Iranian Cert issues warning over fresh 'wiping' malware

News by Dan Raywood

Malware that has the ability to 'wipe' its actions has been detected in the Middle East.


According to research by AlienVault, the malware is a self-extracting RAR file with the name GrooveMonitor.exe that has code to delete files on different drives on specific dates. When the bat file is executed, the juboot.exe file is deleted as well as the GrooveMonitor.exe executable that resides in the start menu folder.

“The bat file checks the system date and if it matches one of the predefined dates, it executes the wiping routine. This routine checks for system drives and it then deletes every file on those drives. Finally, it deletes the user profile folder,” the company said.

Jaime Blasco, labs manager at AlienVault, said: “When the installer is executed, it adds a registry entry that ensures the malware's persistence across system reboots and creates a Windows batch file containing the data wiping routine.
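The behaviour described above (a batch file that compares the system date against a hard-coded list and, on a match, recursively deletes drive contents and the user profile folder) is simple enough to flag statically. The following is an added example written for this article, not AlienVault's code and not the Batchwiper sample itself: a small Python scanner that reads batch scripts and reports the combination of indicators a defender would look for. The two embedded scripts are constructed for the demonstration and are never executed; the indicator names and the thresholds in `is_wiper_like` are the author's assumptions, not something the advisory specifies.

```python
import re
from pathlib import Path
from typing import Dict, List

# Constructed sample: an ordinary maintenance script (no date trigger, no recursive delete).
BENIGN_BAT = r"""@echo off
rem nightly log rotation
del /q C:\Logs\app.old
copy C:\Logs\app.log C:\Logs\app.old
"""

# Constructed sample mirroring the pattern the article describes: a date check
# gating a recursive delete of a drive and of the user profile folder.
# The dates are placeholders chosen for this example.
SUSPICIOUS_BAT = r"""@echo off
if "%date%"=="12/10/2012" goto wipe
if "%date%"=="01/21/2013" goto wipe
goto end
:wipe
del /f /s /q D:\*.*
rmdir /s /q "%USERPROFILE%"
:end
"""

# Heuristics (assumptions for this example): each regex is one indicator.
DATE_CHECK = re.compile(r"%date%", re.IGNORECASE)
# del/erase/rd/rmdir invoked with the /s (recurse) switch anywhere on the line
RECURSIVE_DELETE = re.compile(r"^\s*(del|erase|rd|rmdir)\b.*\s/s\b",
                              re.IGNORECASE | re.MULTILINE)
# A wildcard rooted at a drive letter, e.g. D:\*
DRIVE_ROOT = re.compile(r"\b[a-z]:\\\*", re.IGNORECASE)
# References to the user profile directory
PROFILE_TARGET = re.compile(r"%userprofile%|\\users\\|documents and settings",
                            re.IGNORECASE)

INDICATORS: Dict[str, re.Pattern] = {
    "date_trigger": DATE_CHECK,
    "recursive_delete": RECURSIVE_DELETE,
    "drive_root_target": DRIVE_ROOT,
    "user_profile_target": PROFILE_TARGET,
}


def score_batch(text: str) -> List[str]:
    """Return the names of all indicators present in a batch script's text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def is_wiper_like(text: str) -> bool:
    """A script is flagged when a date trigger gates a recursive delete that
    targets either a drive root or the user profile (assumed threshold)."""
    hits = set(score_batch(text))
    return ("date_trigger" in hits
            and "recursive_delete" in hits
            and bool(hits & {"drive_root_target", "user_profile_target"}))


def scan_paths(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree and report indicator hits for every .bat/.cmd file."""
    report: Dict[str, List[str]] = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in {".bat", ".cmd"} and path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = score_batch(text)
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_BAT), ("suspicious", SUSPICIOUS_BAT)):
        print(f"{label}: indicators={score_batch(sample)} wiper_like={is_wiper_like(sample)}")
```

Run as a script it prints the indicator list for each embedded sample; `scan_paths` applies the same checks to every batch file under a directory such as a start menu or startup folder, which is where the article says the dropped executable and batch file reside. Date-triggered logic on its own is common in legitimate scripts, so only the combination of indicators is treated as a hit.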

Due to its use of batch files - script files to be executed by the Windows shell program - the malware has been dubbed ‘Batchwiper'. It is not clear how the malware is being distributed. The dropper could be deployed using several vectors, ranging from spear phishing emails, infected USB drives, some other malware already running on computers, or an internal actor uploading it to network shares.

“For some reason several actors are using malware with wiping capabilities in the Middle East. I don't know the reason but we can also say that all of them - Shamoon, this new one, etc - are very simple and don't represent a serious threat. Nevertheless the malware can do a lot of damage if the wiping routines are executed.”

The Iranian computer emergency readiness team (Cert) has issued an advisory, which acknowledged research that the malware wipes files on different drives at various predefined times.

It said: “Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognised by anti-virus software. However, it is not considered to be widely distributed.

“This targeted attack is simple in design and it is not similar to the other sophisticated targeted attacks.”

Earlier this year, Kaspersky Lab warned of the ‘Wiper' malware that was so well written that once it was activated, no data survived. Its forensic analysis of hard disk images that had been wiped found that the malicious program wiped the hard disks of the targeted systems and destroyed all data that could be used to identify the malware.

Tal Be'ery, web research team leader at Imperva, said that GrooveMonitor does not pose a real threat to companies as it only attacks local files and not databases or file shares.

“When all of your data gets wiped and your anti-virus proves to be worthless, do you take comfort in the fact the malware was simplistic? Indeed, this new malware raises the question – are these just singular incidents or do we witness a trend of malware designed to corrupt data rather than steal it? While all three malware attacks originated in Iran, a country of great interest for several espionage agencies around the world, only Wiper is believed to be state-sponsored,” he said.
