Iranian hackers used new ZeroCleare malware
IBM experts have revealed ZeroCleare, a new malware family created and used by Iranian hackers. ZeroCleare targets energy companies operating in the Middle East.
The researchers did not disclose the names of the victim companies, but they published a detailed 28-page report analysing the malware.

"ZeroCleare was developed by two Iranian hacking groups: xHunt (Hive0081 in the IBM report) and APT34 (ITG13 in the IBM report, also known as OilRig)", IBM security experts say.
Technically, ZeroCleare is a classic wiper, that is, malware designed to deliberately destroy data on the infected host.
Such malware is usually used either to disguise other attacks and remove evidence of the intrusion, or for sabotage, to cause maximum damage to the victim and prevent it from carrying on its normal operations, as was the case with the Shamoon, NotPetya and Bad Rabbit attacks.
IBM discovered two versions of the malware, one built for 32-bit systems and one for 64-bit systems, but only the 64-bit version actually works.
"Attacks usually start with ordinary brute force to gain access to weakly protected company credentials. The attackers then used a SharePoint vulnerability to install web shells such as China Chopper and Tunna", IBM experts say.
Having gained a foothold in the company's network, the hackers spread to as many machines as possible and then launched the ZeroCleare attack across the network. To get access to the kernel, ZeroCleare loads a legitimately signed but vulnerable third-party driver and uses malicious PowerShell and batch scripts to bypass Windows security controls (the signed driver is what gets the unsigned payload past driver signature enforcement). Once it has the necessary privileges on the host, the malware loads EldoS RawDisk, a legitimate driver for raw access to files, disks and partitions, and uses it to overwrite the MBR and corrupt the disk partitions of every machine it can reach on the network.
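A quick way to see what "erasing the MBR" leaves behind, and to triage a disk image after an attack of this kind, is to parse the first sector yourself. The following is an added example written for this article, not code from IBM's report or from the malware: it builds a constructed, healthy 512-byte MBR, simulates a constant-fill overwrite of the first sector (the fill value is an assumption; the real wiper's pattern is not described on this page), and reports the boot signature, the partition table and whether the boot-code region looks wiped. The `assess_mbr` function can be pointed at the first 512 bytes of any real image (for example `dd if=/dev/sda bs=512 count=1 of=mbr.bin`).

```python
"""Inspect a raw 512-byte MBR for signs of a wiper-style overwrite.

Added example with constructed sample data; not from the IBM report or the
malware itself.
"""
import struct
import sys

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries start here
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR
PART_ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed healthy MBR: a few bytes of boot code, one bootable NTFS partition."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(PART_TABLE_OFFSET, b"\x90")
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (3 * PART_ENTRY_SIZE)   # remaining three slots empty
    return boot_code + table + BOOT_SIGNATURE


def simulate_wipe(mbr, fill=0x00):
    """Overwrite the whole first sector with one byte value (fill value is an assumption)."""
    return bytes([fill]) * len(mbr)


def parse_partitions(mbr):
    """Return the non-empty entries of the partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PART_ENTRY_FMT, mbr[off:off + PART_ENTRY_SIZE])
        if ptype != 0:              # type 0x00 means unused slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return parts


def assess_mbr(mbr):
    """Triage a first sector: signature present? partitions listed? boot code uniform?"""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly %d bytes, got %d" % (MBR_SIZE, len(mbr)))
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    partitions = parse_partitions(mbr)
    # Real boot code mixes many byte values; a single repeated value across all
    # 446 bytes is the fingerprint of a constant-fill overwrite.
    boot_code_uniform = len(set(mbr[:PART_TABLE_OFFSET])) == 1
    healthy = signature_ok and bool(partitions) and not boot_code_uniform
    return {"signature_ok": signature_ok, "partitions": partitions,
            "boot_code_uniform": boot_code_uniform,
            "verdict": "healthy" if healthy else "suspect: wiped or corrupted"}


if __name__ == "__main__":
    if len(sys.argv) == 2:                      # path to a raw sector dump
        with open(sys.argv[1], "rb") as f:
            print(assess_mbr(f.read(MBR_SIZE)))
    else:                                        # demo on the constructed sample
        print("before:", assess_mbr(build_sample_mbr()))
        print("after: ", assess_mbr(simulate_wipe(build_sample_mbr())))
```

Note that a missing `55 AA` signature alone is not proof of a wipe (a GPT disk still carries a protective MBR with the signature, but a blank disk has none), which is why the verdict also looks at the partition table and the uniformity of the boot-code region.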
Another well-known wiper, Shamoon, attributed to a different Iranian group, APT33 (Hive0016 in IBM's naming), previously used the same tactic.