
No-Justice Wiper



On 4 January 2024, ClearSky provided an analysis of NALC.exe, a malicious executable consistent with the "No-Justice" wiper - a piece of malware attributed to a pro-Iranian actor known as Homeland Justice. This malware was recently used in a number of attacks against Albanian organizations, including telecommunication companies, government institutions and an airline.


The attacks documented in the ClearSky report leverage various artifacts, including:


  • A PowerShell script with the ability to download and install the wiper alongside other tools used for discovery and lateral movement (Plink, RevSocks, W2K Res Kit);

  • The wiper payload, which functions by removing the boot signature from the Master Boot Record, preventing the system from loading the operating system.
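For responders triaging an affected disk image, the check below classifies sector 0 by whether the boot signature is present and whether partition entries are still parseable. It is an added example, not code from the ClearSky report or from Clipeus; it assumes the classic MBR layout (partition table at offset 446, signature 0x55AA at offset 510), and the function names and sample sector are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446              # four 16-byte partition entries (classic MBR layout)
SIG_OFFSET = 510             # boot signature occupies bytes 510-511
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partitions(sector0):
    """Return (type, start_lba, sector_count) for each non-empty partition entry."""
    entries = []
    for i in range(4):
        raw = sector0[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        ptype = raw[4]
        start_lba, count = struct.unpack_from("<II", raw, 8)
        if ptype != 0 and count != 0:
            entries.append((ptype, start_lba, count))
    return entries


def triage_mbr(sector0):
    """Classify the first sector of a disk image for wiper triage."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need the full 512-byte first sector")
    sector0 = bytes(sector0[:SECTOR_SIZE])
    if sector0[SIG_OFFSET:SIG_OFFSET + 2] == BOOT_SIGNATURE:
        return "signature-present"
    if not any(sector0):
        return "sector-zeroed"
    if parse_partitions(sector0):
        return "signature-missing-partition-table-present"
    return "signature-missing-no-partition-table"


def build_sample_mbr():
    """Constructed sample sector: one type-0x07 partition starting at LBA 2048."""
    s = bytearray(SECTOR_SIZE)
    s[0:3] = b"\xeb\x63\x90"  # placeholder bytes standing in for boot code
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    s[PT_OFFSET:PT_OFFSET + 16] = entry
    s[SIG_OFFSET:SIG_OFFSET + 2] = BOOT_SIGNATURE
    return s


if __name__ == "__main__":
    healthy = build_sample_mbr()
    damaged = bytearray(healthy)
    damaged[SIG_OFFSET:SIG_OFFSET + 2] = b"\x00\x00"  # in-memory copy without signature
    for name, img in (("healthy", healthy), ("damaged", damaged)):
        print(name, triage_mbr(img), parse_partitions(img))
```

To use it on evidence, pass the first 512 bytes read from a forensic image opened read-only.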


Based on analysis of the Homeland Justice Telegram channel provided with the ClearSky report, the campaign targets Albania because the Albanian city of Durrës reportedly hosts members of the Mojahedin-e-Khalq Organization (MKO), a group antagonistic to the Iranian government.



If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to info@clipeusintelligence.com with your inquiry. We would be glad to assist you.
