Reminder to not expose iLO interfaces due to Implant.ARM.iLOBleed.a rootkit

no_connection (Patron, joined Dec 15, 2013, 480 messages)

When our security analysis team discovered the malware, the attackers had decided to wipe the server's disks and completely hide their tracks. Interestingly, the attackers were not satisfied with one-time destruction and set the malware to repeatedly perform the data destruction at intervals. Maybe they thought that this way, if the system administrator reinstalls the operating system, the entire hard drive will be destroyed again after a while. Clearly, they didn't think their malware would be found.

But unlike other "wiper" malware, this is not a one-time hit-and-run disposable malware. It is designed to stay under the radar for extended periods. One of the important features of this malware is the manipulation of the iLO firmware upgrade routine, so that if the system administrator tries to upgrade the iLO firmware to a new version, the malware simulates the version change while preventing the upgrade routine. To this end, the malware pretends that the upgrade was successful, with all the right messages and logs. Even the exact firmware version number is extracted and displayed in the appropriate places in the web console and other locations, although in fact no upgrade has been performed.