Batchwiper is the latest malware targeting Iranian computers. Its existence was reported by Iran’s CERTCC (Computer Emergency Response Team Coordination Center), and according to reports it is designed to wipe disk partitions. Partitions labeled D through I are systematically erased, along with the desktop files of the logged-on user. The malware is described as efficient and simple, and as able to operate unrecognized by antivirus software.
“The latest investigation, done by the Maher center in cyberspace, identified a new targeted data-wiping malware. Primitive analysis revealed that this malware wipes files on different drives at various predefined times. Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software. However, it is not considered to be widely distributed. This targeted attack is simple in design and does not bear any similarity to the other sophisticated targeted attacks.”
Reports are coming in from a number of sources regarding its behavior. AlienVault shared the details on how Batchwiper remains persistent through registry modification.
The code is very simple: it deletes files on different drives on specific dates.
The original dropper is a self-extracting RAR file with the name GrooveMonitor.exe. Once executed it extracts the following files:
\WINDOWS\system32\SLEEP.EXE, md5: ea7ed6b50a9f7b31caeea372a327bd37
\WINDOWS\system32\jucheck.exe, md5: c4cd216112cbc5b8c046934843c579f6
\WINDOWS\system32\juboot.exe, md5: fa0b300e671f73b3b0f7f415ccbe9d41
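For defenders who want to check a host for these dropped artifacts, the following is an added example written for this article (not AlienVault's or Maher's tooling) that sweeps a System32 directory for the three filenames above and verifies each hit by MD5, since a filename alone can collide with legitimate software. The directory path and the constructed demo file are assumptions; the hashes are the ones listed above.

```python
"""Sweep a directory for the Batchwiper dropper artifacts named in the
article, verifying by MD5 rather than by filename alone."""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators from the article: dropped filename -> MD5 of the dropped file.
BATCHWIPER_IOCS = {
    "SLEEP.EXE": "ea7ed6b50a9f7b31caeea372a327bd37",
    "jucheck.exe": "c4cd216112cbc5b8c046934843c579f6",
    "juboot.exe": "fa0b300e671f73b3b0f7f415ccbe9d41",
}

def md5_of(path: Path) -> str:
    """Stream the file through MD5 so large binaries do not load into memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_for_iocs(directory: Path, iocs: dict = BATCHWIPER_IOCS) -> dict:
    """Return {ioc_filename: 'match' | 'name-only' | 'absent'} for the directory.
    'name-only' means a file with that name exists but its hash differs, so it
    is likely a benign namesake rather than the dropped component."""
    # Case-insensitive lookup mirrors Windows filename semantics.
    present = {p.name.lower(): p for p in directory.iterdir() if p.is_file()}
    verdicts = {}
    for name, known_md5 in iocs.items():
        hit = present.get(name.lower())
        if hit is None:
            verdicts[name] = "absent"
        else:
            verdicts[name] = "match" if md5_of(hit) == known_md5 else "name-only"
    return verdicts

def demo_constructed() -> dict:
    """Run the scan on a constructed directory (assumption, not a real System32)
    holding one benign file that merely shares the jucheck.exe name."""
    with tempfile.TemporaryDirectory() as d:
        fake = Path(d) / "jucheck.exe"
        fake.write_bytes(b"constructed benign content, not the sample")
        by_article = scan_for_iocs(Path(d))
        # Same file scanned against its own hash: exercises the 'match' path
        # without needing the real malware sample on disk.
        by_own_hash = scan_for_iocs(Path(d), {"JUCHECK.EXE": md5_of(fake)})
    return {"article_iocs": by_article, "own_hash": by_own_hash}

if __name__ == "__main__":
    print(demo_constructed())
    if os.name == "nt":  # only meaningful on a Windows host
        print(scan_for_iocs(Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"))
```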
We know it’s simple, we know it’s destructive, we know it’s persistent. What people are asking now is how the malware actually spreads. It could be anything from sneaker-net to spear-phishing, or, as AlienVault adds:
We don’t have details about the infection vector, but based on the dropper it could be deployed using USB drives, internal actors, spear-phishing, or probably as the second stage of a targeted intrusion.
Here’s the interesting thing: a very loose association is currently being suggested between this and the Flame/Duqu/Stuxnet family of cyberwarfare tools, casting it as the latest targeted attack in that lineage. The only confirmed common factor is that infections are being reported from Iranian computers. Still, destroying data in such a specific way, on specific dates, while evading detection paints a picture in which, of the possible infection vectors, a second-stage component of a larger attack makes the most sense. We will most certainly hear more about this in the weeks to come, and more news in the coming year.