Pro-Iranian Hacker Group Targeting Albania with No-Justice Wiper Malware


Jan 06, 2024 | Newsroom | Malware / Cyber Attack

No-Justice Wiper Malware

The recent wave of cyber attacks targeting Albanian organizations involved the use of a wiper called No-Justice.

The findings come from cybersecurity company ClearSky, which said the Windows-based malware “crashes the operating system in a way that it cannot be rebooted.”

The intrusions have been attributed to an Iranian “psychological operation group” known as Homeland Justice, which has been active since July 2022, specifically orchestrating destructive attacks against Albania.

On December 24, 2023, the adversary resurfaced after a hiatus, stating it’s “back to destroy supporters of terrorists,” describing its latest campaign as #DestroyDurresMilitaryCamp. The Albanian city of Durrës currently hosts the dissident group People’s Mojahedin Organization of Iran (MEK).

Targets of the attack included ONE Albania, Eagle Mobile Albania, Air Albania, and the Albanian parliament.

Two of the primary tools deployed during the campaign are an executable wiper and a PowerShell script designed to propagate the former to other machines in the target network after enabling Windows Remote Management (WinRM).


The No-Justice wiper (NACL.exe) is a 220.34 KB binary that requires administrator privileges to erase the data on the computer.

This is accomplished by removing the boot signature from the Master Boot Record (MBR), the first sector of a hard disk, which identifies where the operating system is located on the disk so that it can be loaded into the computer's RAM.
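For responders triaging an affected host, the check below reads a saved copy of disk sector 0 and reports whether the 0x55AA boot signature at bytes 510-511 is still present alongside a populated partition table. It is an added example, not code from ClearSky or the original article; the function names and the sample sectors are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
SIG_OFFSET = 510            # boot signature occupies bytes 510-511
BOOT_SIGNATURE = b"\x55\xaa"
PART_TABLE_OFFSET = 446     # four 16-byte partition entries follow the boot code


def parse_partitions(sector: bytes) -> list[dict]:
    """Return the non-empty entries of the MBR partition table."""
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0 or sectors != 0:
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return parts


def triage_mbr(sector: bytes) -> str:
    """Classify a sector-0 dump: 'ok', 'signature-missing', 'blank' or 'short-read'."""
    if len(sector) < SECTOR_SIZE:
        return "short-read"
    sector = sector[:SECTOR_SIZE]
    if sector[SIG_OFFSET:SIG_OFFSET + 2] == BOOT_SIGNATURE:
        return "ok"
    if not any(sector):
        return "blank"          # never initialised, or the whole sector was zeroed
    # Data is present but 0x55AA is gone: firmware will not treat the disk as bootable.
    return "signature-missing"


def make_sample_mbr(with_signature: bool) -> bytes:
    """Constructed sample: one bootable NTFS (0x07) partition starting at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    if with_signature:
        sector[SIG_OFFSET:] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    for label, flag in (("healthy", True), ("signature removed", False)):
        s = make_sample_mbr(flag)
        print(label, "->", triage_mbr(s), parse_partitions(s))
```

A "signature-missing" result with intact partition entries means the partition layout can still be read from the dump, which is worth recording before any recovery attempt.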

Also delivered over the course of the attack are legitimate tools like Plink (aka PuTTY Link), RevSocks, and the Windows 2000 resource kit to facilitate reconnaissance, lateral movement, and persistent remote access.


The development comes as pro-Iranian threat actors such as Cyber Av3ngers, Cyber Toufan, Haghjoyan, and YareGomnam Team have increasingly set their sights on Israel and the U.S. amid continuing geopolitical tensions in the Middle East.

“Groups such as Cyber Av3ngers and Cyber Toufan appear to be adopting a narrative of retaliation in their cyber attacks,” Check Point disclosed last month.

“By opportunistically targeting U.S. entities using…
