Microsoft Details GigaWiper, a Modular Windows Backdoor Built for Destruction
Microsoft has analyzed a Windows backdoor that combines disk wiping, irreversible file encryption, surveillance and remote-control features in a single modular package. The company calls the Golang-ba...
Microsoft has analyzed a Windows backdoor that combines disk wiping, irreversible file encryption, surveillance and remote-control features in a single modular package. The company calls the Golang-based malware GigaWiper and says it has been observed in attacks since at least October.
Threat researchers identified two GigaWiper variants in victim environments. One is a standalone wiper that works directly against physical disks, overwriting raw storage data and deleting partition information before forcing the computer to restart. The second sample includes those capabilities as one part of a broader backdoor.
The backdoor establishes persistence and communicates with its operators through RabbitMQ over the Advanced Message Queuing Protocol. Redis is used to update command status and results. Its functions are organized into command groups, including tasks that run continuously, system-management operations, shell execution and specialized destructive actions.
Multiple paths to data loss
Among the available commands is one that disables Windows recovery features and can deliberately trigger a blue screen, leaving the system unable to boot. Another component, derived largely from Crucio ransomware, encrypts files with randomly generated keys that are not retained. That design prevents victims from recovering the affected files through decryption.
GigaWiper also includes bulk encryption and decryption using AES-256 in Cipher Block Chaining mode, as well as a MinIO Client-based function for transferring stolen data to remote storage. Additional capabilities include PowerShell execution, screenshots, continuous screen recording, system-information collection, Windows event-log clearing and remote keyboard and mouse control.
Microsoft said the tool brings together elements from at least three previously distinct malware families: Crucio ransomware, a Go-based implementation of FlockWiper and a separate disk wiper. The consolidation gives operators both extortion-style and destructive options, although the company did not disclose how many organizations have been affected or identify the attackers.
The findings indicate that destructive malware is evolving beyond single-purpose wiping tools. By packaging disruption, surveillance, data theft and irreversible encryption into one backdoor, operators can select or combine actions after gaining access to a system.
