Full Report
A previously undocumented data-wiping malware dubbed Lotus was used last year in targeted attacks against energy and utilities organizations in Venezuela. [...]
Analysis Summary
# Tool/Technique: Lotus Wiper
## Overview
Lotus is a previously undocumented, highly destructive data-wiping malware used in targeted attacks against the energy and utility sectors in Venezuela. Its primary purpose is to render compromised systems unrecoverable by overwriting physical drives, deleting files, and removing system recovery mechanisms.
## Technical Details
- **Type:** Malware (Data Wiper)
- **Platform:** Windows
- **Capabilities:** Low-level disk overwriting via IOCTL, service manipulation, user account disabling, network interface deactivation, and deletion of Volume Shadow Copies and restore points.
- **First Seen:** Approximately mid-December 2025.
## MITRE ATT&CK Mapping
- **[TA0005 - Defense Evasion]**
- [T1562.001 - Impair Defenses: Disable or Modify Tools] (Disabling the `UI0Detect` service)
- [T1070.004 - Indicator Removal: File Deletion] (Deleting the NTFS USN change journal)
- **[TA0040 - Impact]**
- [T1485 - Data Destruction] (Overwriting and zero-filling files, then renaming them)
- [T1561.001 - Disk Structure Wipe: Disk Content Wipe] (Overwriting physical sectors directly; `diskpart clean all` likewise zeros every sector of the selected disk)
- [T1561.002 - Disk Structure Wipe: Disk Partition Wipe] (Partition and volume metadata are destroyed in the same `diskpart clean` pass; plain `clean` without `all` removes only that metadata)
- [T1490 - Inhibit System Recovery] (Deleting Volume Shadow Copies and restore points)
- [T1531 - Account Access Removal] (Resetting passwords, disabling accounts, and terminating sessions: the aim is to lock legitimate users out, not to maintain access, so this is an Impact technique rather than Persistence)
## Functionality
### Core Capabilities
- **Pre-Payload Scripting:** Two batch scripts (`OhSyncNow.bat` and `notesreg.bat`) run ahead of the main wiper binary to weaken defenses and cut off the operators' ability to respond.
- **Service & Defense Disruption:** Disables the `UI0Detect` (Interactive Services Detection) service and turns off cached domain logons, removing the fallback that lets domain users sign in when no domain controller is reachable.
- **Account Sabotage:** Enumerates user accounts, resets their passwords and disables them, then terminates active sessions so that nobody remains logged on.
- **Network Isolation:** Disables every network interface, blocking remote intervention and any exfiltration of evidence before the wipe completes.
- **Drive Wiping:** Runs `diskpart clean all` to zero every sector of each disk and uses `fsutil` to create large files that consume all remaining free space.
### Advanced Features
- **Low-Level Interaction:** Opens physical drive devices rather than logical volumes and issues IOCTLs to them (the `IOCTL_DISK_GET_DRIVE_GEOMETRY` family of requests is the standard way to obtain sector size and count), then overwrites sectors directly, bypassing file-system permissions and anything that protects only mounted volumes.
- **Evidence Removal:** Deletes the NTFS Update Sequence Number (USN) change journal, removing the record of file creations, modifications and deletions that forensic timelines depend on.
- **Anti-Recovery:** Systematically deletes all Volume Shadow Copies and System Restore points through the Windows System Restore API, so the built-in rollback paths are gone before the wipe begins.
- **Redundant Destruction:** Performs multiple cycles of drive wiping and file zeroing, then renames files to random names so that any recoverable fragments cannot be tied back to their original names.
## Indicators of Compromise
- **File Names:**
- `OhSyncNow.bat` (Initial stage)
- `notesreg.bat` (Secondary stage)
- **Behavioral Indicators:**
- Manipulation of the `UI0Detect` service (stopped, or start type changed to disabled).
- Unusual execution of `diskpart` (including script-driven `diskpart /s <file>`), `robocopy`, and `fsutil`.
- Mass password resets, account disabling, or lockouts within a short window.
- Sudden disabling of network adapters.
- Unexpected changes to the `NETLOGON` share, in particular new or modified batch files.
## Associated Threat Actors
- **Unidentified:** No specific group has been named; researchers note that the activity aligns with geopolitical tensions in Venezuela, and the state-owned oil company PDVSA was a primary victim of the associated disruptive cyber activity.
## Detection Methods
- **Behavioral Detection:** Monitor for processes that open physical drive devices (`\\.\PhysicalDriveN`) for raw access outside known administrative and backup tooling; Sysmon Event ID 9 (RawAccessRead) records raw reads through the `\\.\` namespace, while raw writes need EDR telemetry. Track execution of `diskpart` and `fsutil`, and bursts of file rename or deletion events. Note that `diskpart` usually takes its commands from a script file via `/s`, so `clean all` will not appear on the process command line; retrieve and inspect the referenced script file.
- **Audit Logs:** In the Security log, watch for mass password resets and changes (Event IDs 4724 and 4723) and account disabling (4725) by a single subject in a short window, and, with command-line auditing enabled, process creation (4688) for the tools above. In the System log, watch for service state changes (7036) and start-type changes (7040); both record the service display name (`Interactive Services Detection`), not the short name `UI0Detect`.
- **Network/Share Monitoring:** Alert on unauthorized modifications to the `NETLOGON` share, which replicates to every domain controller and is readable by every domain-joined host, making it a convenient distribution point for the batch stages.
## Mitigation Strategies
- **Offline Backups:** Maintain regular, verified offline or immutable backups; wipers specifically target online backups, shadow copies and restore points, so anything reachable from the compromised host should be assumed lost.
- **Privilege Management:** Restrict administrative privileges. Raw disk writes, service control, network adapter changes and mass password resets all require them, so an account that cannot do these cannot run the wiper to completion.
- **Endpoint Protection:** Use EDR that can detect and block unauthorized use of `diskpart`, raw physical-drive access, and the disabling of network interfaces or services from scripts.
- **Network Segmentation:** Segment critical infrastructure, and treat `NETLOGON` as a high-value asset: a script placed there replicates to every domain controller and reaches every domain-joined host.
## Related Tools/Techniques
- **DiskPart:** Native Windows utility abused for partition wiping.
- **Fsutil:** Native Windows utility abused for disk space exhaustion.
- **Robocopy:** Abused for overwriting directory contents.