An anti-Israel & pro-Palestinian data wiper called IsraBye has been discovered that pretends to be a ransomware. Unfortunately, even though the lock screen implies that the files can be recovered, the contents of the files are actually replaced with an anti-Israel message. 

Discovered first by Avast security researcher Jakub Kroustek at the end of July, I missed seeing this tweet, until other researchers such as Ari Eitan and Ido Naor started tweeting about it. As it looked interesting, I decided to take a look and create a video demonstrating the functionality of IsraBye.

The timing surrounding IsraBye's appearance isn't an accident. The wiper was spotted shortly after the onset of the Al Aqsa crisis; a political incident set off by Israel officials installing new security measures at the Al Aqsa mosque in Jerusalem, which Palestinians considered an intrusive expansion of control over one of Islam's holiest sites.

IsraBye is a Modular Malware

The IsraBye data wiper is modular, which means that instead of being one malware executable, the functionality of the wiper is spread among 5 different executables. The first executable, is the launcher and wiper called IsraBye.exe. When launched, IsraBye.exe will silently begin to destroy the files on all attached drives by replacing their contents with the string:

Fuck-israel, [username] You Will never Recover your Files Until Israel disepeare

When wiping the files, it will actually destroy the contents of the files rather than encrypting them. When IsraBye.exe finishes wiping the data on all of the drives, it will extract 4 files called Cry.exe, Cur.exe, Lock.exe, and Index.exe from the IsraBye.exe executable and launch them. Each of these files perform a different function, which is described below.

The Cry.exe executable will change the desktop's wallpaper to an image that I am assuming is anti-Israel or pro-Palenstinian.

IsraBye Wallpaper
IsraBye Wallpaper

The Cur.exe executable will cause an image that reads "End of Israel" to become attached to and follow the mouse cursor.

Mouse Cursor
Mouse Cursor

The Lock.exe performs three functions. First it will look for the procexp64, ProcessHacker, taskmgr, procexp, xns5  processes and terminate them if they are detected. Second, it will launch Index.exe if it is not running already and finally, it will copy the main Israbye.exe file to the root of other drives as a file called ClickMe.exe in order to spread the malware. Ido Naor discovered that if you create a file called ClickMe.exe in the %Temp% folder, IsraBye crashes when first starting.

Source Code for Spreading
Source Code for Spreading

Finally, the Index.exe executable will display the lock screen and extract a wav file and play it. This will cause a song to play as seen in the above video, which I am unsure of what it is saying, but I am assuming is not pro-Israel.

IsraBye Lock Screen
IsraBye Lock Screen

Even though this wiper states that it is possible to recover your files, unfortunately this is not the case. The only way to recover your files is through a backup, restoring from shadow volume copies, or by using a file recovery software.

 

Hash:

SHA256: 5a209e40e0659b40d3d20899c00757fa33dc00ddcac38a3c8df004ab9051de0d