Iranian hackers used new ZeroCleare malware

IBM experts have revealed a new malware, ZeroCleare, created and used by Iranian hackers. ZeroCleare targets power companies operating in the Middle East.

Researchers did not disclose the names of the victim companies, but they published a detailed 28-page report analysing the malware.

“The ZeroCleare malware is the development of two Iranian hack groups: xHunt (Hive0081 in the IBM report) and APT34 (ITG13 in the IBM report, also known as Oilrig),” IBM security experts say.

Technically, ZeroCleare is a classic wiper, that is, malware designed to intentionally destroy data on an infected host.

Such malware is usually used either to disguise other attacks and remove evidence of the intrusion, or for sabotage, to cause the victim maximum damage and stop it from carrying on its normal operations, as was the case with the Shamoon, NotPetya and Bad Rabbit attacks.


IBM discovered two versions of the malware: one built for 32-bit systems and one for 64-bit systems. However, only the 64-bit version actually works.

“Attacks by attackers usually start with the usual brute force to gain access to weakly protected company credentials. They then used the SharePoint vulnerability to install web shells such as China Chopper and Tunna,” IBM experts say.

Having gained a foothold in the company’s network, the hackers spread to as many computers as possible and then launched the ZeroCleare attack across the network. To gain kernel-level access on each device, ZeroCleare loads a deliberately chosen vulnerable driver and runs malicious PowerShell and batch scripts to bypass Windows security features. Once it has the necessary privileges on the host, the malware loads EldoS RawDisk, a legitimate toolkit for working with files, disks and partitions, and uses it to erase the MBR and damage the disk partitions on every network device it can reach.
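The driver-loading step above is also the most visible one for defenders: a wiper that needs raw disk access has to bring its own kernel driver, and Windows records every driver load. The following is an added example (not part of the IBM report or the original article) that runs a few simple hunting rules over constructed Sysmon Event ID 6 (DriverLoad) records: drivers loaded from outside the system drivers directory, drivers signed by EldoS (the RawDisk driver, whose file name elrawdsk.sys is assumed here), and drivers whose signature is not valid. Hostnames, paths and the vuln.sys name are made up.

```python
import re

# Constructed sample Sysmon Event ID 6 (DriverLoad) records, flattened to
# key=value text the way a log forwarder might ship them. Hosts, paths and
# "vuln.sys" are made up; elrawdsk.sys / "EldoS Corporation" are assumed.
SAMPLE_LOGS = [
    "EventID=6 Host=ws01 ImageLoaded=C:\\Windows\\System32\\drivers\\disk.sys "
    "Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    "EventID=6 Host=ws07 ImageLoaded=C:\\Windows\\Temp\\elrawdsk.sys "
    "Signed=true Signature=EldoS Corporation SignatureStatus=Valid",
    "EventID=6 Host=ws09 ImageLoaded=C:\\Users\\Public\\vuln.sys "
    "Signed=true Signature=Example Vendor SignatureStatus=Revoked",
    "EventID=1 Host=ws07 Image=C:\\Windows\\System32\\cmd.exe",
]

# key=value pairs; a value runs until the next " key=" token or end of line,
# so signer names containing spaces are kept whole.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

def parse_fields(line):
    return dict(FIELD_RE.findall(line))

def classify_driver_load(fields):
    """Return the reasons a driver-load record looks suspicious (empty if none)."""
    if fields.get("EventID") != "6":
        return []
    image = fields.get("ImageLoaded", "").lower()
    signer = fields.get("Signature", "").lower()
    status = fields.get("SignatureStatus", "").lower()
    reasons = []
    if not image.startswith(TRUSTED_DRIVER_DIR):
        reasons.append("driver loaded from outside the system drivers directory")
    if "eldos" in signer:
        reasons.append("EldoS RawDisk driver loaded: raw-disk toolkit abused by ZeroCleare/Shamoon")
    if status != "valid":
        reasons.append(f"driver signature status is {status or 'unknown'}")
    return reasons

def scan(lines):
    """Run every record through the rules; return (host, driver, reasons) per hit."""
    alerts = []
    for line in lines:
        fields = parse_fields(line)
        reasons = classify_driver_load(fields)
        if reasons:
            alerts.append((fields.get("Host"), fields.get("ImageLoaded"), reasons))
    return alerts
```

On the constructed input, scan() flags ws07 (RawDisk driver loaded from a temp directory) and ws09 (a driver with a revoked signature loaded from a public directory) and leaves the stock disk.sys load alone.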

Another well-known wiper, Shamoon, created by a different Iranian group, APT33 (Hive0016 in the IBM report), previously used a similar tactic.

It is unclear whether APT33 took part in creating ZeroCleare. In the initial version of the report, IBM stated that APT33 and APT34 had created ZeroCleare, but soon after publication the document was updated, the attribution was changed to xHunt and APT34, and the researchers admitted that they were not one hundred percent certain.

About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
