Iran CERT recently announced that it uncovered a possible targeted attack using malware that wipes files and runs only within certain predefined time frames. They noted its efficiency in performing its routines despite its simplistic design.
The way this malware was created was also deemed unusual, as the author wrote a series of batch files and then used a utility to convert them into an executable file.
We found that this Trojan, detected by Trend Micro as TROJ_BATWIPER.A, is designed to delete files found on the desktop and on drives D to I, particularly when it runs on these specific dates:
- December 10-12, 2012
- January 21-23, 2013
- May 6-8, 2013
- July 22-24, 2013
- November 11-13, 2013
- February 3-5, 2014
- May 5-7, 2014
- August 11-13, 2014
- February 2-4, 2015
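As an added example (not part of the original post or of Trend Micro's analysis), the sketch below shows how a responder could triage file-deletion records against the dates and locations listed above. The tab-separated record format, the function names, the "Desktop" folder-name check and the sample records are assumptions constructed for illustration.

```python
from datetime import date, datetime
from pathlib import PureWindowsPath

# Trigger windows listed in this post (inclusive start and end dates).
TRIGGER_WINDOWS = [
    (date(2012, 12, 10), date(2012, 12, 12)),
    (date(2013, 1, 21), date(2013, 1, 23)),
    (date(2013, 5, 6), date(2013, 5, 8)),
    (date(2013, 7, 22), date(2013, 7, 24)),
    (date(2013, 11, 11), date(2013, 11, 13)),
    (date(2014, 2, 3), date(2014, 2, 5)),
    (date(2014, 5, 5), date(2014, 5, 7)),
    (date(2014, 8, 11), date(2014, 8, 13)),
    (date(2015, 2, 2), date(2015, 2, 4)),
]
TARGET_DRIVES = set("DEFGHI")  # drives D to I, as described in the post

def in_trigger_window(day):
    return any(start <= day <= end for start, end in TRIGGER_WINDOWS)

def in_target_location(path):
    p = PureWindowsPath(path)
    drive = p.drive.rstrip(":").upper()
    # Assumption: the desktop is identified by a folder named "Desktop".
    on_desktop = any(part.lower() == "desktop" for part in p.parts[1:-1])
    return drive in TARGET_DRIVES or on_desktop

def triage(lines):
    """Return (timestamp, path) for deletions matching both date and location."""
    hits = []
    for line in lines:
        stamp, action, path = line.strip().split("\t")
        when = datetime.fromisoformat(stamp)
        if (action == "DELETE" and in_trigger_window(when.date())
                and in_target_location(path)):
            hits.append((when, path))
    return hits

# Constructed sample records (timestamp<TAB>action<TAB>path); not real telemetry.
SAMPLE = [
    "2012-12-10T09:14:02\tDELETE\tD:\\projects\\report.docx",
    "2012-12-11T09:14:05\tDELETE\tC:\\Users\\alice\\Desktop\\notes.txt",
    "2012-12-11T10:00:00\tDELETE\tC:\\Windows\\Temp\\a.tmp",
    "2012-12-13T08:00:00\tDELETE\tE:\\archive\\old.zip",
    "2013-01-22T11:30:00\tCREATE\tF:\\data\\new.csv",
]

if __name__ == "__main__":
    for when, path in triage(SAMPLE):
        print(when.isoformat(), path)
```

A match only narrows the search: deletions on these dates and paths still need to be tied to the malware by other evidence before drawing conclusions.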
Though lacking in technical sophistication, we found from our analysis that the Trojan was able to perform its destructive routines. This proves that even not-so-advanced malware like TROJ_BATWIPER.A can still inflict damage on systems and put a significant dent in an organization’s operations. It is also different from previous attacks we’re used to, which usually employ backdoors or malware designed to steal information from their targets.
As of this writing, we cannot ascertain if this malware is related at all to Flame attacks or other well-known campaigns using file-deleting malware. We also did not find any TROJ_BATWIPER.A infection in the wild.
This file-wiping Trojan is neither the first of its kind nor the first to be used in a possible targeted attack. As readers may recall, Wiper malware first came to prominence during the height of Flame’s discovery. Researchers were initially searching for the said file-deleting Trojan, but ended up uncovering Flame, a toolkit known for its information-stealing capabilities and connection to attacks targeting certain Middle Eastern countries.
The existence of Trojans like TROJ_BATWIPER.A, unfortunately, is possibly a taste of what’s to come in 2013 (and beyond). In our 2013 Security Predictions, we foresee more cyber-attacks that modify or destroy data, even those that damage infrastructure belonging to certain countries/regions.
Trend Micro Smart Protection Network protects users from this threat by detecting and deleting TROJ_BATWIPER.A if found on the system.