Targeted attacks, which attempt to breach an organization's security measures, have been around for a number of years. Each targeted attack uses its own techniques to steal valuable information from the targeted organization. In addition, CERTCC.IR has discovered a targeted attack that wipes files stored on the hard disks.
Overview of the Attack
The infection occurs when a user executes a self-extracting RAR file (the initial dropper), which installs additional malware onto the victim's machine.
This is a very simple attack. The attacker has used BAT files to perform the sequence of malicious activities, and some BAT2EXE conversion tool has been used to turn these BAT files into executable files.
The malicious payload first checks the date on the victim's machine. If it matches one of the dates listed below (mm-dd-yyyy), the payload waits for 50 minutes and then starts wiping the files on the logical drives listed below.
List of drives checked:
- D
- E
- F
- G
- H
- I
This malware triggers the delete operation only on the following specific dates, the last of which falls in the year 2015.

| 2012 | 2013 | 2014 | 2015 |
|---|---|---|---|
| 12-10-2012 | 01-21-2013 | 02-03-2014 | 02-02-2015 |
| 12-11-2012 | 01-22-2013 | 02-04-2014 | 02-03-2015 |
| 12-12-2012 | 01-23-2013 | 02-05-2014 | 02-04-2015 |
| | 05-06-2013 | 05-05-2014 | |
| | 05-07-2013 | 05-06-2014 | |
| | 05-08-2013 | 05-07-2014 | |
| | 07-22-2013 | 08-11-2014 | |
| | 07-23-2013 | 08-12-2014 | |
| | 07-24-2013 | 08-13-2014 | |
| | 11-11-2013 | | |
| | 11-12-2013 | | |
| | 11-13-2013 | | |
In addition, this malware has the capability to delete files in the %UserProfile%\Desktop directory. Finally, it runs chkdsk on the above mentioned drives.
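To help an incident responder correlate forensic evidence with the behaviour described above, the following Python example (added here; it is not part of the CERTCC.IR or McAfee analysis) checks whether observed file-deletion events fit the trigger dates, the 50-minute delay and the targeted locations. The Desktop path layout and the sample deletion events are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Trigger dates (mm-dd-yyyy) taken from the table above.
TRIGGER_DATES = {
    "12-10-2012", "12-11-2012", "12-12-2012",
    "01-21-2013", "01-22-2013", "01-23-2013",
    "05-06-2013", "05-07-2013", "05-08-2013",
    "07-22-2013", "07-23-2013", "07-24-2013",
    "11-11-2013", "11-12-2013", "11-13-2013",
    "02-03-2014", "02-04-2014", "02-05-2014",
    "05-05-2014", "05-06-2014", "05-07-2014",
    "08-11-2014", "08-12-2014", "08-13-2014",
    "02-02-2015", "02-03-2015", "02-04-2015",
}
WIPE_DELAY = timedelta(minutes=50)   # the payload waits 50 minutes before deleting
WIPED_DRIVES = set("DEFGHI")         # logical drives the payload wipes
# Assumed layout of %UserProfile%\Desktop on XP / Vista / 7 style hosts.
DESKTOP_RE = re.compile(r"^[a-z]:\\(users|documents and settings)\\[^\\]+\\desktop\\", re.I)

def wipe_start(execution_time):
    """Return when wiping would begin for a dropper run at execution_time,
    or None if that day is not one of the trigger dates."""
    if execution_time.strftime("%m-%d-%Y") not in TRIGGER_DATES:
        return None
    return execution_time + WIPE_DELAY

def is_wiper_target(path):
    """True if path lies on a wiped drive or under the user's Desktop."""
    if path[:1].upper() in WIPED_DRIVES and path[1:3] == ":\\":
        return True
    return DESKTOP_RE.match(path) is not None

def correlate(events, execution_time):
    """Return the (timestamp, path) events consistent with this wiper:
    the dropper ran on a trigger date, the deletion happened at or after
    the 50-minute delay, and the path is one the payload targets."""
    start = wipe_start(execution_time)
    if start is None:
        return []
    return [(ts, p) for ts, p in events if ts >= start and is_wiper_target(p)]

# Constructed sample deletion events, as a file-system journal might record them.
SAMPLE_EVENTS = [
    (datetime(2012, 12, 10, 9, 55), r"D:\projects\report.docx"),
    (datetime(2012, 12, 10, 9, 10), r"E:\backup\data.db"),          # before the delay expired
    (datetime(2012, 12, 10, 10, 0), r"C:\Users\alice\Desktop\notes.txt"),
    (datetime(2012, 12, 10, 10, 0), r"C:\Windows\Temp\x.tmp"),       # not a targeted location
]

if __name__ == "__main__":
    for ts, p in correlate(SAMPLE_EVENTS, datetime(2012, 12, 10, 9, 0)):
        print(ts, p)
```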
The intent of this malware is quite straightforward. Our initial analysis shows that it has no connection to previous attacks such as Stuxnet, Skywiper and Gauss. McAfee detects this malware as "batchwiper" and the initial dropper as "batchwiper.dr".