the registry value, detect execution from the Task Scheduler, and continue normal operation. This method provides low‑profile persistence without needing elevated privileges beyond what the initial infection already possesses.

Command‑and‑Control Communication
The backdoor uses two channels for C2: RabbitMQ over AMQP for receiving commands and Redis for uploading results. A hard‑coded AES key decrypts an embedded configuration that specifies the C2 endpoints (e.g., 185.182.193.21:5544 for RabbitMQ and the same IP:7542 for Redis) and credentials. Commands are delivered as cmd.Task structures containing a task ID, command code, and arguments. After execution, the malware posts a cmd.Result struct to Redis, reporting error status, target IP, computer name, output, working directory, timestamps, and work status. The use of a fanout exchange named “All” enables broadcast commands, while a topic exchange named “Topic” allows actors to issue targeted instructions via routing keys managed through command 8.

Command Catalog
GigaWiper implements twenty distinct commands, each identified by a numeric code:

  1. WipeMain – invokes the core disk‑wiping routine (identical to the standalone wiper).
  2. BSOD Trigger – disables Windows recovery, takes ownership of critical boot files, deletes them, and forces a blue‑screen error that prevents booting.
  3. Ransomware‑Like Encryption – calls RanMainBigBangExtortMain to AES‑CBC encrypt user files with random, unsaved keys, appending the .candy extension and setting a ransom‑themed wallpaper; decryption is impossible.
  4. MinIO Upload – uploads a specified file to attacker‑controlled storage using the MinIO client (mc.exe).
  5. File Encryption/Decryption Utility – performs AES‑256 CBC encryption or decryption of files or directories, generating a random key/IV if none supplied.
  6. Unimplemented (wipe‑file placeholder) – referenced in logs but not populated in the analyzed binaries.
  7. Shell/Special Command – runs PowerShell commands, appending a marker to capture output and optionally changes the working directory; special sub‑commands purge command queues or report the current path.
  8. RabbitMQ Route Manager – binds/unbinds routing keys to the “Topic” exchange for targeted C2.
  9. Screenshot Capture – takes a picture of each active monitor and saves it as a PNG with a timestamp.
  10. Screen Recording – records the user’s screen when not idle and the workstation is unlocked, storing footage in C:\ProgramData\output.
  11. Keylogger Placeholder – referenced in logs as “Exec cmd keylog”; actual code not observed in the sample.
  12. WipeCMain – secure wipe limited to the Windows installation drive, performing multiple passes (0s, 0xFF, random bytes) with timing output between passes.
  13. Wipe32 Placeholder – another wiper reference inferred from logging (“Exec cmd wipe32”).
  14. Not implemented.
  15. System Information Collector – gathers IP, machine GUID, CPU, OS, network, firmware, user, and antivirus details via GRATClientInfo.
  16. Process Manager – creates, suspends, resumes, kills, lists, or queries processes based on supplied arguments.
  17. Service Manager – mirrors the process manager for services (create, delete, start, stop, restart, query, list).
  18. Registry Manager – provides an interactive‑style interface to navigate, create, delete, or modify registry keys and values, persisting state across requests via goroutine‑based channels.
  19. Event Log Cleaner – deletes System, Setup, Application, and ForwardedEvents logs; attempts to remove the Security log, printing a hard‑coded string on failure.
  20. VNC‑Like Remote Control – opens a TCP port (specified in the command), adds firewall rules mimicking legitimate Windows rules, and allows attackers to send keyboard/mouse input while streaming the screen.

Origins and Code Reuse
Analysis shows that GigaWiper is not a monolithic creation but a consolidation of at least three earlier malware families. The wiping logic in commands 1 and 12 mirrors FlockWiper, a C‑based wiper first seen in mid‑2025; GigaWiper reimplements FlockWiper’s flow in Golang, preserving many identical strings and adding multi‑pass secure wiping in command 12. The ransomware‑like encryption routine in command 3 is directly sourced from the Crucio ransomware documented by CISA in December 2023, sharing the same function names (BigBangExtortMain) and the characteristic of generating random, unsaved encryption keys. Throughout the backdoor, references to the string “GRAT” appear in function names and in PDB paths of FlockWiper samples (A:\GRAT\CWipeNew\Release\CWipeNew.pdb, etc.), suggesting a common development framework or internal toolset used by the threat actor.

Defensive Measures
Organizations can reduce the risk posed by GigaWiper through a layered approach:

  • Enable tamper protection in Microsoft Defender Antivirus to block attackers from disabling security services.
  • Activate cloud‑delivered protection to leverage machine‑learning models that detect novel variants.
  • Run Endpoint Detection and Response (EDR) in block mode so malicious artifacts are quarantined even if traditional AV misses them.
  • Use full automated investigation and remediation in Defender for Endpoint to accelerate containment.
  • Deploy specific attack‑surface‑reduction rules (e.g., block abuse of WMI, restrict scheduled task creation, limit access to LSASS, and prevent unauthorized registry modifications) available in Microsoft Defender XDR.
  • Maintain up‑to‑date threat‑intelligence feeds and block traffic to known C2 IPs (185.182.193.21, 212.8.248.104) at the firewall or proxy level.

Indicators of Compromise
The following IOCs have been associated with GigaWiper and its predecessors:

  • SHA‑256 hashes – GigaWiper backdoor: 633d4cbd496b1094495da89a64f5e6c31a0f6d4d1488411db5b0cba1cfe42001, ce9ad5f6c12019f4aae5b189bd8ddf5bb09e75b06a0a587b25a855c65948c913, f622ed85ef31ad4ab973f4e74524866fe1bb44f0965ad2b2ad796cd657a05bfd, 9706a192e2c1a1faaf0a521daf31c2af60ff4590e3f47bbb4abc227f42af06830683; standalone wiper:3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f23`.
  • Standalone wiper: 3c30deb6556a94cfb84ae51798f4aecfae8c7358e55fdb321c5f2376579631cd.
  • Crucio sample: 440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3.
  • FlockWiper samples: 12c39f052f030a77c0cd531df86ad3477f46d1287b8b98b625d1dcf89385d721, db41e0da7ab3305be8d9720769c6950b4dc1c1984ef857d3310eb873a0fc7674.
  • C2 IP addresses: 185.182.193.21 (RabbitMQ 5544 / Redis 7542) and 212.8.248.104.

Security teams should search for these hashes in endpoint telemetry, monitor outbound connections to the listed IPs, and hunt for the registry key HKCU\SOFTWARE\OneDrive\Environment and the scheduled task “OneDrive Update”.

Conclusion
GigaWiper exemplifies a growing trend among threat actors: consolidating disparate malicious functions into a single, modular backdoor to increase operational flexibility while minimizing the number of distinct files deployed. By merging code from FlockWiper and Crucio, the actor gains both reliable disk‑wiping capabilities and a convincing ransomware façade that guarantees data loss. The implant’s persistence, versatile C2 channels, and extensive command set enable long‑term espionage, data destruction, and remote control. Defenders must therefore adopt comprehensive mitigations—tamper protection, cloud‑based AV, EDR in block mode, and targeted ASR rules—while leveraging the provided IOCs to detect and eradicate this threat. Continued monitoring of the actor’s tooling evolution will be crucial as they likely recycle and refine these components in future campaigns.

SignUpSignUp form

LEAVE A REPLY

Please enter your comment!
Please enter your name here