Iranian infrastructure has been on the radar of cyberattackers for a couple of years. We have already witnessed organized and sophisticated attacks such as Stuxnet, Duqu, and similar assaults. Now we have seen yet another attack against Iran, this one primarily targeting the Microsoft SQL Server databases of some Iranian financial software. This attack has been named Narilam because one of the financial applications it targets is called Maliran.
We have analyzed several samples of this malware, one of which was about 2MB. From the binaries’ headers, it looks as though this attack has been going on for a while: The Trojan was compiled with Borland C++ in 2010.
One sample, first seen in June 2012, has a timestamp of July 2002.
Although these headers could have been faked, while analyzing the code we found the date April 25, 2010, which leads us to believe that this threat has existed for more than two years.
The Iranian CERT team has published an alert for this malware, indicating that Narilam has been known since 2010 by a different name.
The installation process of this malware is fairly standard in creating the start-up registry entries and copying itself as lsass.exe into the system directory. It targets certain SQL databases and tables of the following Iranian finance and banking software.
- Maliran (integrated financial and applications software)
- Shahd (integrated financial, commercial, and retail software)
- Amin (banking software)
Narilam checks for the presence of these software and exits the infected systems if it does not find them.
Although the malware code doesn’t seem to employ any sophisticated techniques compared with its predecessors, it can connect to the specific databases via OLE DB and send SQL queries to update or delete records and drop certain tables with specific names. Here are some of the SQL queries that we’ve found in the code:
- Update Asnad Set SanadNo=@SanadNo1,LastNo=@SanadNo1,FirstNo=@SanadNo1 Where Cast(SanadNo as int)=@SanadNo and Raj=@Raj
- Set @SanadNo=(select Max(Cast(sellercod As int )) from A_Sellers
- Delete from A_Sellers Where Cast(sellercod as int)=@SanadNo
- Update A_TranSanj Set Tranid=@SanadNo1 Where Cast(Tranid as int)=@SanadNo and Raj=@Raj
- Delete from Koll Where Cast(Koll as int)=@SanadNo
- Delete from Moein Where Cast(Moein as int)=@SanadNo
- Drop table Holiday_1
- Set @SanadNo=Round(@SanadNo * (SELECT RAND(@IDLE)),0,0
- Set @Raj=(select Max(Raj) from R_DetailFactoreForosh Where Cast(SanadNoForosh as int)=@SanadNo
- Update R_DetailFactoreForosh Set SanadNoForosh=@SanadNo1 Where Cast(SanadNoForosh as int)=@SanadNo and Raj=@Raj
Here are the some of the database tables that Narilam targets for updating and deleting records:
Some of the table names dropped from the database:
Next we see the portion of the code where it tries to access SQL Server’s sysobjects table:
The binary also contains the following sequence to further corrupt the database with random values:
All the financial and banking software targeted by this malware are products of the Iranian company Tarrah Systems, which issued a warning on its website about W32.Narilam a couple of days ago. The company asked its customers to use the backups of their databases if they are using the targeted products.
While analyzing several similar samples of this malware, it seems this code was written to corrupt and delete databases accessed by these software, thereby causing potential financial losses to users. Possible targets of Narilam are corporations and banks that are likely to have these applications installed. We recommend that users of these systems regularly back up their systems, and avoid any kind of disturbance.
McAfee detects this malware as Generic.Backdoor.wc. McAfee customers with the latest antivirus definitions are already protected against these attacks.