Is it Wiper again? Not exactly!

Targeted attacks, which attempt to breach the security measures of an organization, have been around for a number of years. Each targeted attack uses its own techniques to steal valuable information from the targeted organization. In addition, CERTCC.IR has discovered a targeted attack that wipes files stored on the hard disks.

Overview of the Attack

The infection occurs when the user executes a self-extracting RAR file (the initial dropper), which installs additional malware onto the victim's machine.

This is a very simple attack. The attacker has used BAT files to perform the sequence of malicious activities, and a BAT2EXE conversion tool has been used to turn these BAT files into executable files.

The malicious payload first checks the date on the victim's machine; if it matches one of the dates listed below (mm-dd-yyyy), it waits 50 minutes and then starts wiping the files on the logical drives listed below.

List of drives checked:

  • D
  • E
  • F
  • G
  • H
  • I

This malware triggers the delete operation only on specific dates, which run through the year 2015.

Trigger dates by year (mm-dd-yyyy):

2012         2013         2014         2015
12-10-2012   01-21-2013   02-03-2014   02-02-2015
12-11-2012   01-22-2013   02-04-2014   02-03-2015
12-12-2012   01-23-2013   02-05-2014   02-04-2015
             05-06-2013   05-05-2014
             05-07-2013   05-06-2014
             05-08-2013   05-07-2014
             07-22-2013   08-11-2014
             07-23-2013   08-12-2014
             07-24-2013   08-13-2014
             11-11-2013
             11-12-2013
             11-13-2013

In addition, this malware has the capability to delete files in the %UserProfile%\Desktop location. Finally, it runs chkdsk on the drives listed above.
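The trigger-date table and the chkdsk-after-wipe behaviour described above give a defender two concrete things to check: whether a given date is one the payload acts on (for scheduling backups and heightened monitoring), and whether process logs show chkdsk being run against drives D: through I: on such a date. The script below is an added example, not code from the original write-up or from McAfee; the log-line format and the sample log lines are constructed for the demonstration, and the only facts it takes from the page are the date list, the drive letters, and the chkdsk step.

```python
from datetime import date, datetime
import re

# Trigger dates taken from the write-up's table (mm-dd-yyyy).
TRIGGER_DATES_RAW = [
    "12-10-2012", "12-11-2012", "12-12-2012",
    "01-21-2013", "01-22-2013", "01-23-2013",
    "05-06-2013", "05-07-2013", "05-08-2013",
    "07-22-2013", "07-23-2013", "07-24-2013",
    "11-11-2013", "11-12-2013", "11-13-2013",
    "02-03-2014", "02-04-2014", "02-05-2014",
    "05-05-2014", "05-06-2014", "05-07-2014",
    "08-11-2014", "08-12-2014", "08-13-2014",
    "02-02-2015", "02-03-2015", "02-04-2015",
]

# Logical drives the malware wipes and then runs chkdsk against (from the write-up).
WIPED_DRIVES = set("DEFGHI")


def parse_trigger_dates(raw=TRIGGER_DATES_RAW):
    """Convert the mm-dd-yyyy strings into a set of date objects."""
    return {datetime.strptime(s, "%m-%d-%Y").date() for s in raw}


TRIGGER_DATES = parse_trigger_dates()


def _as_date(value):
    """Accept either a date or an ISO yyyy-mm-dd string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def is_trigger_date(value):
    """True when the given day is one the payload would act on."""
    return _as_date(value) in TRIGGER_DATES


def next_trigger_date(after):
    """First trigger date on or after `after`, or None once the list is exhausted."""
    later = sorted(t for t in TRIGGER_DATES if t >= _as_date(after))
    return later[0] if later else None


# Constructed log-line format (assumption, not a real product format):
# "<yyyy-mm-dd> <HH:MM:SS> <host> <image> <command line>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (.*)$")
CHKDSK_RE = re.compile(r"\bchkdsk\b\s+([A-Za-z]):", re.IGNORECASE)


def analyze_log(lines):
    """Flag chkdsk runs against the wiped drives; 'high' severity on a trigger date."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts_text, host, image, cmdline = m.groups()
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        for drive in CHKDSK_RE.findall(cmdline):
            drive = drive.upper()
            if drive not in WIPED_DRIVES:
                continue  # chkdsk on C: or other drives is not this malware's pattern
            severity = "high" if is_trigger_date(ts.date()) else "low"
            findings.append({"time": ts, "host": host, "image": image,
                             "drive": drive, "severity": severity})
    return findings


# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    "2013-01-22 09:14:03 WS-17 cmd.exe chkdsk D:",
    "2013-01-22 09:14:09 WS-17 cmd.exe chkdsk E:",
    "2013-03-04 11:02:55 WS-03 cmd.exe chkdsk C:",
    "2013-03-04 11:03:10 WS-03 cmd.exe chkdsk F:",
    "2013-01-22 09:15:00 WS-17 notepad.exe report.txt",
]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['severity'].upper():4} {f['host']} {f['time']} chkdsk on {f['drive']}:")
    print("next trigger date on or after 2013-01-01:", next_trigger_date("2013-01-01"))
```

Run against real process-creation telemetry, the high-severity hits (chkdsk on D: through I: on a trigger date) are the ones worth immediate triage, since by the time chkdsk runs the 50-minute delay has already elapsed and the wipe has started; the low-severity hits are ordinary maintenance until proven otherwise.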

The intent of this malware is quite straightforward. Our initial analysis shows that it has no connection to previous attacks such as Stuxnet, Skywiper, and Gauss. McAfee detects this malware as “batchwiper” and the initial dropper as “batchwiper.dr”.