Anti-Israel and pro-Palestinian IsraBye wiper spreads as a ransomware

Malware researchers discovered an anti-Israel & pro-Palestinian data wiper dubbed IsraBye that is spreading as a ransomware.

Malware researcher Jakub Kroustek from Avast has recently discovered an anti-Israel & pro-Palestinian data wiper dubbed IsraBye. Even if the lock screen claims that the files can be recovered, their content is replaced with an anti-Israel message.

The anti-Israel wiper was discovered concurrently the Al Aqsa crisis triggered by the decision of Israeli authorities to install metal detectors and other measures at the Al Aqsa mosque in Jerusalem. The measures were refused by Palestinians.

Researchers at Bleepingcomputer have published an interesting video on the IsraBye:

The wiper has a modular architecture composed of 5 different executables. The first executable is the launcher and wiper called IsraBye.exe. When executed IsraBye.exe silently begin to wipe all attached drives by replacing their contents with the following message:

Fuck-israel, [username] You Will never Recover your Files Until Israel disepeare

The wiper doesn’t encrypt the file, but destroy them and once completed the process, it extracts the files Cry.exe, Cur.exe, Lock.exe, and Index.exe from the IsraBye.exe executable and launches them.

The Cry.exe executable replaces the desktop’s wallpaper with an anti-Israel or pro-Palestinian image.

IsraBye wallpaper (Source Bleepingcomputer)

The Cur.exe attaches an image that included the message “End of Israel” to the mouse cursor.

The Lock.exe performs the following three functions:

it will look for the procexp64, ProcessHacker, taskmgr, procexp, xns5 processes in order to terminate them.
it will launch Index.exe if it is not already running.
it will copy the main Israbye.exe file to the root of other drives as a file called ClickMe.exe in order to spread the malware.

The researcher Ido Naor noticed that creating a file called ClickMe.exe in the %Temp% folder it is possible to make IsraBye crashes when first starting.

The Index.exe executable displays the lock screen and extracts a wav file and play it.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – IsraBye, wiper)

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.