Microsoft has dissected a destructive Windows backdoor named GigaWiper, a sophisticated malware that integrates three older destructive tools into one. This backdoor allows attackers to choose from three different destructive commands: wiping the disk entirely, overwriting the Windows drive, or running fake ransomware that encrypts files without saving the key. This makes GigaWiper a powerful tool for attackers who have already infiltrated a system, emphasizing the need for early detection and reliable offline backups. The same malicious files have been identified under another name, BLUERABBIT, by Binary Defense, with both firms noting the same command servers. Google’s Threat Intelligence Group links the malware to a likely Iran-affiliated group targeting Israeli organizations, although Microsoft has not officially named any country. GigaWiper, written in Go and running on Windows, not only destroys data but can also spy on infected PCs, capturing screenshots and keystrokes, and even starting hidden VNC sessions. It poses as OneDrive to avoid detection, using legitimate business services like RabbitMQ, Redis, and MinIO for command traffic, making it difficult to discern in network traffic. The malware’s fake ransomware code traces back to Crucio, and the multi-pass wiper to FlockWiper, suggesting they share a developer. Microsoft discovered a recurring tag linking these tools, hinting at an ongoing development process. The tactic mirrors the infamous NotPetya attack from 2017, where ransomware was used as a disguise for data destruction. For defenders, the challenge is clear: with a tool like GigaWiper that can both spy and destroy, understanding the attacker's intent becomes more complex. Microsoft advises enabling tamper protection, blocking known command servers, and using endpoint detection in block mode as part of a comprehensive defense strategy.
GigaWiper: The Destructive Windows Backdoor Unveiled
GigaWiper backdoor combines disk-wiping, overwriting, and fake ransomware behaviors to deliver destructive Windows intrusions.


