LowEraser | |
Type of Malware | Partition Wiper |
Additional names | No-Justice Wiper |
Date of initial activity | 2023 |
Country of Origin | Iran |
Associated Groups | Void Manticore |
Targeted Countries | Albania |
Motivation | To cause significant disruption and destruction to targeted systems by obliterating the partition table |
Attack Vectors | Partition wipers can spread through various vectors, including phishing emails, malicious downloads, or exploiting vulnerabilities in software and network protocols |
Targeted System | Windows and potentially Linux, depending on its implementation. |
Overview
The Low Eraser malware, used by the Void Manticore threat actor, is a destructive tool designed to permanently delete data on targeted systems. Unlike ransomware, which encrypts data and demands a ransom for its decryption, Low Eraser focuses on wiping data to cause irreversible damage and operational disruption.
Low Eraser typically gains initial access to systems through similar vectors as other malware, such as phishing emails with malicious attachments, drive-by downloads from compromised websites, or exploiting software vulnerabilities. Once the malware is executed, it begins its destructive process by systematically overwriting files on the infected system. This overwriting ensures that the original data cannot be recovered, even with advanced forensic tools.
The malware targets a wide range of file types and directories, including user documents, system files, and backups. By erasing these critical files, Low Eraser renders the affected systems inoperable, leading to significant downtime and data loss. The primary goal of this malware is to disrupt the victim’s operations, inflict financial damage, and create chaos.
Low Eraser’s attack often includes measures to evade detection and delay response. It may use techniques such as code obfuscation and anti-debugging to avoid being caught by security software. Additionally, the malware may delete system logs and other traces of its presence to hinder incident response efforts and forensic investigations.
Targets
Albanian critical infrastructure, government entities, and large corporations
How they operate
Once Low Eraser gains access to a system, it executes its payload, which systematically overwrites files with random data. This overwriting process ensures that the original content cannot be retrieved, even with advanced forensic recovery tools. The malware targets a comprehensive range of files and directories, including user documents, system files, and backups, effectively crippling the affected system. By erasing these critical files, Low Eraser disrupts the victim’s operations, leading to prolonged downtime and significant financial losses.
To evade detection, Low Eraser employs several sophisticated techniques. It may use code obfuscation to disguise its presence and anti-debugging methods to prevent analysis by security researchers. Additionally, the malware often deletes system logs and other forensic traces, making it challenging for incident response teams to understand the scope of the attack and the methods used. This combination of evasion tactics and destructive capabilities makes Low Eraser a formidable threat.
Preventing and mitigating the impact of Low Eraser requires a multi-faceted approach. Organizations should prioritize robust email security measures to filter out phishing attempts and block malicious attachments. Regular updates and patch management are essential to close vulnerabilities that the malware might exploit. Implementing advanced endpoint protection and behavior-based detection solutions can help identify and stop the destructive actions of Low Eraser before it causes irreparable damage.
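One way to turn the behaviour-based detection recommended above into something concrete, as an added example that is not code from the page or from any vendor product: a small Python triage script that scores each process on three behaviours taken from this profile (burst overwrites across user, backup and system directories, a write to the raw disk device where the partition table and MBR live, and clearing of an event log). The telemetry line format, the thresholds and the pid values are assumptions; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry, one event per line: time|pid|image|action|target.
SAMPLE_EVENTS = """\
2023-12-24T03:14:01|4412|C:\\Users\\a\\AppData\\upd.exe|write|C:\\Users\\a\\Documents\\q1.xlsx
2023-12-24T03:14:01|4412|C:\\Users\\a\\AppData\\upd.exe|write|C:\\Users\\a\\Documents\\q2.xlsx
2023-12-24T03:14:02|4412|C:\\Users\\a\\AppData\\upd.exe|write|C:\\Backups\\db.bak
2023-12-24T03:14:02|4412|C:\\Users\\a\\AppData\\upd.exe|write|C:\\Windows\\System32\\drivers\\etc\\hosts
2023-12-24T03:14:03|4412|C:\\Users\\a\\AppData\\upd.exe|write|\\\\.\\PhysicalDrive0
2023-12-24T03:14:04|4412|C:\\Users\\a\\AppData\\upd.exe|clear_log|Security
2023-12-24T03:20:00|1200|C:\\Program Files\\Word\\winword.exe|write|C:\\Users\\a\\Documents\\memo.docx
"""

BURST_FILES = 3       # distinct files overwritten within one window (assumed threshold)
BURST_DIRS = 2        # distinct top-level directories touched in that window (assumed)
WINDOW_SECONDS = 10

def parse(line):
    ts, pid, image, action, target = line.split("|", 4)
    return datetime.fromisoformat(ts), int(pid), image, action, target

def is_raw_device(target):
    return target.startswith("\\\\.\\")   # e.g. \\.\PhysicalDrive0 (MBR / partition table)

def top_dir(path):
    return "\\".join(path.split("\\")[:2])   # C:\Users\a\x.txt -> C:\Users

def score_events(text):
    """Return {pid: sorted matched behaviours} for processes that trip a rule."""
    per_pid = defaultdict(list)
    for line in filter(None, text.splitlines()):
        ev = parse(line)
        per_pid[ev[1]].append(ev)
    findings = {}
    for pid, evs in per_pid.items():
        hits = set()
        if any(a == "write" and is_raw_device(t) for _, _, _, a, t in evs):
            hits.add("raw_disk_write")
        if any(a == "clear_log" for _, _, _, a, _ in evs):
            hits.add("log_cleared")          # Indicator Removal on Host (T1070)
        writes = sorted((ts, t) for ts, _, _, a, t in evs if a == "write" and not is_raw_device(t))
        for i, (start, _) in enumerate(writes):
            window = [t for ts, t in writes[i:] if (ts - start).total_seconds() <= WINDOW_SECONDS]
            if len(set(window)) >= BURST_FILES and len({top_dir(t) for t in window}) >= BURST_DIRS:
                hits.add("overwrite_burst")  # mass overwrite across user, backup, system dirs
                break
        if hits:
            findings[pid] = sorted(hits)
    return findings
```

A process that trips all three rules in a few seconds is a strong candidate for immediate isolation; a single benign editor saving files in one directory never reaches the directory-spread threshold.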
MITRE tactics and techniques
Initial Access (TA0001):
Phishing (T1566): Attackers use phishing emails with malicious attachments or links to deliver the wiper payload.
Drive-by Compromise (T1189): Victims unknowingly visit compromised websites that automatically download the malware.
Execution (TA0002):
Malicious File Execution (T1204): The malware executes upon opening a malicious file or attachment.
User Execution (T1204.002): Execution of malware by tricking the user into running the malicious file.
Persistence (TA0003):
Boot or Logon Autostart Execution (T1547): The malware ensures persistence by modifying the MBR, which is executed during the boot process.
Privilege Escalation (TA0004):
Exploitation for Privilege Escalation (T1068): The malware may exploit vulnerabilities to gain higher privileges.
Defense Evasion (TA0005):
Obfuscated Files or Information (T1027): Using crypters and packers to evade detection by security software.
Modify Registry (T1112): Changing registry entries to disable security tools or alter system behavior.
Indicator Removal on Host (T1070): Deleting logs and other artifacts to remove traces of the attack.
Credential Access (TA0006):
Credential Dumping (T1003): Accessing stored credentials to further the attack.
Discovery (TA0007):
System Information Discovery (T1082): Gathering information about the system to tailor the attack.
File and Directory Discovery (T1083): Identifying important files and directories to target.
Lateral Movement (TA0008):
Remote File Copy (T1105): Copying malicious files to other systems on the network.
Collection (TA0009):
Data from Local System (T1005): Collecting files and data from the compromised system.
Exfiltration (TA0010):
Exfiltration Over C2 Channel (T1041): Sending collected data to Command and Control servers.
Impact (TA0040):
Data Encrypted for Impact (T1486): Encrypting files and the MBR to render the system unusable until a ransom is paid.
Inhibit System Recovery (T1490): Disabling or deleting system recovery features to prevent the victim from easily restoring the system.