Lotus is a previously undocumented data-wiping malware used last year in targeted attacks against Venezuelan energy and utilities organizations, and it was analyzed by Kaspersky after being uploaded from a machine in Venezuela. Attackers used preparatory batch scripts to disable defenses, wipe drives with tools like diskpart/robocopy/fsutil, and then deploy the Lotus wiper to overwrite physical sectors, delete recovery mechanisms, and render systems unrecoverable. #Lotus #PDVSA
Keypoints
- Lotus was used in targeted attacks against Venezuelan energy and utilities and uploaded from a machine in Venezuela in mid-December.
- Initial batch script OhSyncNow.bat disables the UI0Detect service and coordinates execution across domain-joined systems.
- The follow-up script notesreg.bat enumerates and disables accounts, logs off sessions, and disables network interfaces to hinder recovery and response.
- Attackers use diskpart clean all, robocopy, and fsutil to overwrite drives and fill free space before decrypting and running the Lotus wiper.
- Lotus interacts with disks via IOCTL calls to overwrite physical sectors, clear the USN journal, delete restore points, and zero files.
- Kaspersky recommends monitoring for NETLOGON share changes and unexpected fsutil/robocopy/diskpart activity, and maintaining offline backups.
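The detection advice above, as an added example that is not code from Kaspersky's report: it runs simple command-line rules over constructed process-creation events for the tooling described (UI0Detect service tampering, diskpart `clean all`/scripted runs, fsutil/robocopy free-space filling, batch files launched from a NETLOGON share) and correlates hits per host. The regexes and sample events are assumptions about how these commands appear in Windows 4688 or Sysmon Event ID 1 logs.

```python
"""Added example (not from Kaspersky's report): triage constructed process-creation
events for the wiper-preparation tooling summarised above. Rule patterns are
assumptions about how these commands appear in 4688 / Sysmon ID 1 command lines."""
import re

# (rule name, regex applied to the lower-cased command line)
RULES = [
    ("ui0detect_service_tamper", re.compile(r"\b(sc|net)(\.exe)?\s+(stop|config|delete)\s+ui0detect\b")),
    ("diskpart_clean_or_scripted", re.compile(r"\bdiskpart(\.exe)?\b.*\bclean\s+all\b|\bdiskpart(\.exe)?\s+/s\b")),
    ("fsutil_free_space_fill", re.compile(r"\bfsutil(\.exe)?\s+file\s+(createnew|setzerodata)\b")),
    ("robocopy_bulk_copy", re.compile(r"\brobocopy(\.exe)?\b.*\s/(mir|e)\b")),
    ("batch_from_netlogon", re.compile(r"\\\\[^\\\s]+\\netlogon\\[^\s]+\.(bat|cmd)\b")),
]

def triage(events):
    """events: dicts with at least 'host' and 'cmdline'. Returns (host, rule, cmdline) per hit."""
    alerts = []
    for ev in events:
        text = ev.get("cmdline", "").lower()
        for name, rx in RULES:
            if rx.search(text):
                alerts.append((ev["host"], name, ev.get("cmdline", "")))
    return alerts

def correlate(alerts, min_rules=2):
    """Hosts on which several distinct indicators fired; investigate these first."""
    by_host = {}
    for host, rule, _ in alerts:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "srv01", "cmdline": r"cmd.exe /c \\dc01\NETLOGON\OhSyncNow.bat"},
    {"host": "srv01", "cmdline": "sc config UI0Detect start= disabled"},
    {"host": "srv01", "cmdline": r"diskpart.exe /s C:\Windows\Temp\wipe.txt"},
    {"host": "srv01", "cmdline": r"fsutil file createnew D:\fill.bin 10000000000"},
    {"host": "srv01", "cmdline": r"robocopy C:\Windows\Temp\fill D:\fill /E"},
    {"host": "ws07", "cmdline": "fsutil fsinfo drives"},  # benign query, no alert
]

if __name__ == "__main__":
    for host, rule, cmdline in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmdline}")
    print("correlated hosts:", correlate(triage(SAMPLE_EVENTS)))
```

In practice the events would come from your SIEM's process-creation feed; the rules flag the tools themselves, so tune them against known-good backup and provisioning jobs before alerting on every hit.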