Iranian hackers deploy new ZeroCleare data-wiping malware

hdd destroyed

Image: Markus Spiske

Special feature

Special report: A winning strategy for cybersecurity (free PDF)

This ebook, based on the latest ZDNet/TechRepublic special feature, offers a detailed look at how to build risk management policies to protect your critical digital assets.

Read More

Security researchers from IBM said today they identified a new strain of destructive data-wiping malware that was developed by Iranian state-sponsored hackers and deployed in cyber-attacks against energy companies active in the Middle East.

IBM did not name the companies that have been targeted and had data wiped in recent attacks.

Instead, IBM’s X-Force security team focused on analyzing the malware itself, which they named ZeroCleare.

A 28-page PDF report is available on the tool’s capabilities, which IBM said it closely resembles Shamoon, one of the most dangerous and destructive malware strains of the past decade. A summary of this report’s main findings is in the article below.

Created by APT33 and APT34

Unlike many cyber-security firms, IBM’s X-Force team did not shy away from attributing the malware and the attacks to a specific country — in this case, Iran.

“Based on the analysis of the malware and the attackers’ behavior, we suspect Iran-based nation-state adversaries were involved to develop and deploy this new wiper,” the IBM security team said.

But unlike many previous cyber-attacks, which are usually carried out by one single group, IBM said this malware and the attacks behind appear to be the efforts of a collaboration between Iran’s top two government-backed hacking units.

According to IBM, the ZeroCleare malware is the brainchild of APT33 (Hive0016 in the IBM report) and APT34 (ITG13 in the IBM report, also known as Oilrig).

The names are well known in the cyber-security industry. APT33 is the group that developed the original Shamoon malware that was first deployed in 2012 and used to destroy data on 35,000 workstations belonging to Saudi Aramco, Saudi Arabia’s national oil company.

APT34 is, by far, Iran’s most active hacking group today. The group suffered a major breach in this year’s spring when an unknown entity leaked the source code for various of its tools on Telegram.

The ZeroCleare malware

As for the malware itself, ZeroCleare is your classic “wiper,” a strain of malware designed to delete as much data as possible from an infected host.

Wiper malware is usually used in two scenarios. It’s either used to mask intrusions by deleting crucial forensic evidence or it’s used to damage a victim’s ability to carry out its normal business activity — as was the case of attacks like Shamoon, NotPetya, or Bad Rabbit.

While researching the recent ZeroCleare attacks, IBM said it identified two versions of the malware. One was created for 32-bit systems and a second for 64-bit systems. Of the two, IBM said that only the 64-bit version actually worked.

Researchers said that attacks usually began with the hackers executing brute-force attacks to gain access to weakly secured company network accounts.

Once they gained access to a company’s server account, they exploited a SharePoint vulnerability to install web shells like China Chopper and Tunna.

Once attackers had a foothold inside a company, they spread laterally inside the network to as many computers as possible, where they deployed ZeroCleare as the last step of their infection.

“To gain access to the device’s core, ZeroCleare used an intentionally vulnerable driver and malicious PowerShell/Batch scripts to bypass Windows controls,” IBM said.

Once ZeroCleare had elevated privileges on a host, it would load EldoS RawDisk, a legitimate toolkit for interacting with files, disks, and partitions.

The malware then abused this legitimate tool to “wipe the MBR and damage disk partitions on a large number of networked devices,” researchers said.


IBM researchers point out that recent versions of the Shamoon malware used as recent as last year, also abused the same Eldos RawDisk toolkit for its “destructive” behavior.

Other artifacts and indicators of compromise detailed in IBM’s report tied ZeroCleare to APT33 and APT34.

Attacks happened this fall, were “targeted”

While IBM didn’t share any details about ZeroCleare victims, an IBM daily threat assessment sent this fall suggests IBM first learned of this new malware and attacks around September 20.

IBM said that none of the ZeroCleare attacks were opportunistic and appeared to be targeted against very specific organizations.

Past Shamoon attacks targeted companies in the energy sector that were active in the Middle East region, companies that were either Saudi-based or known partners for Saudi-based oil & gas enterprises.

Source Article from
Iranian hackers deploy new ZeroCleare data-wiping malware
Latest blogs for ZDNet
Latest blogs for ZDNet×144.png

Article written by

great guy, love the news