The Hacker News reports that Microsoft has detailed a destructive Windows backdoor known as GigaWiper, which is notable for its modular construction, combining three distinct destructive tools into a single, operator-selectable package. This malware is deployed after an attacker has already gained initial access to a system, making early detection and secure, offline backups crucial for defense.GigaWiper, written in Go, operates on Windows and presents operators with numbered commands, three of which are designed for system destruction. These include a raw disk wiper that overwrites the physical drive and partition table, a fake ransomware module (based on Crucio) that encrypts files with a non-recoverable key, and a wiper targeting the Windows drive by overwriting it multiple times. The malware also possesses backdoor capabilities, allowing it to take screenshots, record screen activity, and establish hidden VNC sessions. It collects system details, manages processes, and can manipulate event logs to conceal its presence.GigaWiper disguises itself as OneDrive and uses legitimate services like RabbitMQ, Redis, and MinIO for command and control traffic, making it harder to detect. Microsoft links the fake ransomware code to Crucio and the wiper to FlockWiper, suggesting a single developer. Crucio has been previously associated with Iran-nexus groups targeting Israeli organizations. The tactic of posing as ransomware while performing destructive actions, similar to NotPetya, aims to buy attackers time by misdirecting defenders.Source: The Hacker News




