Iranian Broadcaster IRIB hit by wiper malware

Iranian Broadcaster IRIB hit by wiper malware

Iranian national media corporation, Islamic Republic of Iran Broadcasting (IRIB), was hit by a wiper malware in late January 2022.

An investigation into the attack that hit the Islamic Republic of Iran Broadcasting (IRIB) in late January, revealed the involvement of a disruptive wiper malware along with other custom-made backdoors, and scripts and configuration files used to install and configure the malicious executables.

Researchers from CheckPoint that investigated the attack reported that the attackers used a wiper malware to disrupt the state’s broadcasting networks, damaging both TV and radio networks.

According to the experts, the effects of the attack were more serious than officially reported.

Check Point was not able to find any evidence that demonstrates a previous use of these tools, or attribute them to a specific threat actor.

During the attack, threat actors transmitted pictures of Mujahedin-e-Khalq Organization (MKO) leaders Maryam and Massoud Rajavi along with the image of Ayatollah Khamenei crossed out with red lines and  the declaration “Salute to Rajavi, death to (Supreme Leader) Khamenei!.” 

IRIB attack 2

“During a period of 10 seconds, the faces and voices of hypocrites appeared on (our) Channel One,” IRIB said.

“Our colleagues are investigating the incident. This is an extremely complex attack and only the owners of this technology could exploit and damage the backdoors and features that are installed on the systems,” Deputy IRIB chief Ali Dadi told state TV channel IRINN.

“Similar disruptions happened to the Koran Channel, Radio Javan and Radio Payam,” he added, referring to other state-affiliated broadcast channels.

The experts discovered two identical .NET samples named msdskint.exe that were used to wipe the files, drives, and MBR on the infected devices, making them unusable.

The malware has also the ability to clear Windows Event Logs, delete backups, kill processes, and change users’ passwords.

The report details the use of four backdoors in the attack:

  • WinScreeny, used to make screenshots of the victim’s computer;
  • HttpCallbackService, a Remote Administration Tool (RAT);
  • HttpService, another backdoor that listens on a specified port;
  • ServerLaunch, a C++ dropper.

Iranian officials attribute the attack to MEK, however, the opposition group itself denies any involvement.

The hacktivist group Predatory Sparrow, which claimed responsibility for the attacks against the national railway services, the transportation ministry, and the Iranian gas stations, claimed responsibility for the attack on IRIB via its Telegram channel.

“The use of wiper malware in the attack against a state entity in Iran begs us to compare the tools with those belonging to Indra, who, among other attacks, is responsible for unleashing a wiper in the Iranian Railways and Ministry of Roads systems. Although these wipers are coded and behave very differently, some implementation details such as execution based on batch files, or the password changing patterns ([random sequence]aA1! for this attack and Aa153![random sequence] in Indra’s case), suggests that the attackers behind the IRIB hack may have been inspired by previous attacks happened in Iran.” the researchers conclude.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, IRIB)

Leave a Reply

Your email address will not be published. Required fields are marked *