Iranian APT Used No-Justice Wiper in Recent Albanian Attacks
Reports Say Attempts to Delete Data in the Attacks Were Unsuccessful
Iranian hackers targeted the Albanian Parliament using the No-Justice Wiper and other commonly used tools.
Researchers suspect the hackers also used tools such as PuTTY Link, Revsocks and the Windows 2000 Resource Kit, which aided reconnaissance, lateral movement and the targeting of a telecommunications service provider.
Albanian organizations faced a new wave of cyberattacks on Christmas Day. The most notable incident hit Parliament's infrastructure. Hackers once again attempted to delete data during the attack "although their efforts were ultimately unsuccessful," local media claimed (see: Iranian Hackers Claim They Disrupted Albanian Institutions).
Iranian advanced persistent threat actor Homeland Justice claimed responsibility for the attack and shared a video snippet on its Telegram channel. Israeli firm ClearSky Cyber Security found code snippets shown in the video that fully matched a PowerShell script, and tracked the indicators of compromise to a NACL.exe file that was used in the hack.
At the time of its discovery, only two antivirus engines flagged this file as malicious on malware database service VirusTotal. As of Friday 8:00 a.m. ET, 29 vendors have flagged it as malicious.
In a postmortem of the campaign and its IoCs released Thursday, ClearSky identified the data wiper used in the campaign as No-Justice. The cybersecurity firm detected the use of two main tools in the campaign: the wiper and a PowerShell script.
The malware performs several actions including loading a library, receiving addresses for API functions and ultimately wiping computer disks.
The malicious file has a unique icon and a still-valid digital signature signed by Attest Inspection Limited, a technology-based contemporary assessment solutions provider. In the first Homeland Justice attack, the No-Justice Wiper also had a valid digital signature from "Kuwait Telecommunications Company KSC," indicating a consistent methodology of making malicious files appear legitimate.
The PowerShell file p.ps1 was not present on VirusTotal at the time of discovery and is still flagged as malicious by only two antivirus engines, including Eset.
This script checks if a machine is reachable; tests if WinRM, a remote management protocol for Windows servers, is enabled on that machine and, if not, attempts to enable it; creates a PowerShell session; and copies and optionally executes a file on a target machine. The script is written in a way that it enables PowerShell scripts to run in parallel on multiple machines.
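A detection-side illustration of the behaviour chain ClearSky describes, added here as an example and not part of the original article or ClearSky's analysis: a small Python triage function that scores PowerShell script-block logging text (Event ID 4104) for the reported stages. The cmdlet-to-stage mapping and both sample blocks are constructed assumptions, not the real p.ps1.

```python
import re

# Each stage of the p.ps1 behaviour chain described above, mapped to the
# PowerShell cmdlets or switches that commonly implement it. The mapping is
# an assumption for illustration; the article names behaviours, not cmdlets.
STAGES = {
    "reachability": r"\bTest-(Connection|NetConnection)\b",
    "winrm_check": r"\bTest-WSMan\b",
    "winrm_enable": r"\b(Enable-PSRemoting|Set-WSManQuickConfig)\b|\bwinrm\s+quickconfig\b",
    "session": r"\bNew-PSSession\b",
    "copy": r"\bCopy-Item\b[^\n]*-ToSession\b",
    "execute": r"\b(Invoke-Command|Start-Process)\b",
    "parallel": r"\bStart-(Job|ThreadJob)\b|\bForEach-Object\b[^\n]*-Parallel\b|-ThrottleLimit\b",
}

def matched_stages(script_block):
    """Return the set of behaviour stages whose pattern appears in a 4104 script block."""
    return {name for name, pat in STAGES.items()
            if re.search(pat, script_block, re.IGNORECASE)}

def is_suspicious(script_block, min_stages=4):
    """Flag a block only when the remote-session + file-drop core is present
    together with enough of the surrounding stages; a lone Enable-PSRemoting
    on a helpdesk workstation is routine administration, not this pattern."""
    hits = matched_stages(script_block)
    return {"session", "copy"} <= hits and len(hits) >= min_stages

# Constructed sample script-block text (not the real p.ps1) showing the
# reported chain: reachability test, WinRM check/enable, session, copy, run, parallel.
SUSPICIOUS_BLOCK = r"""
Test-Connection -ComputerName $t -Count 1 -Quiet
Test-WSMan -ComputerName $t -ErrorAction SilentlyContinue
Enable-PSRemoting -Force
$s = New-PSSession -ComputerName $t
Copy-Item -Path $f -Destination 'C:\Windows\Temp' -ToSession $s
Invoke-Command -Session $s -FilePath $f
Start-Job -ScriptBlock { ... }
"""

# Constructed benign block: an admin enabling remoting on a single workstation.
BENIGN_BLOCK = r"""
Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'srv01'
"""

if __name__ == "__main__":
    for label, block in (("suspicious", SUSPICIOUS_BLOCK), ("benign", BENIGN_BLOCK)):
        print(label, sorted(matched_stages(block)), is_suspicious(block))
```

Feeding real 4104 events through `is_suspicious` from a domain controller is where this pattern matters most, since ClearSky assesses the script ran from there with admin rights.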
"We assess that the PowerShell runs from the domain controller server using admin privileges," ClearSky said. The wiper file also requires elevated administrator privileges "to wipe the computer."
ClearSky said that Homeland Justice used other utilities to stay under the radar and move laterally, including a version of a system admin tool designed to help with remote connection into the network that has been previously used by Iranian threat actors (see: Unpatched VPN Servers Hit by Apparent Iranian APT Groups).
Revsocks could enable attackers to establish a connection with a server via SOCKS proxy and use it for data exfiltration, command and control or maintaining persistence in a compromised network, while the W2K Reskit tool could help hackers enumerate local admins on all network computers, ClearSky said.
Albania severed diplomatic ties with Iran following a July cyberattack that disrupted the country's online governmental services portal (see: Albania Cuts Diplomatic Ties With Iran After Cyberattack).