IBM’s security researchers uncovered previously unknown malware that appears to have been developed by Iranian hackers and was used in a destructive data-wiping attack against industrial and energy entities in the Middle East.
The new malware, dubbed “ZeroCleare”, bears some similarity to the infamous Shamoon wiper that damaged tens of thousands of computers at oil giant Saudi Aramco in 2012: it also overwrites the master boot record (MBR) and disk partitions of Windows-based systems using the legitimate EldoS RawDisk driver, and it leverages a vulnerable driver and malicious PowerShell/batch scripts to bypass Windows controls. However, the researchers believe that ZeroCleare is not related to the Shamoon malware family, as they found no similarities in the malware’s code.
ZeroCleare was spread to numerous devices on the affected network, with the intent of causing damage across the target organization. According to IBM, the ZeroCleare attacks were not opportunistic but aimed at specific organizations. The researchers also believe that ZeroCleare was developed by the well-known Iranian state-sponsored threat actor APT34/OilRig (aka ITG13), and that the attacks were carried out in collaboration with another, unnamed group likely based in Iran.
“The general flow of events on 64-bit machines includes using a vulnerable, signed driver and then exploiting it on the target device to allow ZeroCleare to bypass the Windows hardware abstraction layer and avoid some operating system safeguards that prevent unsigned drivers from running on 64-bit machines,” the report revealed.
“This workaround has likely been used because 64-bit Windows-based devices are protected with Driver Signature Enforcement (DSE).”
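The sequence the report describes (a signed but vulnerable driver loaded first, then an unsigned driver that Driver Signature Enforcement should have refused) is visible in endpoint telemetry if driver loads are logged. The following is an added hunting example, not code from IBM or from the report: it runs a few rules over Sysmon Event ID 6 (Driver loaded) records. The sample events, host names and the third-party driver name `vendorkmd.sys` are constructed; the file name `elrawdsk.sys` is assumed to be the EldoS RawDisk driver, and the "normal" driver directories are an assumption to tune per environment.

```python
"""Hunt for the driver-loading sequence described above in Sysmon Event ID 6
(Driver loaded) records: a signed driver loaded from an unusual location and,
shortly after on the same host, an unsigned driver, which should be impossible
under Driver Signature Enforcement. Sample events are constructed."""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names follow the
# Sysmon Event ID 6 schema; file names are illustrative.
SAMPLE_EVENTS = [
    {"UtcTime": "2019-12-04 09:00:01", "Computer": "FILESRV01",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"UtcTime": "2019-12-04 09:14:20", "Computer": "FILESRV01",
     "ImageLoaded": "C:\\Users\\Public\\vendorkmd.sys",  # hypothetical third-party driver
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Example Vendor"},
    {"UtcTime": "2019-12-04 09:14:31", "Computer": "FILESRV01",
     "ImageLoaded": "C:\\Users\\Public\\elrawdsk.sys",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    {"UtcTime": "2019-12-04 09:30:00", "Computer": "WEB02",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
]

# Directories from which kernel drivers are normally loaded (assumption: extend
# for third-party software that installs drivers elsewhere).
NORMAL_DRIVER_DIRS = ("c:/windows/system32/drivers/", "c:/windows/system32/")
# Raw-disk driver file names that get a dedicated rule. elrawdsk.sys is assumed
# to be the EldoS RawDisk driver file name; verify against your own samples.
RAWDISK_WATCHLIST = {"elrawdsk.sys"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _norm(path):
    return path.lower().replace("\\", "/")


def _finding(rule, event, **extra):
    return {"rule": rule, "host": event["Computer"], "image": event["ImageLoaded"],
            "time": event["UtcTime"], **extra}


def hunt_driver_loads(events, window=timedelta(minutes=10)):
    """Return a list of findings, one dict per rule hit."""
    findings = []
    recent_signed = {}  # host -> [(time, image)] of earlier signed loads
    for e in sorted(events, key=lambda ev: _ts(ev["UtcTime"])):
        host, t = e["Computer"], _ts(e["UtcTime"])
        signed = e.get("Signed", "").lower() == "true"
        path = _norm(e["ImageLoaded"])
        base = path.rsplit("/", 1)[-1]
        if not signed:
            # Under DSE an unsigned driver should never load on 64-bit Windows.
            findings.append(_finding("unsigned_driver", e))
        if not path.startswith(NORMAL_DRIVER_DIRS):
            findings.append(_finding("driver_outside_system_dirs", e))
        if base in RAWDISK_WATCHLIST:
            findings.append(_finding("rawdisk_watchlist", e))
        if signed:
            recent_signed.setdefault(host, []).append((t, e["ImageLoaded"]))
        else:
            # Bring-your-own-vulnerable-driver pattern: a signed driver was
            # loaded shortly before the unsigned one on the same host.
            for st, simage in recent_signed.get(host, []):
                if t - st <= window:
                    findings.append(_finding("signed_then_unsigned", e,
                                             preceding_signed=simage))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in hunt_driver_loads(SAMPLE_EVENTS):
        print(f)
```

The `unsigned_driver` rule alone is the strongest signal: on a 64-bit host with DSE on, an unsigned driver load means either test-signing mode or a bypass. The `signed_then_unsigned` pairing only narrows down which signed driver was the likely lever, so keep the window short to avoid pairing with unrelated loads.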
Researchers said that the initial stage of the attacks involved brute-force attacks to gain access to company network accounts. From there, the attackers attempted to exploit a SharePoint vulnerability to install web shells such as China Chopper and Tunna. The X-Force IRIS team also found an additional web shell named extension.aspx, which shared similarities with another OilRig tool known as TWOFACE/SEASHARPEE, a web shell designed to run on ASP.NET web servers.
The hackers also used legitimate remote-access software such as TeamViewer, and collected credentials from compromised servers with an obfuscated version of Mimikatz, the researchers said.
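Two of the early stages above leave traces in logs an operations team already collects: the brute-forcing shows up as bursts of Windows Security 4625 (logon failure) events, and a dropped web shell is driven by POST requests to an .aspx page that never appeared in the site's normal traffic. The following is an added detection example, not code from IBM or the report, that runs both checks over constructed data. The 4625 events are reduced to the fields needed, the IIS lines use a simplified W3C layout, the `/_layouts/15/` paths and the endpoint baseline are assumptions, and the threshold of 20 failures in 5 minutes is an arbitrary starting point to tune.

```python
"""Two checks for the intrusion chain described above: password brute-forcing
against domain accounts, then POSTs to previously unseen .aspx pages on the
SharePoint server, which is how a dropped web shell gets driven. All sample
data is constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security 4625 (logon failure) events, reduced to the
# fields the check needs: 25 failures in 50 seconds from one source, plus two
# ordinary typos from another.
FAILED_LOGONS = (
    [{"time": f"2019-11-20 02:10:{s:02d}", "src_ip": "203.0.113.10",
      "account": f"user{s % 7}"} for s in range(0, 50, 2)]
    + [{"time": "2019-11-20 02:12:05", "src_ip": "198.51.100.7", "account": "jdoe"},
       {"time": "2019-11-20 02:12:09", "src_ip": "198.51.100.7", "account": "jdoe"}]
)

# Constructed, simplified IIS W3C lines: date time c-ip cs-method cs-uri-stem sc-status
IIS_LOG = """\
2019-11-20 02:15:01 192.0.2.25 GET /_layouts/15/start.aspx 200
2019-11-20 02:20:44 203.0.113.10 POST /_layouts/15/extension.aspx 200
2019-11-20 02:20:52 203.0.113.10 POST /_layouts/15/extension.aspx 200
2019-11-20 02:21:10 192.0.2.31 POST /_layouts/15/upload.aspx 200
2019-11-20 02:22:00 203.0.113.10 GET /_layouts/15/start.aspx 200
"""

# Baseline of .aspx endpoints seen during normal operation (constructed; in
# practice build it from a few weeks of logs before the period under review).
KNOWN_ASPX = {"/_layouts/15/start.aspx", "/_layouts/15/upload.aspx"}


def detect_bruteforce(events, threshold=20, window=timedelta(minutes=5)):
    """Return source IPs with at least `threshold` failures in any `window`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S"))
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def parse_iis(text):
    """Parse the simplified W3C lines into dicts; skips comments and blanks."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, ip, method, stem, status = line.split()
        rows.append({"time": f"{date} {time}", "ip": ip, "method": method,
                     "stem": stem.lower(), "status": int(status)})
    return rows


def detect_webshell_candidates(rows, known_aspx, suspicious_ips=frozenset()):
    """POSTs to .aspx pages absent from the baseline, grouped per (ip, stem),
    annotated with whether the client already tripped the brute-force check."""
    counts = defaultdict(int)
    for r in rows:
        if r["method"] == "POST" and r["stem"].endswith(".aspx") \
                and r["stem"] not in known_aspx:
            counts[(r["ip"], r["stem"])] += 1
    return [{"ip": ip, "stem": stem, "posts": n, "bruteforce_source": ip in suspicious_ips}
            for (ip, stem), n in sorted(counts.items())]


def run():
    """Chain both checks over the constructed data."""
    bf = detect_bruteforce(FAILED_LOGONS)
    shells = detect_webshell_candidates(parse_iis(IIS_LOG),
                                        {s.lower() for s in KNOWN_ASPX}, bf)
    return bf, shells


if __name__ == "__main__":
    print(run())
```

The second check does not detect the SharePoint exploitation itself, only the use of whatever got dropped afterwards; an .aspx file appearing on disk outside a patch or deployment window is the complementary host-side signal, and the `bruteforce_source` flag is what ties the web shell traffic back to the credential attack.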