Computer systems in Iran are being targeted by a new strain of malware that is capable of wiping disk partitions clean of files. Security researchers are calling the attacks simplistic, yet effective.
Researchers at Kaspersky Lab said the malware launches only on pre-determined dates and will delete all files on drives D through I. It also deletes user profiles and will wipe all files on the computer’s desktop.
“This is an extremely simplistic attack,” Kaspersky Lab researcher Roel Schouwenberg said. “The attacker wrote some BAT files and then used a BAT2EXE tool to turn them into Windows PE files.”
Once a partition has been wiped clean, the malware will run the chkdsk command against the machine to check the status of the infected drive, perhaps to make the attack look like a system or hardware failure.
The list of dates is as follows:
- 12/10-12/2012
- 1/21-23/2013
- 5/6-8/2013
- 7/22-24/2013
- 11/11-13/2013
- 2/3-5/2014
- 5/5-7/2014
- 8/11-13/2014
- 2/2-4/2015
Kaspersky researchers continue to examine the files; they are being detected as Win.32.Maya.a. Schouwenberg said there have been no samples collected from the wild. The malware was reported Sunday by Iran’s Maher Center, the country’s CERT organization.
“It is not considered to be widely distributed,” Maher’s alert said. “This targeted attack is simple in design and it is not any similarity to the other sophisticated targeted attacks.”
The Maher Center identified the dropper as GrooveMonitor.exe, as well as four other executable files.
Schouwenberg also said there is no immediate connection to any previous such attacks.
“Other than the geographic region, there doesn’t seem to be any commonality with this file-deleting malware and the previous attacks we’ve seen,” Schouwenberg said. “Even though the code is extremely simplistic, it looks like the author managed to slip in a mistake by not deleting a line of old code.”
The giveaway is a 16-bit SLEEP file that won’t run on 64-bit Windows machines.
“This is as basic as it gets,” Schouwenberg said. “But if it was effective, that doesn’t matter. If it wasn’t clear already, the era of cyber sabotage has arrived.”
Data-wiping malware has been targeting Middle Eastern organizations for some time. The most destructive was Shamoon, which attacked 30,000 workstations at the Aramco oil facility in Saudi Arabia. Shamoon not only destroyed data on the computers it infected but was able to infect and overwrite the master boot record, rendering the workstations useless. No oil production, however, was affected by the attack.
Shamoon also stole data from the computers it infected and connected via a backdoor to a third-party system, using another machine on the Aramco network as a proxy.
Researchers at Kaspersky looking at some of the first samples of Shamoon noticed a few strings of code that referenced the Wiper malware, though no conclusive connection was ever made between the two. Wiper surfaced in April, attacking computers in Iran and destroying data on those computers. As with this latest malware, Wiper was wiping certain disk partitions.
The analysis of Wiper led Kaspersky researchers to discover the Flame malware. Wiper was extremely difficult to trace because it was so destructive to the machines it infected. What traces that did remain were enough to be able to recover a copy of the registry hive. The researchers found files with similar names to those used by Duqu and eventually learned that the wiping pattern used by Wiper was similar to other destructive pieces of malware.
