A post on Securelist has detailed upon a rather new malware found in the Middle East, dubbed Narilam. A mention of it came by in a recent analysis by Symantec, and this post now reveals that it seems to have been designed to corrupt databases. Going by the database structure naming, it is being believed that its targets are likely to be in Iran. 

The malware

Narilam is believed to be “almost extinct” currently

Kaspersky Lab Expert, GReAT, shares that Kaspersky has identified many samples pertaining to this threat. “All of them are ~1.5MB Windows PE executables, compiled with Borland C++ Builder. If we are to trust the compilation headers, they appear to have been created in 2009-2010, which means it might have been in the wild for a while,” he adds. Interestingly, he shares that the earliest known sample contains the timestamp of “Thu Sep 03 19:21:05 2009”. As per information at hand, Kaspersky Security Network believes that currently there are very few instances of the malware, giving the idea that it may probably be extinct. It has been known that the earliest report on the citing of the malware came in August 2010, and there have been about 80 instances recorded since. 

GReAT shares that many versions of this Trojan have been detected by Kaspersky products as Trojan.Win32.Scar.cvcw and Trojan.Win32.Scar.dlvc. In fact, there have been a host of newer versions of the malware that were detected heuristically by Kaspersky products as HEUR:Trojan.Win32.Generic. 

Interestingly, he offers that the Narilam malware may even be related to a chain of attacks that targeted Iran in the past two years. He, however quickly adds that through their analysis of the sample at least, they found no obvious connection with the aforementioned threats. “Duqu, Stuxnet, Flame and Gauss have all been compiled with versions of Microsoft Visual C, while Narilam was built with Borland C++ Builder 6 (and not Delphi, as other articles seem to suggest), a completely different programming tool,” he clarifies. 

While one could possibly go by the aforementioned timestamp on the sample, GReAT offers that it is not uncommon that timestamps are faked. To this end, they considered the option of finding other proof – they found a CERT alert from two years ago, which he says “appears to relate to this malware.”

The CERT alert in 2010 detailed upon a malware with slightly different size, but the same payload: “The malware changes in the database tables, integrated systems Amin, Maliran, Shahd.” An alternative name for it is “Trojan.AKK”.

Interestingly, a more recent instance came by just last week when the Iranian Maher CERT team published an alert about the malware, wherein they say that it was 'previously detected and reported online in 2010'.

As known by now, the malware seems to target databases with some very specific names: maliran, shahd and amin. The way this works is that it randomly deletes records from several tables named “A_Sellers”, “Koll” or “Moein”:

Moreover, an Iranian company named “TarrahSystem” alerted about “W32.Narilam” targeting some of its software. GReAT shares a rough translation of the alert, which advises users to prepare backups, since the new malware (W32.Narilam) was targeting “financial software”. Both “maliran” and “amin” appear to be products from TarrahSystem. 

Shedding some more light, the post classifies it further::

  • Maliran – Integrated Financial and Industrial Applications 
  • Amin – Banking and Loans Software 
  • Shahd (“Nectar”) – Integrated Financial / Commercial Software

Taking in all the information available on Narilam at the moment, the post adds that it is a fairly old threat and was put in action during late 2009 and mid-2010. The malware works towards corrupting databases of three financial applications from TarrahSystem, namely Maliran, Amin and Shahd. As it appears now, there were several variants that may have been created, but all of them have been found to have the same functionality and method of replication.

Kaspersky Security Network has shared in its reports that the malware was found mostly in Iran (60 percent) and Afghanistan (40 percent). “At the moment, we do not see any direct connection with other recent destructive malware (such as Shamoon or Wiper). Unlike Duqu or Flame, there is no apparent cyberespionage function,” the post adds. 

GReAT shares that the Narilam malware is presently almost extinct and just six instances of it surfaced during the past month. 

Cover Image credit: Getty Images

Tags: , , , , ,