Security firm Mitsui Bussan Secure Directions (MBSD) reported a malware sample that appears to be targeted at Japanese users and aims to wipe files on infected systems.
The discovery of the wiper takes place two days before the opening ceremony of the 2021 Tokyo Olympics.
The wiper doesn’t just wipe out all of a computer’s sensitive data, but searches for certain file types located in a user’s personal Windows folder at “C:/Users/<username>/.” Microsoft Office files are usually deleted by the malware, researchers noted, and also TXT, LOG, and CSV files which often contain logs, databases, passwords and other system data. The wiper also targets files that are created with the Japanese word processor called Ichitaro. That’s why it’s believed that it was specifically created to target devices in Japan.
Targeted extensions are DOTM, DOTX, PDF, CSV, XLS, XLSX, XLSM, PPT, PPTX, PPTM, JTDC, JTTC, JTD, JTT, TXT, EXE, and LOG.
Other features of the wiper include its anti-VM detection techniques and its ability to wipe itself.
A peculiar feature is that the Wiper also accesses the XVideos adult video portal by the help of cURL app. The MBSD team believes that this behavior was added to trick forensic investigators into thinking that the user got infected and their files got wiped while surfing porn sites.
The MBSD team said that the file that caused the issue was a Windows EXE that was configured to display as a PDF file. The file was named [Urgent] Damage report regarding the occurrence of cyber attacks, etc. associated with the Tokyo Olympics.exe.
“Since this malware is disguised using a PDF icon and only targets data under the Users folder, it is believed that the malware is intended to infect users who do not have administrator privileges,” MBSD researchers Takashi Yoshikawa and Kei Sugawara wrote yesterday.
Only two copies of this particular malware was discovered, and the first one was uploaded to VirusTotal on July 20.
The discovery of the wiper came a day after the FBI warned about the possibility of cyberattacks during the Tokyo Olympics.
During the last two Olympic Games, there were cyberattacks carried out by Russia’s military hackers.
When Russia was accused of running a massive state-sponsored doping program and Russian athletes were banned to compete during the 2016 Summer Olympics under the Russian flag, the state-backed hacker group known as APT28 leaked files related to the World Anti-Doping Agency’s investigation in an act of revenge. After the ban on Russian hackers was extended for the 2018 Winter Olympics, they deployed the Olympic Destroyer Wiper during the opening ceremony in an attempt to disrupt the ceremony.
