Another data-wiping malware program found in Iran
- — 17 December, 2012 13:27
A new piece of malware that deletes entire partitions and user files from infected computers has been found in Iran, according to an alert issued Sunday by Maher, Iran's Computer Emergency Response Team Coordination Center (CERTCC).
Maher Center described the new threat as a targeted attack, but said that it has a simple design and is not similar to other sophisticated targeted attacks previously seen in the region. "Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software," the center said in its advisory.
Several security companies have confirmed Maher's findings and said the threat is unsophisticated.
The malware is designed to delete all data from disk partitions identified with letters D to I, as well as files located on the desktop of the currently logged in user, security researchers from antivirus vendor Symantec said Monday in a blog post.
The malware initiates its data wiping routine on certain dates, the next one being Jan. 21 2013. However, the dates of Oct. 12, Nov. 12 and Dec. 12, 2012, were also found in the malware's configuration, suggesting that it may have been in distribution for at least two months.
The Maher Center said the malware's installer, also known as the dropper, is called GrooveMonitor.exe. That filename was likely chosen as a disguise because it is normally associated with a legitimate Microsoft Office 2007 document collaboration feature called Microsoft Office Groove.
According to an analysis of the new threat by researchers from security firm AlienVault, when the installer is executed, it adds a registry entry that ensure the malware's persistence across system reboots and creates a Windows batch file containing the data wiping routine.
Because of its use of batch files -- script files to be executed by the Windows shell program -- the malware has been dubbed "Batchwiper."
It's not clear how the malware is being distributed. The dropper could be deployed using several vectors, ranging from spearphishing emails, infected USB drives, some other malware already running on computers, or an internal actor uploading it to network shares, AlienVault Labs manager Jaime Blasco said via email.
Despite the fact that this malware is not sophisticated, if its wiping routines are executed, it can do a lot of damage, Blasco said.
Batchwiper is not the first data wiping malware found in the Middle East. Earlier this year, an investigation into a mysterious piece of malware that reportedly destroyed data from Iranian energy sector servers led to the discovery of the Flame cyberespionage threat.
In August, security researchers identified another unrelated piece of malware with data wiping capabilities called Shamoon. The malware is believed to have been used in an attack against Saudi Aramco, Saudi Arabia's national oil company, and affected of thousands of computer systems.
"Kaspersky Lab is currently researching the latest form of data wiping malware that was reported on December 16, 2012 by the Iranian Maher CERT," a representative of Kaspersky Lab said Monday via email. "Preliminary analysis suggests the malware is unsophisticated and does not appear to be related to the Wiper or Shamoon/DistTrack malware from earlier this year."
The malware nonetheless points to a trend of destructive code being used in the Middle East region.
"I do agree that this is not common in other parts of the world, and it can suggest that in the Middle East it might be easier for attackers to decide to take such actions to cover their tracks," Aviv Raff, chief technology officer of Israel-based IT security firm Seculert said via email. Seculert researchers have analyzed Batchwiper and confirm that it doesn't appear to have any direct connection to Shamoon, he said.