5 December 2019

New destructive wiper ZeroCleare targets industrial and energy organizations in the Middle East

IBM’s security researchers have uncovered previously unknown malware that appears to have been developed by Iranian hackers and was used in a destructive data-wiping attack against industrial and energy entities in the Middle East.

The new malware, dubbed “ZeroCleare”, bears some similarity to the infamous Shamoon wiper that damaged tens of thousands of computers at oil giant Saudi Aramco in 2012: like Shamoon, it overwrites the master boot record (MBR) and disk partitions of Windows-based systems using the legitimate EldoS RawDisk tool, and it relies on a vulnerable driver and malicious PowerShell/Batch scripts to bypass Windows controls. However, the researchers do not believe that ZeroCleare is related to the Shamoon malware family, as they found no similarities in the malware’s code.

ZeroCleare was spread to numerous devices on the affected network with the intent of causing widespread damage to the target organization. According to IBM, the ZeroCleare attacks were not opportunistic but aimed at specific organizations. The experts also believe that ZeroCleare was developed by the well-known Iranian-sponsored threat actor APT34/OilRig (aka ITG13) and that the attacks were carried out in collaboration with another, unnamed group, likely also based in Iran.

“The general flow of events on 64-bit machines includes using a vulnerable, signed driver and then exploiting it on the target device to allow ZeroCleare to bypass the Windows hardware abstraction layer and avoid some operating system safeguards that prevent unsigned drivers from running on 64-bit machines,” the report revealed.

“This workaround has likely been used because 64-bit Windows-based devices are protected with Driver Signature Enforcement (DSE).”
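The sequence the report describes, a signed but vulnerable driver loaded first and an unsigned driver loaded shortly after on the same host, leaves a recognisable trace in driver-load telemetry. The following Python detection is an added example, not code from IBM, the report or the malware. It runs over constructed Sysmon Event ID 6 (DriverLoad) records written in a flat key=value form; the host names, paths, timestamps and the watchlist are assumptions for illustration (the EldoS RawDisk driver is assumed to be named elrawdsk.sys, the file name seen in Shamoon samples).

```python
"""Flag the 'signed loader, then unsigned driver' pattern of a DSE bypass.

Added example. The records below are constructed Sysmon Event ID 6
(DriverLoad) events in a flat key=value|key=value form; they are not
telemetry from the ZeroCleare incident.
"""
from datetime import datetime, timedelta

SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"
# Assumed watchlist of driver file names worth alerting on regardless of
# signature state. 'elrawdsk.sys' is the EldoS RawDisk driver file name as
# dropped by Shamoon; treat the set as a placeholder for your own list.
WATCHLIST = {"elrawdsk.sys"}
# How long after a suspicious signed driver load an unsigned load still counts
# as the second half of the pattern. Tune to your environment.
WINDOW = timedelta(minutes=5)

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    "Computer=WS01|UtcTime=2019-12-01 09:00:00|ImageLoaded=C:\\Windows\\System32\\drivers\\disk.sys|Signed=true|SignatureStatus=Valid",
    "Computer=WS01|UtcTime=2019-12-01 09:01:10|ImageLoaded=C:\\Users\\Public\\loader.sys|Signed=true|SignatureStatus=Valid",
    "Computer=WS01|UtcTime=2019-12-01 09:01:25|ImageLoaded=C:\\Users\\Public\\elrawdsk.sys|Signed=false|SignatureStatus=Unavailable",
    "Computer=WS02|UtcTime=2019-12-01 09:30:00|ImageLoaded=C:\\Windows\\System32\\drivers\\nsiproxy.sys|Signed=true|SignatureStatus=Valid",
    "Computer=WS02|UtcTime=2019-12-01 10:00:00|ImageLoaded=C:\\Temp\\test.sys|Signed=false|SignatureStatus=Unavailable",
]


def parse_event(line):
    """Turn one key=value|key=value record into a dict with a parsed time and file name."""
    rec = dict(field.split("=", 1) for field in line.strip().split("|"))
    rec["UtcTime"] = datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S")
    rec["Name"] = rec["ImageLoaded"].rsplit("\\", 1)[-1].lower()
    return rec


def classify(rec):
    """Return the list of per-event findings (empty for a benign-looking load)."""
    findings = []
    if rec["Signed"].lower() != "true" or rec["SignatureStatus"].lower() != "valid":
        findings.append("unsigned-or-invalid-signature")
    if rec["Name"] in WATCHLIST:
        findings.append("watchlisted-driver")
    if not rec["ImageLoaded"].lower().startswith(SYSTEM_DRIVER_DIR):
        findings.append("non-standard-path")
    return findings


def detect(lines):
    """Emit a medium alert per odd driver load and a high alert when an unsigned
    driver follows a suspicious signed driver on the same host within WINDOW."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda r: r["UtcTime"])
    alerts = []
    suspicious_signed = {}  # host -> signed drivers that still looked odd (path or watchlist)
    for rec in events:
        findings = classify(rec)
        if not findings:
            continue
        host = rec["Computer"]
        alerts.append({"host": host, "driver": rec["Name"], "severity": "medium", "findings": findings})
        if "unsigned-or-invalid-signature" not in findings:
            # A validly signed driver from an unusual place is a candidate loader.
            suspicious_signed.setdefault(host, []).append(rec)
            continue
        loaders = [p for p in suspicious_signed.get(host, []) if rec["UtcTime"] - p["UtcTime"] <= WINDOW]
        if loaders:
            alerts.append({"host": host, "driver": rec["Name"], "severity": "high",
                           "findings": ["dse-bypass-pattern"], "loader": loaders[-1]["Name"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the unsigned load of elrawdsk.sys on WS01 fifteen seconds after a validly signed driver from C:\Users\Public produces the high-severity pairing; the lone unsigned load on WS02 only gets the per-event medium alert, which is the intended distinction.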

Researchers said that the initial stage of the attacks involved the hackers executing brute-force attacks to gain access to company network accounts. From there they attempted to exploit a SharePoint vulnerability to install web shells such as China Chopper and Tunna. The X-Force IRIS team also found an additional web shell named extension.aspx, which shared similarities with another OilRig tool known as TWOFACE/SEASHARPEE, a web shell designed to run on ASP.NET web servers.
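Web shells of the kind named above tend to stand out in IIS logs as an .aspx endpoint that only ever receives POSTs, from one or two client addresses, with no referrer and no authenticated user. The following Python triage script is an added example, not IBM's or the attackers' code; the W3C log lines are constructed, and the endpoint path, client addresses, user agents and thresholds are assumptions chosen to illustrate the pattern.

```python
"""Triage IIS W3C extended logs for web-shell-like .aspx endpoints.

Added example. The log excerpt is constructed and is not from the incident
described above; the field order follows the #Fields header line.
"""
from collections import defaultdict

SAMPLE_LOG = r"""#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2019-11-20 08:00:01 GET /sites/hr/SitePages/Home.aspx CORP\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) https://sp.corp.example/ 200
2019-11-20 08:00:09 POST /sites/hr/_layouts/15/upload.aspx CORP\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) https://sp.corp.example/sites/hr/ 200
2019-11-20 08:02:40 GET /sites/hr/SitePages/Home.aspx CORP\bob 10.0.1.21 Mozilla/5.0+(Windows+NT+10.0) https://sp.corp.example/ 200
2019-11-20 08:03:15 GET /sites/hr/_layouts/15/upload.aspx CORP\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) https://sp.corp.example/sites/hr/ 200
2019-11-20 23:41:02 POST /_layouts/15/extension.aspx - 203.0.113.7 python-requests/2.22.0 - 200
2019-11-20 23:41:05 POST /_layouts/15/extension.aspx - 203.0.113.7 python-requests/2.22.0 - 200
2019-11-20 23:42:31 POST /_layouts/15/extension.aspx - 203.0.113.7 python-requests/2.22.0 - 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into row dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def profile(rows):
    """Per-URI counters: method mix, distinct clients, and POSTs lacking referrer/user."""
    stats = defaultdict(lambda: {"posts": 0, "gets": 0, "clients": set(),
                                 "no_referer_posts": 0, "unauth_posts": 0})
    for r in rows:
        s = stats[r["cs-uri-stem"]]
        if r["cs-method"] == "POST":
            s["posts"] += 1
            if r["cs(Referer)"] == "-":
                s["no_referer_posts"] += 1
            if r["cs-username"] == "-":
                s["unauth_posts"] += 1
        elif r["cs-method"] == "GET":
            s["gets"] += 1
        s["clients"].add(r["c-ip"])
    return stats


def suspicious_endpoints(rows, min_posts=3, max_clients=2):
    """Return .aspx URIs that are POST-only, low-client, referrer-less: web-shell shaped."""
    flagged = []
    for uri, s in profile(rows).items():
        if not uri.lower().endswith(".aspx"):
            continue
        if (s["posts"] >= min_posts and s["gets"] == 0
                and len(s["clients"]) <= max_clients
                and s["no_referer_posts"] == s["posts"]):
            flagged.append(uri)
    return sorted(flagged)


if __name__ == "__main__":
    for uri in suspicious_endpoints(parse_w3c(SAMPLE_LOG)):
        print("review:", uri)
```

The legitimate upload form is not flagged because browsers fetch it with GET and send a referrer on the POST; the thresholds are deliberately conservative, and on a real server the candidate list should be checked against file creation times on disk before anything is called a shell.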

The hackers also used legitimate remote-access software such as TeamViewer, and an obfuscated version of Mimikatz to collect credentials from compromised servers, the researchers said.
