Wiper Used in Attack on Iran National Media Network

An analysis of a January attack targeting Iran’s national media corporation has found the use of multiple malware families, including a data-wiper and custom backdoors.

The attack is the latest in a wave of attacks on Iranian critical infrastructure that included a July 2021 attack on the national railway and cargo services and an October attack on the country’s gas station network, both claimed by the hacking group ‘Predatory Sparrow’.

In August 2021, a hacktivist group released security camera footage depicting prisoner abuse within the Evin prison. On February 7, 2022, footage from the Ghezel Hesar prison was released to the public.

In a new report, security vendor Check Point notes that the attackers attempted to disrupt the broadcasting network by deploying data-wiping malware.

Check Point said it was unable to establish the intrusion vector, but found that the attackers used a .NET-based executable to play a ‘malicious’ video file in a loop, together with a batch script that killed any processes associated with TFI Arista Playout Server, the software IRIB uses for broadcasting, and deleted its executable. Similar techniques were used to hijack a different TV stream and an audio stream.

Two identical .NET samples were used to wipe the computers’ drives and master boot record (MBR). The malware can fully overwrite targeted files and can also delete backups, kill processes, clear Windows Event Logs, and change user passwords.
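As an added illustration, not code from the Check Point report or from SecurityWeek: a small Python detection that correlates the behaviours described above (killing and deleting the playout software, clearing event logs, resetting passwords, raw disk access) per host across constructed Windows/Sysmon-style log lines. The log export format, host names and the playout executable path are assumptions; the event IDs are the standard Windows Security and Sysmon ones.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the report). Assumed export format:
# "host|source-eventid|detail", one event per line. Paths are hypothetical.
SAMPLE_LOGS = """\
bc-playout-01|Sysmon-5|ProcessTerminated Image=C:\\Arista\\PlayoutServer.exe
bc-playout-01|Sysmon-23|FileDelete TargetFilename=C:\\Arista\\PlayoutServer.exe
bc-playout-01|Security-1102|The audit log was cleared
bc-playout-01|Security-4724|An attempt was made to reset an account's password
bc-playout-01|Sysmon-9|RawAccessRead Device=\\Device\\HarddiskVolume1
ws-edit-07|Security-4724|An attempt was made to reset an account's password
"""

# Indicator name -> (event id to match, optional regex on the detail field).
# Sysmon 5 = process terminated, 23 = file delete, 9 = raw disk read;
# Security 1102 = audit log cleared, 4724 = password reset attempt.
RULES = {
    "playout_process_killed": ("Sysmon-5", re.compile(r"PlayoutServer\.exe", re.I)),
    "playout_binary_deleted": ("Sysmon-23", re.compile(r"PlayoutServer\.exe", re.I)),
    "event_log_cleared": ("Security-1102", None),
    "password_reset": ("Security-4724", None),
    "raw_disk_access": ("Sysmon-9", None),
}


def parse_line(line):
    """Split one exported event into (host, event_id, detail)."""
    host, event_id, detail = line.rstrip("\n").split("|", 2)
    return host, event_id, detail


def match_indicators(lines):
    """Map each host to the set of distinct indicators seen in its events."""
    hits = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        host, event_id, detail = parse_line(line)
        for name, (wanted_id, pattern) in RULES.items():
            if event_id == wanted_id and (pattern is None or pattern.search(detail)):
                hits[host].add(name)
    return hits


def score_hosts(lines, threshold=3):
    """Return hosts whose count of distinct indicators meets the threshold.
    A single password reset on its own is noise; the chain is the signal."""
    hits = match_indicators(lines)
    return {host: sorted(names) for host, names in hits.items() if len(names) >= threshold}
```

Running `score_hosts(SAMPLE_LOGS.splitlines())` flags only the playout host, where all five behaviours coincide, and ignores the workstation with a lone password reset.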

Check Point identified three backdoors used in the attack: one designed to take screenshots (a variant of which can also execute commands), and two others designed to download and upload files, run commands via cmd, proxy connections, and manipulate local files.

Based on various artifacts within the analyzed samples, Check Point was able to connect the malicious tools to the same cluster of activity.

“The use of wiper malware in the attack against a state entity in Iran begs us to compare the tools with those belonging to Indra, which […] is responsible for unleashing a wiper in the Iranian Railways and Ministry of Roads systems. Although these wipers are coded and behave very differently, some implementation details […] suggest that the attackers behind the IRIB hack may have been inspired by previous attacks that happened in Iran,” Check Point said in its latest report.

Another possibility is that attackers had help from the inside, given that they used rather low-quality and unsophisticated tools, but were able to “pull off a complicated operation to bypass security systems and network segmentation.”

Check Point also notes that, while the exact damage caused by the attack is still unknown, MEK-affiliated news outlets recently suggested that more than 600 servers and broadcasting, production, and archive equipment might have been destroyed in the attack.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
