Security researchers found an anti-Israel and pro-Palestinian data wiper that spreads as ransomware. The new wiper is called IsraBye, and it was found by the malware expert Jakub Kroustek from Avast.
According to Kroustek, even though the lock screen states that the files can be recovered, their content is replaced with an anti-Israel message.
The IsraBye wiper was found concurrently with the Al Aqsa crisis, which was triggered by the decision of Israeli authorities to install metal detectors and other security measures at the Al Aqsa mosque in Jerusalem. The Palestinians, however, rejected these measures.
The anti-Israel and pro-Palestinian wiper has a modular architecture and is composed of 5 different executables. The first one is the launcher and wiper called IsraBye.exe.
Once executed, IsraBye.exe secretly starts wiping all the attached drives by replacing their contents with the following message:
Fuck-israel, [username] You Will never Recover your Files Until Israel disepeare
In fact, the wiper doesn’t encrypt the files, but destroys them instead. When the process is complete, it extracts the files Cur.exe, Cry.exe, Lock.exe, and Index.exe from the IsraBye.exe executable and launches them.
The Cry.exe executable replaces the desktop’s wallpaper with an anti-Israel or pro-Palestinian image. Cur.exe then attaches an image that includes the message “End of Israel” to the mouse cursor. Lock.exe performs the following three functions:
– it looks for the procexp64, ProcessHacker, taskmgr, procexp, xns5 processes in order to terminate them;
– it launches Index.exe if it is not already running;
– it copies the main Israbye.exe file to the root of other drives as a file called ClickMe.exe in order to spread the malware.
According to the security expert Ido Naor, creating a file called ClickMe.exe in the %Temp% folder causes IsraBye to crash when it starts.
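One way to triage a volume for the artifacts described above, as an added example that is not from the original article or the researchers it cites: it flags files whose content was replaced by the quoted message, PE files named ClickMe.exe at a drive root, and the component file names. The function names, the sample listing and the ASCII/UTF-16LE handling of the note text are assumptions.

```python
import os
import re
from pathlib import PureWindowsPath

# Note text as quoted in the article; the username slot differs per victim.
NOTE_RE = re.compile(
    rb"Fuck-israel,\s*(.{1,64}?)\s*You Will never Recover your Files", re.S)
COMPONENTS = {"israbye.exe", "cur.exe", "cry.exe", "lock.exe", "index.exe"}

def classify(path, head):
    """Return a list of findings for one file, given its path and first bytes."""
    findings = []
    p = PureWindowsPath(path)
    name = p.name.lower()
    is_pe = head.startswith(b"MZ")
    # Assumption: the note may be stored as ASCII or UTF-16LE, so drop NULs.
    m = NOTE_RE.search(head.replace(b"\x00", b""))
    if m:
        findings.append(("wiped", m.group(1).decode("ascii", "replace")))
    # Lock.exe copies the main executable to the root of other drives.
    if name == "clickme.exe" and is_pe and p.drive and len(p.parts) == 2:
        findings.append(("spread-copy", p.drive))
    elif name in COMPONENTS and is_pe:
        findings.append(("component", p.name))
    return findings

def read_heads(root, limit=512):
    """Yield (path, first bytes) for every readable file under root."""
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(folder, fname)
            try:
                with open(full, "rb") as fh:
                    yield full, fh.read(limit)
            except OSError:
                continue

def triage(entries):
    """Map path -> findings for every entry that matched something."""
    return {p: f for p, h in entries if (f := classify(p, h))}

# Constructed sample listing (paths and contents are invented for the demo).
SAMPLE = [
    ("D:\\reports\\q2.xlsx", b"Fuck-israel, alice You Will never Recover your Files Until Israel disepeare"),
    ("E:\\ClickMe.exe", b"MZ\x90\x00"),
    ("C:\\Users\\alice\\AppData\\Local\\Temp\\ClickMe.exe", b""),
    ("C:\\Users\\alice\\Documents\\notes.txt", b"meeting at 10"),
]
```

`triage(SAMPLE)` runs the checks on the constructed listing, and `triage(read_heads(path))` runs them on a real directory tree. The drive-root check needs Windows-style paths, and an empty ClickMe.exe placed in %Temp% is not reported as a spread copy.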