On Sunday, December 16th the Iranian CERT issued an advisory warning of a new “targeted data wiping malware.”
SophosLabs analyzed these new samples and can confirm that they do in fact attempt to erase the contents of any files on the D:, E:, F:, G:, H: and I: drives.
What is less apparent is why Iran considers this malware to be targeted and, if this malware is indicative of the sophistication of their adversaries, why they are concerned at all.
The Trojan is distributed as a self-extracting WinRAR archive called GrooveMonitor.exe. Once executed it drops juboot.exe, jucheck.exe and SLEEP.EXE.
Juboot.exe and jucheck.exe appear to mask themselves as a Java autoupdate program, whereas SLEEP.EXE is not malware, but a freeware tool to delay application startup.
Juboot.exe is actually a simple DOS BAT file that has been converted to a Windows PE (Portable Executable) file using a Batch to Exe Converter. It uses SLEEP.EXE to wait for two seconds, then sets a registry key to start jucheck.exe on system boot.
Upon execution jucheck.exe waits two seconds, erases GrooveMonitor.exe and juboot.exe, then checks to see if the date matches any of the following:
10-December-2012 to 12-December-2012
21-January-2013 to 23-January-2013
06-May-2013 to 08-May-2013
22-July-2013 to 24-July-2013
11-November-2013 to 13-November-2013
3-February-2014 to 5-February-2014
5-May-2014 to 7-May-2014
11-August-2014 to 13-August-2014
2-February-2015 to 4-February-2015.
If the date matches, it waits for 50 minutes, then performs a recursive delete on the aforementioned drive letters and deletes everything from the user’s desktop.
It also attempts to start calc.exe, but fails due to a typo.
The circumstances that have led to Iran’s decision that this is a targeted attack are unknown. This is one of the most rudimentary malware samples seen in years.
This malware bears no resemblance to other alleged state-sponsored attacks such as Stuxnet, Duqu, Flame and Shamoon.
We were able to discover a further variant that looks to replace jucheck.exe and is called Wmiprv.exe.
This version tries to delete GrooveMonitor.exe from C:\Documents and settings\All Users\Start Menu\Programs\Startup\ and runs in an endless loop every 50 minutes to erase the drives.
This is likely indicative of a more advanced dropper file and a way to be sure to harm machines that are not rebooted during the specified time windows.
Why Iran is drawing attention to this is anybody’s guess. It does go to show that malware doesn’t need to be sophisticated to cause trouble though. If you can execute arbitrary files, all it takes is a few lines in a batch file and some wrappers to cause serious damage.
* Troj/BatDel-B: Detects all known components and variants of this malware including:
GrooveMonitor.exe (MD5 f3dd76477e16e26571f8c64a7fd4a97b)
juboot.exe (MD5 fa0b300e671f73b3b0f7f415ccbe9d41)
jucheck.exe (MD5 c4cd216112cbc5b8c046934843c579f6)
Wmiprv.exe (MD5 b7117b5d8281acd56648c9d08fadf630)
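The trigger schedule and the published component hashes above lend themselves to a small triage helper. The following Python is an added example, not code from Sophos or from the write-up: it answers whether a given date falls inside (or before) one of the wiper's windows, and matches a recovered file against the listed MD5s. The function names and the sample paths in the comments are my own.

```python
from datetime import date

# Added example (not Sophos' code). Windows are the ones listed in the
# write-up, inclusive, as ISO dates so they compare as plain strings.
TRIGGER_WINDOWS = [
    ("2012-12-10", "2012-12-12"),
    ("2013-01-21", "2013-01-23"),
    ("2013-05-06", "2013-05-08"),
    ("2013-07-22", "2013-07-24"),
    ("2013-11-11", "2013-11-13"),
    ("2014-02-03", "2014-02-05"),
    ("2014-05-05", "2014-05-07"),
    ("2014-08-11", "2014-08-13"),
    ("2015-02-02", "2015-02-04"),
]

# Published component MD5s from the write-up, keyed by lower-case filename.
KNOWN_MD5 = {
    "groovemonitor.exe": "f3dd76477e16e26571f8c64a7fd4a97b",
    "juboot.exe": "fa0b300e671f73b3b0f7f415ccbe9d41",
    "jucheck.exe": "c4cd216112cbc5b8c046934843c579f6",
    "wmiprv.exe": "b7117b5d8281acd56648c9d08fadf630",
}

def trigger_window(iso_day):
    """Return the (start, end) window containing iso_day ('YYYY-MM-DD'),
    or None. Lets an analyst check whether a reported data loss lines up
    with the wiper's schedule."""
    date.fromisoformat(iso_day)  # reject malformed input early
    for start, end in TRIGGER_WINDOWS:
        if start <= iso_day <= end:
            return (start, end)
    return None

def next_window(iso_day):
    """First window starting on or after iso_day; None once all have passed
    (relevant to the Wmiprv.exe variant, which no longer waits for a date)."""
    date.fromisoformat(iso_day)
    for start, end in TRIGGER_WINDOWS:
        if start >= iso_day:
            return (start, end)
    return None

def classify(path, md5hex):
    """'known' if the hash matches a published component; 'name-match' if
    only the filename matches (jucheck.exe is also a legitimate Java updater
    name, so the hash, not the name, decides); 'clean' otherwise."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if KNOWN_MD5.get(name) == md5hex.lower():
        return "known"
    if name in KNOWN_MD5:
        return "name-match"
    return "clean"
```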
Thank you to Gabor Szappanos and Boris Lau from SophosLabs for providing the detailed analysis of this malware.
The Iranians are always worried about the Jews. So my guess is the naming convention of the files is what makes them think it's state sponsored… juboot.exe, jucheck.exe
My guess is that the naming of the files has no racial motives.
Jucheck.exe is a valid filename used by the Java update verification process. As the malware files disguise themselves as Java update related files, it is a trivial choice for the filename.
Juboot.exe just follows the same scheme: "ju" prefix for the Java update relation, "boot" for the fact that it registers the next component for automatic start after reboot.
Perhaps they take exception to the prefix Ju?