New wiper malware in Iran confirms the age of cyber-sabotage

The dropper file is GrooveMonitor.exe, likely named as a disguise after the Office collaboration feature called Microsoft Office Groove. Maher describes the malware as ‘targeted’ but gives no information on the possible targets nor method of infection. The dropper name may suggest that targets are specific teams collaborating on particular work or research, and, as Roel Schouwenberg, a security expert with Kaspersky Lab comments, “the era of cyber-sabotage has arrived. Be prepared.”

The malware itself is simple but effective. It shows no similarity to the sophistication of the probably state-sponsored malware that has attacked Iran, such as Stuxnet, Flame, and the more formidable original Wiper. Nevertheless, it is effective in wiping drives D to I and the user’s desktop. 

The dropper file is an archive containing three EXEs: Sleep, Jucheck and Juboot. They create batch files (both AlienVault and Symantec call the malware ‘BatchWiper’). According to an analysis by Jaime Blasco at AlienVault, juboot attempts to create persistence with a Registry entry that executes jucheck.exe on start-up. Jucheck then creates the payload jucheck.bat. It only operates on predefined dates, but if the date qualifies, it runs through drives D to I plus the user desktop with the simple but effective command, ‘IF EXIST d:\ del “d:\*.*” /q /s /f’.

After each wipe, jucheck.bat also runs chkdsk, presumably suggests Schouwenberg, “trying to make the loss of all files look like a software or hardware failure.”

But there is what appears to be an oversight. The third EXE, sleep.exe, is 16 bit only and will not run on 64 bit machines. When it tries to execute, Windows pops up its standard ‘Program Cannot Start or Run’ alert. “This immediately gives away the malware's presence on a x64 machine,” comments Schouwenberg.

As yet, nothing is known about the attackers, the targets (apart from Iran), nor the infection vector. “We don’t have details about the infection vector but based on the dropper it could be deployed using USB drives, internal actors, SpearPhishing or probably as the second stage of a targeted intrusion,” suggest Blasco.

What’s Hot on Infosecurity Magazine?