Iranian hacker group launches cyber attacks using the No-Justice wiper as its weapon

admin, January 7, 2024, 16:58:16

The recent wave of cyber attacks targeting Albanian organizations involved the use of a wiper called No-Justice.

The findings come from cybersecurity company ClearSky, which said the Windows-based malware "crashes the operating system in a way that it cannot be rebooted."

The intrusions have been attributed to an Iranian "psychological operation group" called Homeland Justice, which has been operating since July 2022, specifically orchestrating destructive attacks against Albania.

On December 24, 2023, the adversary resurfaced after a hiatus, stating it's "back to destroy supporters of terrorists," describing its latest campaign as #DestroyDurresMilitaryCamp. The Albanian city of Durrës currently hosts the dissident group People's Mojahedin Organization of Iran (MEK).

Targets of the attack included ONE Albania, Eagle Mobile Albania, Air Albania, and the Albanian parliament.

Two of the primary tools deployed during the campaign include an executable wiper and a PowerShell script that's designed to propagate the former to other machines in the target network after enabling Windows Remote Management (WinRM).
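The article only says the PowerShell component enables WinRM before spreading the wiper, so a defender's first question is whether WinRM was switched on unexpectedly on a host. The following is an added example (not code from the article, ClearSky, or the campaign) that runs a small detection over constructed PowerShell script block logging records (Event ID 4104 from Microsoft-Windows-PowerShell/Operational). It assumes script block logging is enabled and that enablement went through the usual cmdlets and commands; the host names and log lines are made up for the example.

```python
import re

# Constructed sample records shaped like PowerShell script block logging events
# (Event ID 4104). Host names and commands are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "ws01.corp.local",
     "ScriptBlockText": "Get-ChildItem C:\\Users"},
    {"EventID": 4104, "Computer": "ws02.corp.local",
     "ScriptBlockText": "Enable-PSRemoting -Force -SkipNetworkProfileCheck"},
    {"EventID": 4104, "Computer": "ws02.corp.local",
     "ScriptBlockText": "Set-Item WSMan:\\localhost\\Client\\TrustedHosts -Value * -Force"},
    {"EventID": 4104, "Computer": "ws03.corp.local",
     "ScriptBlockText": "winrm quickconfig -q"},
    # Different event ID: not a script block record, so it is ignored below.
    {"EventID": 4103, "Computer": "ws04.corp.local",
     "ScriptBlockText": "Enable-PSRemoting"},
]

# Commands that enable WinRM or widen who may connect to it. Assumption: these
# are the forms an operator would type; tune the list to your environment.
WINRM_ENABLE_PATTERNS = [
    (r"\bEnable-PSRemoting\b", "Enable-PSRemoting cmdlet"),
    (r"\bSet-WSManQuickConfig\b", "Set-WSManQuickConfig cmdlet"),
    (r"\bwinrm\s+(quickconfig|qc)\b", "winrm quickconfig"),
    (r"\bwinrm\s+set\b", "winrm set (service/listener reconfiguration)"),
    (r"WSMan:\\localhost\\Client\\TrustedHosts", "TrustedHosts modification"),
    (r"\b(Start|Set)-Service\b.*\bWinRM\b", "WinRM service started or modified"),
    (r"\bnetsh\b.*\b(5985|5986)\b", "firewall rule touching WinRM ports"),
]


def classify_script_block(text):
    """Return the labels of every WinRM-enablement pattern found in one script block."""
    return [label for pattern, label in WINRM_ENABLE_PATTERNS
            if re.search(pattern, text, re.IGNORECASE)]


def find_winrm_enablement(events):
    """Return one hit per 4104 record whose script block enables or widens WinRM."""
    hits = []
    for event in events:
        if event.get("EventID") != 4104:
            continue
        text = event.get("ScriptBlockText", "")
        reasons = classify_script_block(text)
        if reasons:
            hits.append({"Computer": event.get("Computer", "?"),
                         "ScriptBlockText": text, "reasons": reasons})
    return hits


def hosts_with_enablement(events):
    """Sorted, de-duplicated list of hosts where WinRM enablement was observed."""
    return sorted({hit["Computer"] for hit in find_winrm_enablement(events)})


if __name__ == "__main__":
    for hit in find_winrm_enablement(SAMPLE_EVENTS):
        print(f"{hit['Computer']}: {', '.join(hit['reasons'])} <- {hit['ScriptBlockText']}")
    print("hosts:", hosts_with_enablement(SAMPLE_EVENTS))
```

A burst of such events on several workstations within minutes is the pattern to alert on; a single administrator enabling remoting on a management host is routine, which is why the output keeps the host and the exact script block for triage.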

The No-Justice wiper (NACL.exe) is a 220.34 KB binary that requires administrator privileges to erase the data on the computer.

This is accomplished by removing the boot signature from the Master Boot Record (MBR), which refers to the first sector of any hard disk that identifies where the operating system is located in the disk so that it can be loaded into a computer's RAM.
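To make the MBR description concrete, here is an added example (not from the article or ClearSky) that parses the first 512-byte sector and checks the boot signature, which is the two bytes 0x55 0xAA at offset 510 that firmware requires before it will run the sector's bootstrap code. The sample sectors are constructed in the code, not taken from a real disk or from the wiper; the partition layout (one NTFS partition at LBA 2048) is an assumption chosen for illustration.

```python
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries live at bytes 446..509
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE_OFFSET = 510       # last two bytes of the sector
BOOT_SIGNATURE = b"\x55\xaa"      # 0x55 0xAA on disk (0xAA55 read little-endian)
ENTRY_FORMAT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sectors


def build_sample_mbr(signature_present=True):
    """Constructed sample sector (not a real disk image): one bootable NTFS partition.

    With signature_present=False the boot signature bytes are left zero, which is
    the state the article describes the wiper leaving behind.
    """
    sector = bytearray(MBR_SIZE)
    entry = struct.pack(ENTRY_FORMAT,
                        0x80,                  # active / bootable
                        b"\x00\x21\x00",       # CHS start (placeholder values)
                        0x07,                  # partition type: NTFS / exFAT
                        b"\xfe\xff\xff",       # CHS end (placeholder values)
                        2048,                  # LBA of first sector
                        204800)                # number of sectors
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    if signature_present:
        sector[BOOT_SIGNATURE_OFFSET:MBR_SIZE] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Decode the partition table and boot signature of a 512-byte sector."""
    if len(sector) < MBR_SIZE:
        raise ValueError(f"expected at least {MBR_SIZE} bytes, got {len(sector)}")
    signature = bytes(sector[BOOT_SIGNATURE_OFFSET:MBR_SIZE])
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, sector[offset:offset + PARTITION_ENTRY_SIZE])
        if ptype == 0:           # type 0 marks an unused slot
            continue
        partitions.append({"index": index, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"signature": signature.hex(),
            "signature_valid": signature == BOOT_SIGNATURE,
            "partitions": partitions}


def assess_mbr(sector):
    """One-line verdict distinguishing an intact sector from the two damage patterns."""
    info = parse_mbr(sector)
    if info["signature_valid"]:
        return f"OK: boot signature present, {len(info['partitions'])} partition entries in use"
    if info["partitions"]:
        return (f"ALERT: boot signature missing (found {info['signature']}) but the partition "
                "table is still populated: consistent with signature removal only")
    return "ALERT: boot signature missing and partition table empty: sector appears fully wiped"


if __name__ == "__main__":
    print(assess_mbr(build_sample_mbr(signature_present=True)))
    print(assess_mbr(build_sample_mbr(signature_present=False)))
```

On a live system the same parser can be pointed at the raw device, for example `open(r"\\.\PhysicalDrive0", "rb").read(512)` on Windows or `/dev/sda` on Linux, both of which need administrative rights. The distinction the verdict draws matters for recovery: if only the signature is gone and the partition table is intact, the partitions and their file systems may still be recoverable from a forensic image, whereas an all-zero sector means the layout has to be reconstructed.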

Also delivered over the course of the attack are legitimate tools like Plink (aka PuTTY Link), RevSocks, and the Windows 2000 resource kit to facilitate reconnaissance, lateral movement, and persistent remote access.

The development comes as pro-Iranian threat actors such as Cyber Av3ngers, Cyber Toufan, Haghjoyan, and YareGomnam Team have increasingly set their sights on Israel and the U.S. amid continuing geopolitical tensions in the Middle East.

"Groups such as Cyber Av3ngers and Cyber Toufan appear to be adopting a narrative of retaliation in their cyber attacks," Check Point disclosed last month.

"By opportunistically targeting U.S. entities using Israeli technology, these hacktivist proxies try to achieve a dual retaliation strategy – claiming to target both Israel and the U.S. in a single, orchestrated cyber assault."

Cyber Toufan, in particular, has been linked to a deluge of hack-and-leak operations targeting over 100 organizations, wiping infected hosts and releasing stolen data on their Telegram channel.

"They've caused so much damage that many of the orgs – almost a third, in fact, haven't been able to recover," security researcher Kevin Beaumont said. "Some of these are still fully offline over a month later, and the wiped victims are a mix of private companies and Israeli state government entities."

Last month, the Israel National Cyber Directorate (INCD) said it's currently tracking roughly 15 hacker groups associated with Iran, Hamas, and Hezbollah that are maliciously operating in Israeli cyberspace since the onset of the Israel-Hamas war in October 2023.

The agency further noted that the techniques and tactics employed share similarities with those used in the Ukraine-Russia war, leveraging psychological warfare and wiper malware to destroy information.

Originally published on the WeChat official account 知机安全: Iranian hacker group launches cyber attacks using the No-Justice wiper as its weapon

Posted by admin on January 7, 2024, 16:58:16. Source (CN-SEC): http://cn-sec.com/archives/2371540.html